The HIPAA Omnibus Rule – with a compliance deadline of September 23, 2013 – updated the definition of the term “Business Associate”. The definition includes a laundry list of business functions and services that cause a vendor to be a HIPAA Business Associate. The service needs to involve the disclosure of protected health information.
For the County Board of Developmental Disabilities, the new definition provides some welcome clarity. In particular, the definition eliminates from the laundry list the phrase “or any other function or activity regulated by this subchapter.”
Many County Boards use contractors for physical, occupational or speech therapy. In the past, we would include these contractors as business associates since their function – treatment – was clearly regulated by the HIPAA rules. Under the new rules, this type of vendor clearly is NOT a Business Associate. Other vendors who were captured by this “catch all” phrase can also be eliminated from the ranks of business associate.
A redlined version of the definition changes is listed HIPAA Omnibus Rule Definitions for those who wish to view the actual text of the new regulations.
Careful observers will note that this may open a loophole that needs to be filled. If the HIPAA Business Associate agreement is dropped, say for a contracted Physical Therapist, then there are no safeguards to insure confidentiality. The County Board remains obligated to implement appropriate physical, technical and administrative safeguards to protect confidentiality. This author’s recommendation is to use a confidentiality agreement – an “administrative safeguard” — in the place of the HIPAA Business Associate agreement that you drop. The confidentiality agreement can be a simpler and more straightforward agreement than the complex Business Associate Agreement.
