By: Julie Simer, Esq.

New HIPAA rules became effective for covered entities and business associates on September 23, 2013.  A “covered entity” is a health plan, health care provider, or health care clearinghouse. The term “business associate” now includes any person or entity who “creates, receives, maintains, or transmits” protected health information on behalf of the covered entity. Under the new rules, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. After September 23, 2013, covered entities must have legally-compliant business associate agreements in place with any person or entity that falls under the new definition of “business associate.”