The Office for Civil Rights of the Department of Health and Human Services has filed final rules modifying the HIPAA regulations. One of the primary changes strengthens privacy and security protection of Protected Health Information (PHI) by imposing direct liability on business associates and their subcontractors. Business associates now face the same requirements and obligations to protect PHI from disclosure and use as were previously imposed on covered entities. Business associates are also now required to maintain business associate agreements with any subcontractors involved in activities involving PHI. The regulations contain exceptions for vendors and their subcontractors that are merely information conduits, such as the postal service, courier services, and their electronic equivalents.
These rules are effective September 23, 2013. All existing business associate agreements must be amended to comply by September 22, 2014. Please contact Chip Koval for assistance in reviewing and revising existing business associate agreements, or for drafting new agreements to meet these requirements.