HITECH Final Rule Released (HIPAA)

In a recent bulletin provided by Reed Smith, the Optical Lab Division's retained legal firm, it was announced that the Health Information Technology for Economic and Clinical Health Act (HITECH) final rule (the "Final Rule") has been released, which finalizes regulations under the Health Insurance Portability and Accountability Act (HIPAA). The HITECH Final Rule alert can be found here.

What's New?

The Final Rule requires that Business Associates comply with the Security Rule and aspects of the Privacy Rule. The definition of "Business Associate" is also expanded and includes subcontractors of Business Associates who have access to Protected Health Information (PHI), as well as subcontractors of subcontractors and so on. Subcontractors will be regulated in the same manner as a Business Associate, and will be directly liable for HIPAA infractions.

Who is affected?

Covered Entities (labs that electronically submit claims for payment to insurance providers) that utilize lab management software are likely to be affected, as are their Business Associates (vendors).

What must be done?

HIPAA requires Covered Entities to execute a Business Associate Agreement (BAA) with Business Associates (vendors) that have access to PHI, either within your system directly, or on storage devices, in order to perform activities or services for or on behalf of the Covered Entity. Covered Entities must review existing BAAs to determine which agreements require revisions as a result of new requirements in the HITECH Final Rule. Any BAAs entered into after January 25, 2013 (the date the HITECH Final Rule was released) must comply with the HITECH Final Rule before September 23, 2013. If a BAA was executed prior to January 25, 2013, is in compliance with HIPAA, and is not renewed or modified, then a Covered Entity has until September 22, 2014 to execute a revised BAA. Additionally, a Business Associate Subcontractor Agreement (BASA) must be executed between a Business Associate and its subcontractors, if the subcontractors have access to PHI in order to perform activities or services for, or on behalf of, the Business Associate.

  • You need only execute a BAA with your vendor, not its subcontractors; vendors are responsible for executing BASAs with their subcontractors.
  • A third party contracted to do work for a covered entity is considered a Business Associate and a BAA is required.
  • Revised BAAs should be executed as soon as possible.
  • Labs are not usually Business Associates of Eye Care Professionals. A model response letter for ECPs who request a BAA from labs is available below.
  • New HIPAA Security and HIPAA Privacy development manuals have been developed for members. These new manuals should replace any that may have been completed prior to July 2013.

HITECH Final Rule and Related Materials


Members with questions pertaining to this issue should contact Greg Jacobs of Polsinelli PC at GJacobs@Polsinelli.com.