There may be some disagreement as to when the HHS Omnibus Rule will actually arrive, but everyone agrees that it is coming. Director Rodriguez confirmed as much last week. There is also very little doubt that the Rule is going to have a huge impact on business associates.
The revised business associate definition from the NPRM issued in July 2010 is as follows:
Business associate:
(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
A couple of changes in the definition require special mention:
- The term "individually identifiable health information" has been replaced with "protected health information" (a technical modification, but nonetheless something to be aware of).
- The "treatment" and other exceptions are now included in the definition instead of being scattered about the HIPAA Privacy and Security Rules.
- Subcontractors of business associates are now on the hook.
The last point can be depicted graphically as follows:
It hasn't gotten nearly as much attention as it deserves, but that will change as soon as the Omnibus Rule is released. As Director Rodriguez said so artfully, "stay tuned."