New Guidance Clarifies HHS's Position on Business Associates and HIPAA Transactions
On March 22, the Department of Health and Human Services (HHS) issued guidance letter GL-2022-03 regarding HIPAA-covered entities' responsibility to require that business associates comply with HIPAA's requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules. The guidance is both a clarification of HHS's read of HIPAA and also a signal to covered entities to ensure compliance by their business associates.
The guidance sets forth the general rule that requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules apply only to covered entities. However, the guidance also states that HIPAA requires covered entities to require their business associates to comply as well. HHS notes that, effectively, this means that when a covered entity engages a business associate to conduct all or part of a transaction for which a standard has been adopted on behalf of the covered entity, the business associate must comply with the applicable standard's requirements.
The guidance also illustrates how HHS's National Standards Group (NSG) may enforce business associate noncompliance. NSG may find a covered entity noncompliant if its business associate's action or inaction is noncompliant with an applicable HIPAA Administrative Simplification requirement. The guidance explains, for example, that if a health plan engages a business associate to transmit remittance advices to healthcare providers and the remittance advices do not use the adopted standard, the health plan may be found noncompliant for failure to conduct a transaction using the adopted standards. NSG may also find the health plan noncompliant for failure to require the business associate to comply with the applicable standard.
Would you like to receive our Day Pitney C.H.A.T. Newsletter? Sign up here.
Recommended
The arrival of Day Pitney Counsel Laura Land Himelstein was featured in the New York Law Journal's Attorneys 'On the Move' column.
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – September
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – September
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – July 2024
Day Pitney Tax Partner Ryan Leichsenring authored an article for the Hartford Business Journal titled, "Here's How to Avoid Common Pitfalls When Managing Charitable Assets."
The news of Ryan Leichsenring joining Day Pitney as a partner in the firm's Tax practice was featured in Thomson Reuters' The Daily Docket Industry Moves column.
Day Pitney Data Privacy Associate Stephanie M. Gomes-Ganhão authored the article "A Review of Part 2: Consider a More Flexible Compliance Program in the Wake of the Revised Rules," for the Journal of Health Care Compliance.
Hartford-based healthcare attorneys Stephanie Gomes-Ganhão and Phoebe Roth authored the article, "Valuable OIG Compliance Advice for New Healthcare Entrants," in the May edition of The Health Care Compliance Association's (HCCA) monthly magazine Compliance Today.
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – April 2024