The final rule under HIPAA, released this past January, makes some sweeping changes that will greatly enhance a patient’s privacy rights.
The definition of “business associate” now also covers a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. HIPAA now requires a business associate agreement between a business associate and each of its subcontractors, and the subcontractor designation applies no matter how many contractual tiers removed the subcontractor is from the covered entity. Business associates have always been subject to the use and disclosure restrictions, but they can now be held directly liable under HIPAA for unauthorized uses and disclosures.
The final rule codifies which provisions of the Privacy Rule and the Security Rule apply to business associates, as prescribed by the HITECH Act. Business associates may face civil monetary penalties, and in some cases criminal penalties, for their own failure to comply or for the failure of their agents, including subcontractors, to comply with their obligations under HIPAA. Now is the time for covered entities and business associates to reassess which of their vendors could be considered business associates or subcontractors under the final rule. For each vendor that can now be characterized as a business associate, a business associate agreement will need to be in place before September 23, 2013, the compliance deadline.