Dentists must amend their Business Associate Agreements

The U.S. Department of Health and Human Services (HHS) published the long-awaited final omnibus rule under HIPAA (Omnibus Rule) on Jan. 25, 2013. The rule implements the Health Information Technology for Economic and Clinical Health Act (HITECH) and requires that health care providers amend their Notice of Privacy Practices (NPP) and Business Associate Agreements to include new elements.

The compliance date for the final rule is Sept. 23, 2013.

Business Associate Agreements

Covered entities are required to enter into Business Associate Agreements with any individuals or entities that provide services through which they receive protected health information (PHI). These agreements must require that the business associate comply with the following:

  • business associates are prohibited from using PHI in a manner that would violate the Privacy Rule;
  • business associate must comply with the Security Rule with respect to ePHI;
  • business associate may only use or disclose PHI as permitted by the Business Associate Agreement or required by law;
  • business associate will report to the covered entity any breach of unsecured PHI;
  • business associate will enter into downstream Business Associate Agreements with any subcontractors* and will take steps to cure any breach by a subcontractor.
  • business associates may only use, disclose or request the minimum PHI necessary to accomplish their business obligations;
  • business associate must disclose PHI when required by the Secretary of Health and Human Services for investigation or determining compliance with the Privacy Rule, and to a covered entity or an individual to satisfy the covered entity’s obligations with respect to an individual’s request for access to PHI.

A sample Business Associate Agreement can be found at cda.org/compass.

Notice of Privacy Practices

A covered entity’s Notice of Privacy Practices must also be reviewed and revised for compliance with the omnibus rule. NPPs must now include a statement that certain uses and disclosures of PHI, such as some related to marketing, require an authorization. NPPs should also be amended to reflect the prohibition on the sale of PHI, breach notification requirements, the right for patients to opt-out of fundraising and the right to restrict disclosure of PHI when paying out-of-pocket.

*a subcontractor is any person or entity to whom a business associate delegates a function, activity or service on behalf of a covered entity.

A sample Notice of Privacy Practices can be found at cda.org/compass.

The omnibus rule can be found on the US Department of Health & Human Services website.

Related Items

A HIPAA covered entity is required to provide patients with its notice of privacy practices. The notice must include descriptions of the types of uses and disclosures of protected health information (PHI) that the covered entity is permitted to make without the individual's written authorization, including for each of the following purposes: treatment, payment, and health care operations. The notice also must include a statement about the other uses and disclosures the practice may use PHI; a statement on the individual’s rights with respect to the information; and description of procedures followed when a patient chooses to exercise those rights.

HIPAA requires a covered entity to have a business associate agreement with any entity, individual, or organization that creates, receives, maintains, or transmits patient health information to perform nonclinical functions, such as claims processing or information systems management, on behalf of a covered entity. A dental practice that is a covered entity must have a business associate agreement with each entity that uses its patients’ information for nonclinical functions.