On March 22, the U.S. Department of Health and Human Services (HHS) issued guidance clarifying the obligations of covered entities to require their business associates to comply with HIPAA Administrative Simplification requirements related to standards for electronic health care transactions, code sets, unique identifiers, and operating rules.

While these requirements apply only to covered entities, federal regulation (45 C.F.R. § 162.923(c)) requires covered entities to require their business associates to comply. In other words, when a covered entity engages a business associate to conduct all or part of a transaction for which a standard has been adopted on behalf of the covered entity, the business associate (and any agents or subcontractors) must comply with the requirements.

Actual noncompliance by the business associate could be used as evidence of a covered entity’s failure to require its business associate to comply with all applicable requirements regardless of whether there is an agreement between the covered entity and the business associate obligating the business associate to comply, and even if the business associate is itself a covered entity. As a result, the covered entity may be held responsible for implementing any corrective action and for payment of any civil money penalty.

Sign up to receive Rivkin Rounds at www.RivkinRounds.com.