In This Issue:

- Expansion of, Clarifications to, and Explicit Inclusions in the Definition of BA

- BAs’ Direct Liability Under the Final Rule

- BAAs: Required Provisions Under the Final Rule and the Compliance Date

- Excerpt from Expansion of, Clarifications to, and Explicit Inclusions in the

Definition of BA:

The Final Rule included several additions and clarifications to the HIPAA definition of BA. Identifying persons and entities which meet the definition of BA is important because the Final Rule clarified that a person or entity becomes a BA by meeting the definition of a BA and by creating, receiving, maintaining, or transmitting protected health information on behalf of a Covered Entity, not by contracting with the Covered Entity and entering into a BAA. Moreover, the type of protected health information involved does not matter; if the information is tied to a Covered Entity, it is considered protected health information by definition (even if it is, for example, strictly limited to demographic information). Whether or not a person or entity is a BA is significant because as will be further discussed below, BAs have direct liability under the Final Rule for not complying with certain HIPAA requirements.