Contributed by Marcia Augsburger as part of the ongoing Compliance Matters series
On January 17, 2013, the Office for Civil Rights (“OCR”), Department of Health and Human Services, issued the long-awaited final rule: “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.” The final rule is effective March 26, 2013. Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013.
The final rule seeks to address OCR’s findings in carrying out Executive Order 13563, which required OCR to conduct a retrospective review of existing regulations to identify ways to reduce costs and increase flexibilities under HIPAA. The rule may or may not reduce costs, but the guidance provides more certainty for some businesses, and more flexibility for others, in interpreting privacy regulations that seemingly inhibited growth and development in the health care industry.
The rule clarifies that persons who undertake patient safety activities are BAs,[1] as are organizations such as Health Information Organizations,[2] E-prescribing Gateways, or Regional Health Information Organizations that provide data transmission of PHI to a CE or its BA and that require routine access to such PHI. As much as the rule offers certainty about these entities, however, it also leaves room for argument, as OCR declined to define them with specificity.
Indeed, OCR declined to statically define any type of BA, emphasizing repeatedly the necessity of performing a factual analysis in uncertain situations, guided by principles designed to meet the overarching goals of HIPAA, HITECH and GINA. OCR also settled a topic of some debate at health lawyers’ conferences by acknowledging that mere conduits are not BAs.
[1] This conforms to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b-21 et seq. PSQIA provides for the establishment of Patient Safety Organizations (“PSOs”) to receive reports of patient safety events or concerns from providers and to provide analyses of those events to providers. Such reports may include PHI. 42 CFR 3.10 et seq.
[2] OCR declined requests for a more specific definition of “Health Information Organizations,” saying only that the term currently refers to organizations that govern health information exchange among organizations within a defined geographic area, but that as the industry evolves, the types of entities that fall within this definition may change.