In 2009, the Health Information Technology for Economic and Clinical Health Act ("HITECH") modified a number of provisions of the Health Insurance Portability and Accountability Act ("HIPAA") to strengthen HIPAA's privacy and security protections. One significant aspect of HITECH is that Business Associates now have to comply with much of HIPAA and are subject to enforcement and penalties by the HHS Office for Civil Rights ("OCR"). In January, OCR published amendments to the HIPAA Regulations that Business Associates need to know.
Put simply, Business Associates are people or organizations that perform a service for a HIPAA "Covered Entity" (usually a health care provider or a health insurance plan), if the Business Associate will use, disclose, or maintain Protected Health Information ("PHI") in performing that service. For example, Business Associates might include attorneys, accountants, consultants, software vendors, accrediting organizations, and management companies – if they have access to PHI. Under the new regulations, Business Associates also include health information organizations, e-prescribing gateways, other entities that provide data transmission services, entities that offer a personal health record on behalf of a Covered Entity, and data storage companies or cloud-computing companies.
On September 23, 2013, Business Associates are required to comply with the new regulations. Polsinelli has developed a template HIPAA Business Associate Policy and Agreement Guide (the "HIPAA Business Associate Guide"). The HIPAA Business Associate Guide is a comprehensive document that can be easily adapted to fit an organization's structure and specific function as a Business Associate.
The HIPAA Business Associate Guide contains (i) a simple introduction explaining whether a company is subject to HIPAA and the consequences of non-compliance; (ii) thirty-three template policies and procedures to implement Business Associate obligations under the HIPAA Regulations; (iii) a detailed overview of HIPAA, HITECH and the HIPAA Regulations; and (iv) a sample business associate agreement and a sample subcontractor business associate agreement. The HIPAA Business Associate Guide will serve as a tremendous tool in assisting any Business Associate in its HIPAA compliance efforts.