On Thursday, July 8, 2010, the Department of Health and Human Services (HHS) announced proposed modifications to the HIPAA Privacy & Security Rules implementing the HITECH Act.  The proposed modifications include new requirements on business associates with regard to their subcontractors.  

The Office for Civil Rights (OCR) within HHS proposes to include in the definition of “business associate” in § 160.103 subcontractors that create, receive, maintain, or transmit protected health information on behalf of a business associate. OCR specifies that it does not intend this proposed modification to mean that a covered entity is required to have a contract with the subcontractor. Rather, the “obligation is to remain with the business associate who contracts with the subcontractor.” In § 164.308(b)(2), OCR proposes “to make clear that it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information.”  

The proposed rule casts business associates into a much more active role, requiring them to enter into business associate agreements (BAAs) with their subcontractors. In effect, business associates would be expected to act as though they are covered entities in terms of identifying when protected health information (PHI) is transmitted to third parties and policing the privacy and security of PHI whenever it flows downstream or outside the business associate workforce.

Because a covered entity with which a business associate has contracted still has an ultimate responsibility for the privacy and security of the PHI of its patients or clients, existing BAAs may require further review and amendments to protect the covered entity sufficiently should this rule be adopted.