Skip to main content
Free Billing Consultation
Back to Blog

Who Does The HIPAA Omnibus Rule Define As A Business Associate?

October 9, 2013
by Simon Hughes
Dot grid in the shape of the USA with many highlighted dots.

Hipaa omnibus rule Business Associate resized 600Issued at the beginning of 2013, HIPAA’s Omnibus Rule makes important changes to the definition and responsibilities of business associates, and although the rule stipulates that businesses have until late September to become compliant, practices with existing business associate agreements may be able to have that deadline extended for up to a year.

So what are the changes that were put in place by the new rule? Well, before the rule was issued in January, business associates were defined as those individuals or entities who, while not a member of the covered entity’s workforce, worked in the interests of that covered entity to: create, receive or transmit protected health information (PHI); or provide legal, accounting, consulting or other services. Under the new rule, the word “maintain” has been added to ensure the inclusion of data storage companies, such as those companies that act as repositories for Meaningful Use and PQRS data. The new rule also includes health information (HI) organizations and prescription gateways that facilitate the transmission of PHI to or on behalf of a covered entity and other entities that capture and access PHI on a regular basis.

The “conduit exception,” designed to protect couriers such as the United States Postal Service, Federal Express or similar entities and exclude them from liability, still applies under the new rule. Under both the old and new rule, a “conduit” is any business that transports information without accessing it except on an infrequent basis.

In addition, under the new rule, “subcontractors” are also covered under the new definition of business associate. A subcontractor, as defined by the new rule, is any individual or entity that performs a delegated activity or service on behalf of a business associate without being a member of the associate’s workforce. The definition also includes subcontractors of subcontractors – that is, individuals or entities contracted by the subcontractor to perform the original task or a portion of that task.

That’s what the new rule does define as a business associate. Now, what or who is not defined as a business associate under the new rule?

In general, business associates are not:

  • A health care provider, when the health care provider is being consulted regarding the course of care for an individual patient;
  • A government agency, when information is being used to determine eligibility for a government plan; or
  • A covered entity that is taking part in an organized health care arrangement that creates, receives, maintains, or transmits PHI in order to facilitate or fulfill recordkeeping or other administrative tasks or similar responsibilities on behalf of the organized arrangement.

In addition, Personal Health Record (PHR) vendors may or may not be considered business associates, depending upon their specific role. For example, when a vendor offers PHRs directly to an individual, it is not considered a business associate; however, when it offers PHRs to individuals on behalf of a covered entity, it is considered a business associate and is considered liable under the new rule.

As with the previous rule, covered entities are required to enter into business associate agreements (BAAs) with associates, and associates must enter into BAAs with their subcontractors, in order to provide assurance that the associate or subcontractor understands privacy requirements and will comply with those requirements. In addition, the BAA must now include verbiage indicating that the associate will adhere to the Security Rule with regard to electronic PHI, that they will report breaches of unsecured PHI to covered entities and that they will make sure any subcontractors they use agree to the same regulations and restrictions regarding PHI.

Sound complicated? While the changes implemented by the new rule are not substantial, understanding and complying with them is critical to remain in compliance and avoid costly penalties. To see these rules in action, take a look at the sample BAA provided at the U.S. Dept. of Health and Human Services (HHS) website .

 

{{cta(‘677eb645-eebd-4c45-a37d-e84cc5d3e4a7’)}}
Image courtesy of www.foxgrp.com

More Insights & Posts

April 22, 2024

The Value of Chronic Pain to an Anesthesia Practice: What Is It and How Is It Best Realized?

Anesthesia providers distinguish themselves by virtue of their ability to manage all types of pain. While most of their time and energy is focused on the acute pain related to surgical procedures and deliveries, many providers also consider themselves qualified to manage chronic intractable pain. The result can be two very distinct types of practice. […]

Read More
April 19, 2024

BCBS To Discontinue Physical Status Payments

Last week, we sent out a special alert advising our readers of a change in Aetna’s payment policy in connection with physical status (PS) modifiers on anesthesia claims. The payer announced it would no longer provide additional payment for PS 3-5, effective July 15 of this year. Not to be outdone, several of the “Blues” […]

Read More
April 17, 2024

2025 IPPS Proposed Rule: Highlights for Hospitals

On April 10, 2024, the Centers for Medicare and Medicaid Services (CMS) issued the fiscal year (FY) 2025 Medicare hospital inpatient prospective payment system (IPPS) proposed rule. While these provisions are not final, they do give current insight into the agency’s thinking in terms of a host of issues concerning the inpatient hospital setting, including […]

Read More

Get the Latest RCM News Delivered

Receive practical tips on medical billing and breaking news on RCM in your inbox.

Get in Touch