Question: New HIPAA privacy regulations were published last week.  I understand they include some changes that affect business associates.  Do we need to send new business associate agreements to all of our business associates?  Should we put a moratorium on any business associate agreements that are currently in production, to give us a chance to first make amendments?

Answer: The new HIPAA privacy regulations do, in fact, make some changes regarding business associates.  They add subcontractors of business associates to the definition of “business associate” (though they do not require covered entities to enter into business associate agreements with subcontractors).  The rule also expands the definition of business associate so that “health information organizations” and those that provide data transmission services with respect to PHI (if routine access to PHI will be required) and those that offer personal health records on behalf of covered entities will be covered.  The rule also clarifies that those that maintain (rather than transmit) PHI on behalf of a covered entity are business associates, regardless of whether they have routine access to the PHI in their possession.  Accordingly, since the rule provides some changes and clarification to the definition of “business associate,” it may require you to send out business associate agreements to current and new business partners who were previously not identified as business associates.  It is not as clear whether covered entities will need to revise the substance of their business associate agreements, but that largely depends on whether you have been diligent in amending your business associate agreements to comply with changes to the HIPAA rules over the past several years (for example, as the HITECH Act was passed).

Though slightly unrelated, you should be aware that the new rule requires some changes to your Notice of Privacy Practices (NPP), which means that once those changes are made, you will need to replace all of the NPPs posted in your facilities and on your website and make copies of the new NPP available to patients who request them.  Likewise, the new Notice will need to be distributed to new patients.