By Michael J. DeCarlo, Esq., Director and Counsel for Policy Development, Health Insurance Association of America
On August 14, 2002, the US Department of Health and Human Resources (HHS) published the final rule containing significant modifications to the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. The final rule is effective on October 15, 2002. Of particular interest to technology vendors and IT managers is the final rule's one-year extension for amending business associate contracts.
Prior rule: A "business associate" is any non-workforce person or entity that assists the health plan (covered entity) with performing an activity involving the use or disclosure of protected health information (PHI). The privacy rule permits a business associate to create and receive PHI on the covered entity's behalf if, by April 14, 2003, certain detailed "satisfactory assurances" about appropriately safeguarding the information are written into the business associates' contracts.
Final privacy rule modifications: The recent final rule allows covered entities to continue to operate under existing contracts with business associates for up to one year after the rule's compliance date of April 14, 2003, provided that the current agreements are in force prior to October 15, 2002, and are not modified or renewed prior to the compliance date. The one-year extension does not apply to "small health plans," which are required to have business associate contracts in compliance with the rule by April 14, 2004, the existing deadline for small health plans.
Agreements negotiated after October 15, 2002, are not eligible for the extension and must be compliant by April 14, 2003. However, where an agreement automatically renews without any change in terms or other action by the parties -- i.e., an "evergreen contract" -- such an agreement is eligible for the extension, regardless of whether it renews between October 15, 2002, and April 14, 2003. That deemed compliance would not terminate if and when a contract automatically rolls over. All agreements must be in compliance by 2004.
However, the extension for amending business associate agreements does not relieve covered entities of their responsibility to ensure that their business associates will comply with the rule's requirements by the 2003 compliance date. Further, covered entities are explicitly not relieved of their obligation to mitigate, to the extent practicable, any harmful effect resulting from a business associate's use or disclosure of PHI in violation of the covered entity's policies and procedures or the rule.
To learn more about this topic, attend the HIPAA Roundtable and other HIPAA workshops at the HIAA 2002 Forum & Exhibit in New Orleans, October 1-5, 2002. For more information and to register, visit www.hiaa.org.