New Guidance Clarifies HHS's Position on Business Associates and HIPAA Transactions
On March 22, the Department of Health and Human Services (HHS) issued guidance letter GL-2022-03 regarding HIPAA-covered entities' responsibility to require that business associates comply with HIPAA's requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules. The guidance both clarifies HHS's reading of HIPAA and signals to covered entities that they should ensure compliance by their business associates.
The guidance sets forth the general rule that requirements related to standards for electronic transactions, code sets, unique identifiers and operating rules apply only to covered entities. However, the guidance also states that HIPAA requires covered entities to require their business associates to comply as well. HHS notes that, effectively, this means that when a covered entity engages a business associate to conduct all or part of a transaction for which a standard has been adopted on behalf of the covered entity, the business associate must comply with the applicable standard's requirements.
The guidance also illustrates how HHS's National Standards Group (NSG) may enforce business associate noncompliance. NSG may find a covered entity noncompliant if its business associate's action or inaction is noncompliant with an applicable HIPAA Administrative Simplification requirement. The guidance explains, for example, that if a health plan engages a business associate to transmit remittance advices to healthcare providers and the remittance advices do not use the adopted standard, the health plan may be found noncompliant for failure to conduct a transaction using the adopted standards. NSG may also find the health plan noncompliant for failure to require the business associate to comply with the applicable standard.