• Home
  • Blog
  • Contact
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceHIPAA Compliance
  • Home
  • Blog
  • Contact

HIPAA Final Rule: Modification of Business Associate Definition, Part (6)–Exceptions

February 14, 2013 Health IT and HITECH, HIPAA Law, Privacy, Security No Comments

February 14, 2013.  Today, we finish examining the business associate definition, focusing on exceptions, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Paragraph (4) of the modified definition outlines 4 exceptions (45 CFR 160.103, Definitions, as shown at 78 Federal Register 5688):

(4) Business associate does not include:

(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of 164.504(f) [Standard:  Requirements for group health plans] of this subchapter apply and are met.

(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

In general, these exclusions have been a part of the HIPAA Rules, but three have been moved from other parts of the Rules, as described below, to the definition, and wording has been tightened or modified (e.g., in (iii), protected health information has been substituted for individually identifiable health information). [78 Federal Register 5574]

Exception (iv) was part of the predecessor definition of business associate at 45 CFR 160.103(2), with slight changes in wording, but not substance.

The Final Rule discusses items (i)-(iii):  “Sections 164.308(b)(2) [Standard:  Business associate contracts and other arrangements “does not apply”] and 164.502(e)(1)(ii) [Standard:  Disclosures to business associates “does not apply”] of the HIPAA Rules currently describe certain circumstances, such as when a covered entity discloses protected health information to a health care provider concerning the treatment of an individual [i], in which a covered entity is not required to enter into a business associate contract or other arrangement with the recipient of the protected health information.  We proposed to [and did, in the Final Rule] move these provisions to the definition of ‘business associate’ itself as exceptions to make clear that the Department does not consider the recipients of the protected health information in these circumstances to be business associates.  The movement of these exceptions also was intended to help clarify that a person or an entity is a business associate if the person or entity meets the definition of ‘business associate,’ even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.”  [78 Federal Register 5574]

Tomorrow, we begin to examine new definitions in the Final Rule, and next week we look at modifications in the Final Rule regarding enforcement.

Tags: activityauthorized by lawbusiness associatebusiness associate contractcompliance datecovered entitydefinitionDisclosureeffective dateeligibilityEnforcementenrollmententityexceptionsFederal Registerfunctiongovernment agencygovernment health plangroup health planHealth Care Providerhealth insurance issuerHIPAA Final RuleHIPAA rulesHMOIndividually Identifiable Health InformationMarch 26 2013modificationorganized health care arrangementpersonplan sponsorprotected health informationpublic benefitsSeptember 23 2013SubcontractorTreatment
No Comments
Share
0

You also might be interested in

Clock Running Down on Business Associate Compliance with HIPAA Security Rule Required by HITECH Act

Jan 19, 2010

Less than one month to go:  Business Associates must comply[...]

Final Rules for EHR Incentives and Certification Criteria at OMB for Review

Jul 8, 2010

The Office of Management and Budget (OMB) received in early[...]

Contingency Plan-What This HIPAA Security Rule Administrative Safeguard Standard Means

Apr 1, 2009

This is the seventh Administrative Safeguard Standard of the HIPAA[...]

Leave a Reply Cancel Reply

Categories

  • 5010
  • American Recovery and Reinvestment Act
  • Enforcement
  • GINA
  • Health Care Reform
  • Health IT and HITECH
  • HIPAA Law
  • Identifiers
  • Meaningful Use
  • Privacy
  • Red Flags Rules
  • Security
  • Transactions & Code Sets
  • Uncategorized

Recent Posts

  • Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices
  • HIPAA Breach: Who You Gonna Call?
  • Can I Be Sued for a HIPAA Violation?
  • Business Associate Agreements – a First Look at Indemnification
  • Gmail, Google Apps for Business HIPAA Business Associate Agreements

Archives

Contact Us

We're currently offline. Send us an email and we'll get back to you, asap.

Send Message
HIPAA- Health Insurance Portability Accountability Act

© 2023 · hipaa.com

Prev Next