On January 25, 2013, the Department of Health and Human Services published the much-anticipated Omnibus Final Rule (the “Final Rule”), which, with respect to business associates and their subcontractors, conforms HIPAA’s Privacy and Security Rules to a number of changes brought about by the HITECH Act, implements a number of regulatory changes seen in HHS’s proposed rule-making, and modifies a number of other proposed regulatory changes.

The Final Rule expands the reach of the HIPAA Rules by clarifying that those who “maintain and transmit” protected health information on behalf of covered entities are subject to many of those rules as business associates of those covered entities. Moreover, certain subcontractors of business associates are now to be treated as business associates themselves. As a result, business associates and those subcontractors are required to enter into business associate agreements with each other, and those subcontractors will be responsible for HIPAA compliance not only under those contracts but also directly under the HIPAA Rules themselves. Finally, the Final Rule also changes a number of the mandated terms of business associate contracts and will require covered entities, business associates and subcontractors to revisit their existing agreements for compliance with the Final Rule’s new requirements.