Final answer:
Post-2009, following the enactment of ARRA and the HITECH Act, Business Associates are directly subject to HIPAA regulations and must sign business associate agreements, ensuring the protection of Protected Health Information. Option b is the correct answer.
Step-by-step explanation:
After the enactment of the American Recovery and Reinvestment Act (ARRA) in 2009, the roles and responsibilities of Business Associates (BAs) in healthcare changed significantly. One of the key aspects of ARRA was the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which expanded the reach of the Health Insurance Portability and Accountability Act (HIPAA) regulations to directly apply to BAs. Before HITECH, BAs were not directly subject to HIPAA regulations and relied on contracts with covered entities to determine their compliance obligations; ARRA and the subsequent HITECH Act made BAs directly liable for compliance with certain HIPAA privacy and security rules.
With these changes, BAs are required to sign business associate agreements (BAAs) that specifically bind them to HIPAA compliance, including the protection of Protected Health Information (PHI). This means that BAs can indeed handle PHI, but they must do so under the terms of BAAs and are required to implement the safeguards necessary to protect the information in accordance with HIPAA rules. Therefore, BAs are not exempt from privacy requirements; instead, they are more integrated into the regulatory framework that governs patient privacy and data security in the healthcare sector.
In conclusion, the correct statement about a business associate after the enactment of ARRA post-2009 is: b) BAs are subject to HIPAA regulations. They are still required to sign BAAs and are definitely not exempt from privacy requirements, nor are they prohibited from handling PHI under the proper agreements and safeguards.