Day Pitney remains committed to providing quality legal counsel, while protecting our clients and employees, and transforming our communities into more just, equal and equitable spaces. For more information, please visit our COVID-19 Resource Center | Racial Justice and Equity Task Force.


Publications Events

New Guidance Clarifies HHS's Position on Business Associates and HIPAA Transactions

Publisher: Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter
March 29, 2022
Day Pitney Author(s) William J. Roberts

On March 22, the Department of Health and Human Services (HHS) issued guidance letter GL-2022-03 regarding HIPAA-covered entities' responsibility to require that business associates comply with HIPAA's requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules. The guidance is both a clarification of HHS's read of HIPAA and also a signal to covered entities to ensure compliance by their business associates.

The guidance sets forth the general rule that requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules apply only to covered entities. However, the guidance also states that HIPAA requires covered entities to require their business associates to comply as well. HHS notes that, effectively, this means that when a covered entity engages a business associate to conduct all or part of a transaction for which a standard has been adopted on behalf of the covered entity, the business associate must comply with the applicable standard's requirements.

The guidance also illustrates how HHS's National Standards Group (NSG) may enforce business associate noncompliance. NSG may find a covered entity noncompliant if its business associate's action or inaction is noncompliant with an applicable HIPAA Administrative Simplification requirement. The guidance explains, for example, that if a health plan engages a business associate to transmit remittance advices to healthcare providers and the remittance advices do not use the adopted standard, the health plan may be found noncompliant for failure to conduct a transaction using the adopted standards. NSG may also find the health plan noncompliant for failure to require the business associate to comply with the applicable standard.

Would you like to receive our Day Pitney C.H.A.T. Newsletter? Sign up here.

Related Professionals
New York, NY
T: (212) 297 2477
Parsippany, NJ
T: (973) 966 8138
Boston, MA
T: (617) 345 4872
Hartford, CT
New Haven, CT
T: (860) 275 0294
Parsippany, NJ
T: (973) 966 8041
Hartford, CT
T: (860) 275 0168
Hartford, CT
T: (860) 275-0184
Hartford, CT
T: (860) 275 0139
Parsippany, NJ
T: (973) 966 8115
Parsippany, NJ
T: (973) 966 8034
Parsippany, NJ
T: (973) 966 8154