Healthcare: More Time is Given for Business Associate Compliance
The "HITECH Act", effective February 18, 2010, made significant changes to HIPAA requirements affecting Business Associates. On July 14, 2010, the Office for Civil Rights (OCR), responsible for enforcing HIPAA, published proposed rules on the HITECH Act's changes. Although many of the provisions under the HITECH Act took effect on February 18, 2010, the OCR acknowledged it would be difficult for covered entities and business associates to comply with the changes until final rules are issued. Therefore, OCR intends to extend the date of compliance to 180 days after the effective date of the final rule. In fact, the proposed rules allow covered entities and business associates to continue to operate under existing business associate agreements for up to 1 year beyond the compliance date (that is, until 18 months after the effective date of the final rule). This grandfathered status applies to business associate agreements in existence prior to the publication of the final rules. This means current business associate agreements do not yet need to be modified. However, anyone entering into new business associate agreements may want to incorporate the requirements in the proposed rules.
The proposed rules state that business associates utilizing subcontractors that receive PHI must have business associate contracts with the subcontractor. The covered entity will not be required to enter into a business associate agreement with the subcontractor.
Some of the HITECH Act's changes are already in effect, such as breach notification and the modified civil money penalty structure. If your HIPAA program has not been reviewed or updated in a while, this would be a good time to do it.
The author, Elise D. Brennan, may be contacted at firstname.lastname@example.org