The Final Rule broadens the definition of Business Associate under HIPAA, such that HIPAA now applies to a whole new group of entities that will all need to be compliant by September 23, 2013. The Final Rule clarifies that the following persons and entities are now Business Associates under HIPAA:
1) Any person or entity that provides data transmission services of PHI to a Covered Entity and requires access on a routine basis to such PHI. (Covered Entities will need to review their relationships with vendors and others who transmit PHI on their behalf and determine whether that person or entity requires access to its PHI on a routine basis. Many Covered Entities will gain an expanded list of Business Associates through this clarification of the Final Rule and will need to put Business Associate Agreements in place by the compliance date).
2) Any subcontractor of a business associate that handles PHI. (If a Business Associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is now a Business Associate under HIPAA, and under the new regulations, there must be a written agreement in place between the Business Associate and its subcontractor that meets all of the requirements of a Business Associate Agreement under HIPAA. The Final Rule also makes it clear that in this situation, it is the Business Associate who retains the subcontractor, and not the Covered Entity, that is responsible for ensuring there is a proper Business Associate Agreement in place).
3) Any entity that maintains PHI on behalf of a Covered Entity. (Under the Final Rule, a Business Associate now includes a person or entity that maintains PHI on behalf of a Covered Entity, even if that person or entity does not access or view the PHI. If a Covered Entity uses an outside organization to store and/or maintain its PHI, it now needs to make sure it has a Business Associate Agreement in place with that vendor that meets all the requirements under HIPAA).
Taken in part from: Miller & Martin, PLLC 3/8/2013