September 23rd Deadline Has Passed


On September 23rd, all business associate agreements (BAAs) that were active prior to the Omnibus Rule were required to be updated to comply with the Omnibus Rule. The changes were significant and will be enforced by the Office for Civil Rights (OCR). In response, David Holtzman recently authored an article, “Don’t Let Enforcement of New HIPAA Requirements Catch You Napping,” in the October issue of Compliance Today. The article reviews what every covered entity and business associate needs to know about the September 23rd deadline, including the following:

The change of seasons from summer to fall has brought us to key dates for compliance with the HIPAA Privacy and Security Rule standards for business associate agreements (BAAs) and the right of individuals to access their protected health information (PHI) from medical laboratories.

Business Associate Agreements

Key dates are on the horizon affecting compliance with the HIPAA Privacy and Security Rule standards for Business Associate Agreements (BAAs) and the right of individuals to access their protected health information (PHI) from medical laboratories. A delay in the enforcement of required changes to the Notice of Privacy Practices (NPP) issued by Clinical Laboratory Improvement Amendments (CLIA)-covered labs and non-CLIA labs ends with the October 6, 2014 compliance date for the right to access records of medical laboratories.

The HIPAA Omnibus Rule, issued in January 2013, changed the standards for BAAs, adding a number of requirements, including executing a new or revised BAA that contains the new or modified provisions. The rules changing the required provisions of the BAA took effect in September 2013 for agreements created or modified after the Omnibus Rule’s publication. HHS used its enforcement discretion to give covered entities more time to revise BAAs that were already in place, but the extended compliance deadline to update those BAAs ended on September 23, 2014.

The modifications to the HIPAA Privacy and Security Rules, among other things, expand the definition of business associates (BAs). Under the revised rules, “business associate” now includes any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity or their BA, or any entity that provides services to or for the covered entity involving the use or disclosure of PHI. This means that all downstream subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate now meet the definition of a BA. Another major change is that BAs are now directly liable for certain Privacy and Security Rule violations. Prior to the new rule, BAs had only contractual liability to their covered entity but no direct liability to OCR for HIPAA violations.

In addition to broadening the definition of who is a BA and imposing direct liability for compliance with the Security Rule and certain provisions of the Privacy Rule, the new rules require covered entities to update their BAAs to comply with the new HIPAA requirements. BAAs must provide that the business associate will (1) comply with the HIPAA Security Rule, (2) report breaches of unsecured PHI to the covered entity, and (3) enter into BAAs with subcontractors in the same manner that the covered entity contracts with the BA.

Right to Access PHI & Notice of Privacy Practices

A second key provision that recently took effect is the right of individuals to access health information from medical laboratory providers who administer tests that are subject to CLIA. The new rule was published as a final rule in February 2014 and is being enforced as of October 8, 2014.

The right to access health data removes legal barriers that stopped medical laboratories from providing lab test results directly to patients and their designees, such as developers of their personal health records systems. The rule preempts laws that were in place in 13 states and lifts a federal exemption effective in 26 more states.

Previously, in those 39 states, patients could receive or view their lab test results only through their physician or other authorized healthcare provider, or with the consent of the provider who ordered the procedure. The final rule issued jointly by CMS and OCR in February 2014 amends the Clinical Laboratory Improvement Act, which regulates 239,000 healthcare testing labs.

Before the revisions, CLIA stipulated that labs could release test results to three types of individuals: the person authorized under state law to order or receive results (typically a physician), the person responsible for using the test results for treatment, and the referring lab that requested the test.

The new rule also eliminated an exemption for CLIA-covered labs from the requirements of the HIPAA Privacy Rule, which generally requires healthcare providers to give patients access to review their PHI or to receive a paper copy of their medical records on request. Under the new rule, labs are required to provide patients electronic access or paper copies of their lab test results within 30 days of a request.

The enforcement of the HIPAA Privacy Rule requirement on CLIA-covered labs that individuals be given access to their health records spells the end of a delay in OCR’s enforcement of the requirement that certain HIPAA-covered laboratories revise their NPPs to comply with the modifications to the HIPAA Rules made by the Omnibus Rule. The enforcement delay applied to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that were not previously required to provide individuals with access to their laboratory test reports. The enforcement delay did not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and that, by virtue of that relationship, would not have their own laboratory-specific NPPs.

Under the HIPAA Privacy Rule, a covered entity is required to promptly revise its NPP whenever there is a material change to any of the privacy practices stated in the NPP. The Omnibus Rule made a number of material changes to the privacy obligations of HIPAA covered entities, which in turn required revisions to the covered entities’ NPPs when the new rules took effect in September 2013. The purpose of requiring changes to the NPP is to ensure that individuals are aware of their new health information privacy protections and rights. With the amendments to the CLIA regulations regarding the right of individuals to receive their reports directly from CLIA-covered and CLIA-exempt laboratories, the affected laboratories need to ensure that their NPPs inform individuals of this new right and include a brief description of how to exercise it.

This article was published in the October 2014 print edition of Compliance Today.

Holtzman, David. “Don’t Let Enforcement of New HIPAA Requirements Catch You Napping.” Compliance Today, Oct. 2014: 73–74. Print.