• HIPAA Compliance Update
  • August 2, 2013
  • Law Firm: Holland Hart LLP - Denver Office
  • As we reported earlier this year, the Department of Health and Human Services ("HHS") issued final regulations requiring changes to a covered entity's HIPAA privacy and security policies and procedures, notices of privacy practices and business associate agreements. The compliance deadline is September 23, 2013.


    One of the most sweeping changes in the final HIPAA regulations relates to business associates. The final regulations broadened the definition of "business associate" and directly applied many of the privacy rules and all of the security rules to business associates. In general, any service provider that creates, receives, maintains or transmits protected health information of behalf of a covered entity is a business associate. Any of the following providers can now constitute a business associate of a covered entity: consultants, advisors, lawyers, accountants, actuaries, software vendors, data transmission services, shredding services, and records storage services (paper or electronic).

    Moreover, the regulations clarify subcontractors of business associates that create, receive, maintain or transmit protected health information on behalf of a business associate are also business associates. To illustrate, third party administrator (TPA) is the record keeper for a self-funded health plan, TPA is a business associate of the health plan; therefore, health plan must have a business associate agreement in place with TPA. TPA contracts with claims processor (CP) to process claims. CP is a subcontractor of TPA and is also a business associate. Therefore, TPA must have a business associate agreement in place with CP. CP contracts with individual physicians on a case-by-case basis to evaluate claims. These individual physicians are subcontractors of CP and are business associates. CP therefore must have a business associate agreement in place with each individual physician. Note that the group health plan is not required to (and should not) enter into a business associate agreement with the downstream business associates (i.e., CP and the individual physicians).

    As mentioned earlier, the final regulations require business associates to comply with all of the HIPAA security rules and certain privacy requirements. What this means is that HHS now has the authority to enforce these HIPAA requirements directly against business associates. HHS can audit, investigate complaints, and impose penalties against business associates.


    Group health plans (as covered entities) should take the following steps immediately in order to comply with the final regulation's sweeping changes by September 23, 2013:

    1. Evaluate all services providers to ensure all business associates have been identified.
    2. Enter into / update business associate agreements.
    3. Update Notice of Privacy Practices.
    4. Adopt / update Privacy and Security policies and procedures.

    If a business associate agreement was in place before the final regulations were published (i.e., January 25, 2013) and complied with the HIPAA requirements as of then, and the business associate agreement is not renewed or modified between March 26, 2013 and September 23, 2013, then the business associate agreement does not have to be updated until the earlier of: (1) the date the business associate agreement is renewed or modified on or after September 23, 2013 or (2) September 22, 2014.