In July 2010, the Department of Health and Human Services' Office for Civil Rights published a proposed rule, mandated under the HITECH Act, to strengthen provisions of the HIPAA privacy, security and enforcement rules. OCR expects this year to release a final "omnibus" rule, which also will include changes to the breach notification rule.

If the final rule closely follows what was proposed, it will beef up requirements on covered entities, their business associates, and subcontractors of business associates.

The changes are significant because the proposed rule puts new requirements on business associates and subcontractors, who are the "downstream" handlers of much of the protected health information-paper and electronic-that moves through the health care industry. And the new requirements, if finalized, will change relationships between the spectrum of entities handling protected health information.

Under existing HIPAA rules, covered entities--providers, payers and claims clearinghouses that conduct HIPAA claims and related transactions electronically--are liable for criminal or civil penalties for violations of the privacy, security and breach rules.

Covered entities also are liable for failure of their business associates to abide by the rules, but there are circumstantial exemptions. But under the July 2010 proposed rule those exemptions would be removed, exposing covered entities to liability for any violations by business associates.

The exemptions were dropped in the proposed rule because legal liability under HIPAA would be expanded to business associates. The rule also expanded the definition of "business associates" to include health information exchanges, health information organizations, electronic prescribing gateways, patient safety organizations and vendors that contract with covered entities to offer personal health records to patients-making these entities also liable.

The rule then went one step further by defining business associates' subcontractors as business associates under HIPAA. This makes a subcontractor-a person who acts on behalf of a business associate and is not an employee of the business associate-also legally liable for compliance.

A Feature Story in Health Data Management's November issue looks at how a final rule with similar provisions to what HHS proposed would change processes and relationships among covered entities, business associates and subcontractors.


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access