Benefits Law Update
        Practical advice from Verrill attorneys

        Final Omnibus Rules Under HIPAA Will Affect Business Associate Arrangements

        by Eric D. Altholz on March 5, 2013

        In a previous post about the new Final Omnibus Rule under HIPAA, we highlighted important changes regarding the process by which potential privacy breaches must be evaluated and classified for notification purposes. As we observed in that post, changes that have been characterized by the Office of Civil Rights (“OCR”) of the Department of Health and Human Services as “modifications and clarifications” can have far reaching legal compliance implications for covered entities, including employer sponsored group health plans. We now turn to rule changes affecting business associates and the legal relationships between business associates and employer sponsored group health plans. Plan sponsors certainly will need to take actions to respond to the Final Rule, but the new rules have a particularly significant impact on the legal obligations of business associates.

        Broader Definition of Business Associate

        The Final Rule expands the definition of “business associate” to include:

        • Entities that provide data transmission services to a covered entity with respect to PHI and have regular access to such PHI (referred to as “health information organizations”);
        • A person who offers a personal health record to one or more individuals on behalf of a covered entity;
        • Entities that undertake patient safety activities on behalf of a covered entity (referred to as “patient safety organizations”); and
        • Subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of a business associate.

        The Final Rule makes clear that entities storing or maintaining electronic PHI (“ePHI”) for covered entities qualify as business associates because they have regular access to PHI, even if they do not actually view the information or do so only on a random or infrequent basis. (Some commentators have even suggested that cloud providers storing or maintaining ePHI on behalf of covered entities may qualify as business associates.) The Final Rule notes, however, that an entity simply providing data transmission services (e.g., data conduits) and having only random or infrequent access to ePHI is not considered a business associate.

        Direct Liability of Business Associates

        The Final Rule implements the well publicized provisions of the HITECH Act that extend to business associates direct liability for a failure to comply with the applicable privacy and security standards of HIPAA. In particular, a business associate must comply with the following requirements (just as a covered entity must) or face direct liability under HIPAA:

        • Refrain from any uses and disclosures of PHI that are not in accord with its business associate agreement or the HIPAA privacy rule;
        • Disclose PHI when required by the Secretary of HHS as part of an investigation of the business associate’s compliance with the HIPAA Rules;
        • Disclose PHI to the covered entity or individual as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of PHI;
        • Provide breach notification to the covered entity;
        • Provide an accounting of disclosures;
        • Comply with the requirements of the Security Rule;
        • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
        • Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.

        The Final Rule helpfully clarifies that covered entities are not required to obtain “satisfactory assurances” with respect to compliance from subcontractors of business associates. Instead, the business associate is required to obtain such assurances from a subcontractor. Direct liability under HIPAA will attach regardless of whether the business associate and subcontractors have entered into the required business associate agreements.

        Amendments to Business Associate Agreements

        In order to comply with the Final Rule, a business associate agreement (“BAA”) must include, among other things, provisions requiring the business associate to:

        • Comply with applicable provisions of the HIPAA security rule;
        • Ensure that any subcontractor creating, receiving, maintaining, or transmitting ePHI on behalf of the business associate agrees to comply with applicable requirements of the security rule by entering into a contract or other arrangement that complies with the business associate provisions;
        • Ensure that any subcontractor creating, receiving, maintaining, or transmitting PHI on behalf of the business associate agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
        • Report to the covered entity breaches of unsecured PHI as required by the breach notification rules; and
        • To the extent the business associate carries out a covered entity’s obligations under the privacy rule, comply with the requirements of the privacy rule that apply to the covered entity in the performance of such obligation.

        If a BAA currently in place does not include all of those provisions, any necessary amendments must be executed by September 23, 2013 (the generally applicable compliance deadline under the Final Rule). The Final Rule does, however, include helpful transition relief regarding BAA amendments. Specifically, the Final Rule allows a covered entity and a business associate to continue to operate under an existing BAA for up to one year beyond the compliance date (i.e., until September 22, 2014) if, prior to January 25, 2013 (the publication date of the Final Rules), the covered entity and the business associate were parties to a BAA that complied with the prior provisions of the HIPAA rules and such BAA is not renewed or modified after March 25, 2013. Any BAA that is modified or renewed (other than an automatic renewal with no changes) between March 26, 2013 and September 23, 2013 must include the new provisions. And, of course, any BAA first entered into on or after September 23, 2013 must comply fully upon execution.

        Clearly business associates and covered entities will have work to do comply with these provisions of the Final Rule. As a start, employers and business associates should review existing BAAs to determine whether the transition relief is available. Even if transition relief is available, it is not too early for employers who sponsor self-funded group health plans to contact their known business associates to ask when they can expect to see new BAAs and for larger employers to update their own model BAA.

        There is more to say about the Final Omnibus Rules and more for employers to do in response to them. Our series on this topic will continue with a review of the greatly augmented enforcement and penalty provisions, as well as an examination of changes that employers may need to make in their HIPAA policies and procedures.

        Benefits Law Update

        Verrill’s Benefits Law Update blog delivers timely insights and practical guidance on the ever-evolving landscape of employee benefits and executive compensation. Our blog provides up-to-date analysis and commentary on a wide range of topics, including timely updates on developments in law affecting employee benefit plans and executive compensation arrangements.

        Key Contacts

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...