by Elizabeth A. Diller and James P. McElligott Jr.
Employer-sponsored health plans subject to the Health Insurance Portability and Accountability Act (HIPAA) must be in compliance with the final rule under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA) by September 23.
The rule went into effect on March 26, 2013. Entities covered under HIPAA, including group health plans and their “business associates,” will have one year from the September 23 compliance date to amend existing business associate agreements.
The new rule expands the definition and liability of business associates. Before the new rule, “business associate” included persons who perform or assist in the performance of a function or activity involving the use or disclosure of protected health information (PHI) for a covered entity. For example, business associates included someone who works in the following capacities:
- Claims processing or administration;
- Data analysis, processing, or administration;
- Utilization review;
- Quality assurance;
- Billing or repricing;
- Benefits or practice management; or
- Professional and management services.
The new rule expands the definition to include individuals who create, receive, maintain, or transmit PHI in connection with performing a function or service for a covered entity, even if the person doesn’t actually view the PHI. Also, the definition now includes subcontractors who create, receive, maintain, or transmit PHI on behalf of a business associate. Thus, subcontractors of a business associate who use or disclose the covered entity’s PHI are now directly subject to HIPAA.
Now, business associates are directly liable for noncompliance with the security rule and most provisions of the privacy rule. Before the HITECH Act, business associates were contractually liable to covered entities under executed business associate agreements but didn’t have direct liability under HIPAA.
Because of changes to HIPAA as a result of the new rule, employers that sponsor group health plans must:
- Review the vendors with which they contract for group health plan services to determine whether any vendor that was previously not identified as a business associate fits within the expanded definition;
- Review and update HIPAA documents and practices to reflect the changes under the HITECH Act, particularly business associate agreements and notices of privacy practices; and
- Review and enhance their privacy and security practices to avoid breaches of unsecured PHI.
Elizabeth A. Diller and James P. McElligott Jr. are attorneys in the Richmond, Virginia, office of McGuireWoods LLP. Elizabeth can be reached at ediller@mcguirewoods.com or 804-775-4358. James can be reached at jmcelligott@mcguirewoods.com or 804-775-4329