 HIPAAdvisory > HIPAAction > HIPAA/LAW: Legal Q/A Phoenix Health Systems

HIPAA/LAW: Legal Q/A
April 2002


"Delaying the Business Associate Compliance Date: a Good Thing?"

by Steve Fox, Esq., & Rachel Wilson, Esq., Pepper Hamilton LLP

QUESTION: I understand that HHS has proposed extending the deadline for compliance with the business associate requirements under the HIPAA privacy rule (the "Privacy Rule"). What does this mean for covered entities?

ANSWER: HHS has proposed the addition of a "transition period" to the Privacy Rule. During this period, certain existing vendor contracts would be deemed to be in compliance with the requirements for business associates for up to one additional year beyond the Privacy Rule's April 14, 2003 compliance date ("Compliance Date"). Under the proposal, covered entities could take advantage of the transition period with respect to those vendor contracts that: (i) are in existence prior to the effective date of the proposal, and (ii) do not expire or are not modified or amended prior to the Compliance Date. This includes contracts which renew automatically, known as "evergreen contracts."

The transition period would effectively extend the deadline for complying with the business associate contract provisions of the Privacy Rule. HHS proposed this period in order to ease some of the financial burdens associated with re-negotiating and amending existing contracts in the relatively short period prior to the Compliance Date. However, the transition period does not apply to small health plans, which already have until April 14, 2004 to comply, or to oral contracts.

The impact that this proposed modification would have on covered entities is unclear at best.

The transition period will certainly add new administrative burdens to covered entities as well as their business associates. For example, it is not uncommon for covered entities to have several contracts with the same vendor. Under the proposed modification to the Privacy Rule, some of the contracts may be required to conform to HIPAA requirements as of the Compliance Date, while others may not. Both covered entities and their business associates will have to keep track of which contracts are subject to HIPAA and which are not.

Another unintended and unforeseen consequence of the transition period may be the de facto extension of the Compliance Date. HHS has made it clear that the transition period does not release covered entities from their obligation to comply with the Privacy Rule. However, it is not uncommon for covered entities to outsource key operations or partner with third parties to perform functions such as billing, which involve the disclosure of protected health information ("PHI"). Since those business associates who are not covered entities themselves will not have to comply with HIPAA for an additional year, any PHI used, disclosed, or created by them will not be subject to the protections mandated under the Privacy Rule. Moreover, HHS has not explained how, in the absence of a business associate agreement, a covered entity will be able to require its business associates to comply with the Privacy Rule requirements related to an individual's right to access, amend, and receive an accounting of the uses and disclosures of PHI. This is clearly inconsistent with the entire premise of providing greater privacy protection. It is unclear how a covered entity required to comply with the Privacy Rule can do business with a business associate that does not have the same requirement.

In order to avoid the ambiguity resulting from HHS' proposal, and to provide a consistent standard of protection for PHI, it would be prudent for covered entities to:

  1. disclose any gaps in privacy protection in their Notice of Privacy Practices;
  2. disregard the transition period and use best efforts to modify existing business associate agreements prior to the Compliance Date or as soon thereafter as possible; and
  3. advise all business associates that, despite the absence of a signed business associate agreement, they are still expected to comply with HIPAA regulations to the fullest extent possible.

Finally, HHS published a template for business associate agreements as part of the proposed modifications to the Privacy Rule (available at: http://www.hipaadvisory.com/regs/privacynprm/modelba.htm). Although use of the model provisions is not required for compliance, the template represents a good starting point for creating a business associate agreement in accordance with the requirements set forth under the Privacy Rule. Covered entities would be ill-advised to use the template as is, since it is not all-inclusive, nor is it intended to be utilized as a "one-size-fits-all" approach to compliance. The template was published in response to numerous requests for guidance. It should be modified and customized so it fits the particular needs of each individual covered entity. For additional suggestions on key business associate contract terms and conditions, please refer to the February 2002 installment of this column.



Steve Fox, Esq., is a partner at the Washington, DC office of Pepper Hamilton LLP. This article was co-authored by Rachel H. Wilson, Esq., of Pepper Hamilton LLP. www.pepperlaw.com

Disclaimer: This information is general in nature and should not be relied upon as legal advice.
