The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information. This blog is another in a series examining these new regulatory requirements.
By Dean P. Nicastro, Esq.
The new HIPAA Final Rule for Privacy, Security, Enforcement and Breach Notification (adopted in January 2013) creates new obligations for Business Associate Agreements (“BAA”) between physicians, hospitals and other health care providers (“Covered Entities”), and those contractors who perform services for them involving the use or disclosure of Protected Health Information (“PHI”).
As was mentioned in a previous blog, HIPAA now defines “Business Associate” (“BA”) to include a BA’s subcontractors who create, receive, maintain or transmit PHI on the BA’s behalf. The new Final Rule goes on to require that a BAA between a Covered Entity and its BA must require the BA to ensure that the BA’s subcontractors comply with HIPAA privacy and security requirements. In effect, this mandate means that the Covered Entity’s BA must have in place a separate BAA with the BA’s subcontractor.
HIPAA makes clear that the Covered Entity need not have a BAA in place directly with the BA’s subcontractor. However, the Final Rule puts the burden on the Covered Entity to arrange for subcontractor compliance, by requiring the BA to obtain compliance assurance from its subcontractor. Thus, HIPAA BAAs between health care providers and their servicing vendors need to be revised and updated to include these “downstream” subcontractor compliance obligations.
Care should be exercised when drafting the revisions: for example, the main BAA should require that the downstream BAA mirror the BA’s privacy and security obligations; additionally, it may be advisable to expressly disavow any relationship of agency between the Covered Entity and the subcontractor.
Finally, when updating a BAA template, it would be helpful to include language of compliance with Massachusetts law and regulations that protect the security and disposal of data that contains personal information, like names and social security or financial account numbers. Massachusetts consumer regulations require that a service provider contract be in place with vendors who access such data, so it is a good idea to have the HIPAA BAA serve as such a contract as well.
In general, the HIPAA Final Rule must be complied with by September 23, 2013. The federal HHS Office of Civil Rights has posted some helpful sample language for BAAs on its website.
Please contact the health law professionals at Pierce & Mandell for additional information on this subject.
UPDATING BUSINESS ASSOCIATE AGREEMENTS TO COMPLY WITH NEW HIPAA CHANGES - Boston
Monday, July 01, 2013