The HIPAA Final Rule of 2013, effective from March 26, 2013, makes a few important changes to the definitions.
Firstly, the definition of “Business Associate” has been expanded to include “Patient Safety Organizations”. Hence, Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission, as well as Vendors of Personal Health Records, will be considered “Business Associates”, and such Business Associates will be directly covered under the obligations of the Privacy, Security and Enforcement rules.
Secondly, any “Sub Contractor” of the business associate will also be considered as covered under the provisions of the Final Rule as applicable for Privacy, Security and Enforcement. For this purpose, a Sub Contractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Hence the provision of obtaining satisfactory assurances for meeting HIPAA obligations extends to Sub Contractors as much as to the primary business associates.
The third definitional aspect modified by the Final Rule is that the term “PHI” extends to the information of a deceased person for a period of up to 50 years after death.