HITECH Final Rule: Business Associate Contract Changes

Posted May 21, 2013 Company News

The 2013 HITECH Final Rules, which went into effect March 26, 2013, impose significant new obligations on covered entities, business associates, and subcontractors. HHS recognizes the additional burden the new requirements impose on these entities so many organizations will have additional time to execute amended business associate contracts beyond the September 23, 2013 compliance date. Businesses that qualify for transition relief may have an additional year beyond September 23, 2013 to execute amended business associate contracts.

 

Employer Obligations

Fully-insured Plans

The impact of HIPAA’s Privacy and Security Rules on fully-insured plan sponsors is fairly minimal, provided that the plan sponsor does not create or receive any protected health information other than “summary health information” or enrollment information. Employers that meet this criteria are not covered entities, therefore, do not generally need to appoint a privacy officer, distribute a privacy notice and adopt a formal privacy policy. They also are not directly impacted by the HITECH regulations and will not need to execute business associate contracts.

Self-insured Plans

Self-insured group health plans are “covered entities” under HIPAA’s Privacy and Security Rules. Employers who sponsor a self- insured comprehensive medical, dental or vision plan, health FSA or health reimbursement arrangement (HRA), etc… must comply with HIPAA privacy and security regulations, including the HITECH regulations. These plan sponsors must make certain that a business associate contract is properly executed with all service providers associated with the plan. Plan sponsors of self-insured health plans will want to make sure that a compliant business associate contract is in place with the claims administrator (TPA), broker or consultant and other service providers.

 

Contracts that Qualify for the Transition Period

The information below will help you to determine whether your business associate contracts qualify for transition relief:

  • Determine whether the business associate contract was in place prior to January 25, 2013.

The additional transition period is available only if the parties had a written business associate contract in place before January 25, 2013, and that business associate contract complied with the privacy and security requirements that were in effect at that time.

No transition period is available if a business associate contract was not in place before January 25, 2013. A compliant contract must be in place by the general compliance date of September 23, 2013.

  • Determine whether the business associate contract must be renewed or modified between March 26, 2013 and September 23, 2013.

The additional transition period is available only if the contract does not need to be renewed or modified in the six month period following March 26, 2013. Contracts that are not renewed or modified between March 26, 2013 and September 23, 2013 will be considered compliant for the transition period.

No transition period is available if the contract is modified or renewed between March 26, 2013 and September 23, 2013, therefore, the contract will need to be compliant by the general compliance date of September 23, 2013.

A business associate contract that qualifies for transition relief does not have to be amended or modified to comply with the 2013 final regulations until the earlier of (a) the date it is renewed or modified, or (b) September 22, 2014.

 

Evergreen Contracts

Many business associate contracts that have been executed are what we call “evergreen” contracts. These contracts renew automatically without any action by the parties involved. The preamble to the final regulations indicates that HHS intended that these contracts would be eligible for the additional transition period.

It is important to understand that the transition period applies to the contracts (documentation) only. All parties are required to comply with the HITECH final regulations by the compliance date of September 23, 2013.

 

What Is a “Business Associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The HIPAA Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

Examples of Business Associates

  • A third party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

 

The Next Steps

Henderson Brothers, Inc. benefit consultants and analysts will be working with self-insured plan sponsors to make sure that a business associate agreement is executed between Henderson Brothers, Inc. and their plan(s). Although HBI staff will assist with this process, it is important to understand that self-insured plan sponsors are ultimately responsible for making certain a compliant business associate contract is completed and on file for every service provider involved with the administration of their plans.

 

Please note that the information contained in this document is designed to provide authoritative and accurate information, in regard to the subject matter covered. However, it is not provided as legal or tax advice and no representation is made as to the sufficiency for your specific company’s needs. This document should be reviewed by your legal counsel or tax consultant before use.

Additionally, the messages and content within the Pittsburgh Health Care Reform group do not reflect the advisory services of Henderson Brothers, Inc.


 

Contributing EXPERT: Shari Herrle

 

To download the PDF version of this EXPERT UPDATE, please click on the link below: