Health Information Compliance Alert

Proposed modifications to the Health Insurance Portability and Accountability Act's privacy rule look to offer some breathing space for covered entities rushing to bring their business associate contracts into compliance.

While leaving unchanged the elements required in such contracts, the proposed rule changes would allow covered entities other than small health plans to continue operating under existing business associate contracts until April 14, 2004. That's one year beyond the current compliance deadline of April 14, 2003.

Small health plans are excluded from the extension because HIPAA already provides an extra year for these smaller businesses to come into compliance.

To qualify for the extension a covered entity's contract with a business associate must meet two requirements. First, it must have been in effect prior to the proposed modifications' effective date. And while it's impossible to predict precisely when that will be, any revisions to the Privacy Rule are statutorily required to become effective by Oct. 13, 2002.

Secondly, qualifying contracts must not be renewed or modified between the effective date and the Privacy Rule's original compliance date of April 14, 2003.

Any contract meeting these two basic requirements will be deemed to be in compliance with the Privacy Rule, even if it fails to meet the rule's applicable privacy provisions. The contract will be considered to be in compliance until it is renewed or modified following either the original compliance date of April 14, 2003 or April 14, 2004.

In addition, any "evergreen contracts" i.e., contracts that renew automatically and remain unchanged that meet the original extension requirements will continue to be considered compliant when they automatically roll over.

While the extension undoubtedly takes the compliance pressure off for the moment, it is important to remember that the extension does not relieve covered entities of their responsibilities with respect to business associates that kick in after the original April 14, 2003 compliance deadline.

Covered entities, for example, must still make protected health information available to the Department of Health and Human Services for compliance purposes, including information held by a business associate.

Similarly, the proposed extension does not relieve a covered entitity of its responsibility to allow an individual to access or amend protected health information held by the entity's business associates. Individuals likewise retain their right to receive an accounting of how a covered entity's business associates use and disclose protected health information.

The changes to the business associate requirements come in response to concerns that the original compliance deadline did not provide enough time to reopen and renegotiate the sometimes hundreds of contracts maintained by large covered entities.

And while the proposed extension certainly relieves that deadline pressure, it also means that covered entities will have to take care to track which business associate contracts are compliant under the privacy rule's final provisions and which are compliant only because of the extended deadline.