Kirk Nahra Quoted on New Health Care Privacy Requirements for Business Associates
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was quoted in an article published in the February issue of Report on Patient Privacy regarding the rush to comply with the U.S. Department of Health and Human Services’ (HHS) new data-security and breach notification rules.
The rules, issued January 25 by HHS’s Office for Civil Rights (OCR), extended the reach of the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security requirements beyond covered entities such as health care providers, doctors and insurance companies to their business associates (BAs) and those BAs’ subcontractors. The revisions were required under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.
There were a few surprises in the new requirements, such as an expanded definition of “business associate” and “subcontractor” that sweeps in entities such as cloud computing and data storage companies that were not previously subject to HIPAA rules. The new requirements also reach every tier of the chain of those who handle protected health information, not just the first-tier vendor that contracts directly with a covered entity. The compliance date for the final rule is September 23, 2013, 180 days after its March 26, 2013 effective date, giving everyone roughly six months to prepare for the changes.
The new rule holds BAs accountable only for specific requirements that are triggered by their work on behalf of HIPAA covered entities (CE). The measure finalizes four previously issued rules including a July 2010 proposal that holds BAs directly liable for certain requirements. But the new rule “does not turn BAs into CEs,” Mr. Nahra said.
While OCR has posted “sample business associate agreement provisions,” it has not yet issued guidance or updated materials on its website to reflect the new regulation, according to the article. Even though OCR has yet to issue guidance that was due in 2010 on the minimum necessary standard, the agency is requiring BAs and subcontractors to comply with this highly misunderstood concept.