HIPAA and Protected Health Information: BAAs Must Include New Statutory Language

When the Health Insurance Portability and Accountability Act (“HIPAA”) was implemented, it was designed to regulate “covered entities” such as health care providers, hospitals and health insurance companies. Because of this limited regulation, many entities with access to “protected health information” or “PHI” were outside the scope of HIPAA. Those “non-covered” entities included data storage providers, billing companies and other vendors.

HIPAA attempted to close this apparent loophole by requiring covered entities to enter into “business associate agreements” or “BAAs” with non-covered entities that had access to PHI. Simply put, BAAs impose by contract the same obligations on non-covered entities that covered entities have under HIPAA.

When the Health Information Technology for Economic and Clinical Health (“HITECH”) Act became effective in 2010, the relationship between business associates and covered entities changed. HITECH imposed obligations directly on business associates and required covered entities to include certain provisions in BAAs effective September 23, 2013. These new regulations require covered entities to revise their BAAs to include updated language and definitions and to impose obligations on the business associate in the event of a privacy breach.

All new BAAs must include this new statutory language. Existing BAAs (implemented prior to January 15, 2013) must be amended to include the required changes before September 23, 2014.

To discuss your company’s privacy and security policies, procedures, forms, and agreements, please contact KDDK at (812) 423-3183.