On March 22, the Department of Health and Human Services (HHS) issued guidance letter GL-2022-03 regarding HIPAA-covered entities' responsibility to require that business associates comply with HIPAA's requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules. The guidance is both a clarification of HHS's reading of HIPAA and a signal to covered entities to ensure compliance by their business associates.
The guidance sets forth the general rule that requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules apply only to covered entities. However, the guidance also states that HIPAA requires covered entities to require their business associates to comply as well. HHS notes that, effectively, this means that when a covered entity engages a business associate to conduct all or part of a transaction for which a standard has been adopted on behalf of the covered entity, the business associate must comply with the applicable standard's requirements.
The guidance also illustrates how HHS's National Standards Group (NSG) may enforce against business associate noncompliance. NSG may find a covered entity noncompliant if its business associate's action or inaction is noncompliant with an applicable HIPAA Administrative Simplification requirement. The guidance explains, for example, that if a health plan engages a business associate to transmit remittance advices to healthcare providers and the remittance advices do not use the adopted standard, the health plan may be found noncompliant for failure to conduct a transaction using the adopted standards. NSG may also find the health plan noncompliant for failure to require the business associate to comply with the applicable standard.
Copyright © 2024 Day Pitney LLP, all rights reserved.