The A - Z Of Proposed Changes Coming To The HIPAA Business Associates Rule



In the Notice of Proposed Rulemaking (NPRM) issued by the Department of Health and Human Services (HHS) on December 10, 2020, HHS put forward several proposed changes that would specifically affect Business Associates (BAs) and other third parties.


The updated rule that is being proposed would prohibit covered entities (CEs) and BAs from imposing unreasonable identity verification measures on someone exercising their right of access to Protected Health Information (PHI).


To guard against unauthorized disclosures of PHI, CEs and BAs are to take reasonable steps to verify the identity of an individual requesting such data. HHS recognizes that individuals are increasingly requesting access to PHI in an electronic format, known as electronic Protected Health Information (ePHI), through apps that do not act on behalf of a CE or BA; under the proposal, these health apps would not be considered BAs.


The updated rule would prohibit CEs and BAs from applying onerous or infeasible registration requirements to health apps, such as requiring an app that does not qualify as a BA to sign a Business Associate Agreement (BAA), or preventing an app from registering with the API (Application Programming Interface) that the CE or BA makes public, unless the CE's or BA's Risk Analysis of the app identifies a security risk.



The NPRM would require CEs and BAs to allow apps to register with their public APIs without a BAA, so that individuals can use those apps to access their ePHI. How is this proposed rule going to change the registration of apps with a CE or BA? Should this portion of the NPRM pass, it will require enhanced data protection measures, regular Risk Analyses and Risk Assessments, vetting of third parties accessing your systems, and updated policies and procedures.


The current version of this NPRM would exclude personal health applications and Telecommunications Relay Services (TRS) from the definition of a BA. A TRS is typically a service that providers use to facilitate phone calls for people with hearing and speech disabilities. A personal health app is defined as a service offered directly to consumers that individuals use for their own purposes and that does not act on behalf of or at the direction of a CE. The NPRM would modify the definition of BAs to exclude TRS providers.

This NPRM provision will require many changes for covered entities and business associates. Here are just a few of the areas that will need to be reviewed, addressed, and updated:


  • Policies and procedures
  • Security standards
  • Notices of privacy practices (NPP)
  • Authorization and disclosure forms
  • Business associate agreements


Regulatory compliance comes in many forms, shapes, and sizes. Dsyfer provides organizations a suite of products for managing your Compliance Program, from customized policies and procedures to organizational adoption and employee training through Dsyfer's eLearning offerings.

Sybersafe has solutions for your organization. For more information, call a client service member at 480.779.4653 or email info@sybersafe.com.


# # # # # #


This press release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995 (the "Act"). In particular, when used in the preceding discussion, the words "believes," "expects," "intends," "will," "plans," "hopes," "anticipated," or "may," and similar conditional expressions are intended to identify forward-looking statements within the meaning of the Act, and are subject to the safe harbor created by the Act. Except for historical information, all of the statements, expectations and assumptions contained in the foregoing are forward-looking statements that involve a number of risks and uncertainties. Actual results could differ from those projected in any forward-looking statements due to numerous factors. Such factors include, among others, the inherent uncertainties associated with the Company's business focus. Sybersafe assumes no obligation to update or correct forward-looking statements, and also assumes no obligation to update or correct information prepared by third parties that are not paid for by the Company.
