The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information. This blog is another in a series examining these new regulatory requirements.
By Dean P. Nicastro, Esq.
The new HIPAA Final Rule for Privacy, Security, Enforcement and Breach Notification (adopted in January 2013) creates new obligations for Business Associate Agreements (“BAA”) between physicians, hospitals and other health care providers (“Covered Entities”), and those contractors who perform services for them involving the use or disclosure of Protected Health Information (“PHI”).
As was mentioned in a previous blog, HIPAA now defines “Business Associate” (“BA”) to include a BA’s subcontractors who create, receive, maintain or transmit PHI on the BA’s behalf. The new Final Rule goes on to require that a BAA between a Covered Entity and its BA must require the BA to ensure that the BA’s subcontractors comply with HIPAA privacy and security requirements. Effectively, and as a mandate, this means that the Covered Entity’s BA must have in place a separate BAA with the BA’s subcontractor.
HIPAA makes clear that the Covered Entity need not have a BAA in place directly with the BA’s subcontractor. However, the Final Rule puts the burden on the Covered Entity to arrange for subcontractor compliance, by requiring the BA to obtain compliance assurance from its subcontractor. Thus, HIPAA BAAs between health care providers and their servicing vendors need to be revised and updated to include these “downstream” subcontractor compliance obligations.
Care should be exercised when drafting these revisions: for example, the main BAA should require that the downstream BAA mirror the BA’s privacy and security obligations; additionally, it may be advisable to expressly disavow any relationship of agency between the Covered Entity and the subcontractor.
Finally, when updating a BAA template, it would be helpful to include language of compliance with Massachusetts law and regulations that protect the security and disposal of data that contains personal information, like names and social security or financial account numbers. Massachusetts consumer regulations require that a service provider contract be in place with vendors who access such data, so it is a good idea to have the HIPAA BAA serve as such a contract as well.
In general, the HIPAA Final Rule must be complied with by September 23, 2013. The federal HHS Office of Civil Rights has posted some helpful sample language for BAAs on its website.
Please contact the health law professionals at Pierce & Mandell for additional information on this subject.
UPDATING BUSINESS ASSOCIATE AGREEMENTS TO COMPLY WITH NEW HIPAA CHANGES - Boston
CMS and OIG Propose to Amend Stark and Anti-Kickback Rules for EHR Donations

Last month, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) proposed similar amendments to the Stark exception and to the Anti-Kickback safe harbor for the donation of electronic health records (EHR). The current rules permit hospitals, group practices and other entities to donate technology-related items and services to physicians, to be used to create, maintain, transmit or receive EHR. Highlights of the proposed changes:
- Eliminate the requirement that EHR must include an electronic prescribing component or interface ability
- Change the procedure for deeming EHR software “interoperable,” so as to follow the current certification process employed by the Office of National Coordinator for Health Information Technology (ONC); and eliminate the 12-month prior timeframe for certification
- Postpone the EHR sunset from December 31, 2013 to December 31, 2016
The two agencies believe that “sufficient alternative policy drivers” exist to advance electronic prescribing, and that the ONC certification program (which certifies to any edition of EHR certification criteria that is identified in the regulatory definition applicable at time of donation) is consistent with the objective of ensuring that EHR products are certified to the current standard of interoperability when they are donated. In addition, the sunset extension is thought needed in order to help achieve more widespread adoption of EHR in the healthcare industry (the December 31, 2016 date corresponds with the closing timetable for Medicare/Medicaid EHR incentive programs; the agencies even suggest an extension to December 31, 2021).
The agencies have invited comment on the proposed amendments through June 10, 2013. Also, they seek comment on whether to limit the class of permitted donors, so as to exclude certain ancillary suppliers, such as lab companies, durable medical equipment suppliers and independent home health agencies, and on other suggestions for preventing “data and referral lock-in” and for encouraging the free exchange of data.
The proposed changes are contained in the April 10, 2013 Federal Register. Please contact the health law professionals at Pierce & Mandell for additional information on this subject.