The Final Omnibus HIPAA/HITECH Rule: What Does It Mean for Business Associates?
On January 17, 2013, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued its long-awaited omnibus final rule implementing changes to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (Final Rule). The Final Rule significantly impacts business associates and their subcontractors, as well as covered entities that regularly engage business associates. This Alert highlights provisions of the Final Rule applicable to business associates.
DEFINITION OF BUSINESS ASSOCIATE
The Final Rule expands the definition of business associate and extends provisions of the HIPAA Privacy and Security Rules to business associates (including subcontractors who qualify as business associates). As a result, the Final Rule expands both the reach of HIPAA and the exposure to liability for those who violate it.
The Final Rule expressly adds the following entities to the definition of a business associate:
- An organization that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity in the performance of specified patient safety activities.
- A health information organization including a regional health information organization (RHIO), e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access to PHI on a routine basis.
- A vendor that offers a personal health record to individuals on behalf of a covered entity. (Note, however, that if the personal health record service is not offered on behalf of a covered entity, the Final Rule clarifies that the vendor is not subject to HIPAA as a business associate).
- A subcontractor of a business associate that creates, receives, maintains, or transmits PHI on behalf of the business associate. The Final Rule defines the term “subcontractor” as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”
Additionally, the Final Rule clarifies that a business associate is a person who “creates, receives, maintains, or transmits” PHI on behalf of a covered entity, irrespective of whether the person is designated as a business associate in an agreement or otherwise. Entities that maintain PHI on behalf of a covered entity, such as physical storage facilities or companies that store electronic PHI on an ASP basis, are clearly considered business associates under the Final Rule even if they never access or view the PHI. Conversely, an entity that is a mere conduit for the transmission of PHI (e.g., the U.S. Postal Service) will not be considered a business associate under the Final Rule because it has only random, infrequent access to PHI. Notably, the Final Rule indicates that the term “conduit” is intended to be construed narrowly.
EXPANDED OBLIGATIONS AND LIABILITY FOR BUSINESS ASSOCIATES
The Final Rule solidifies the HITECH Act’s impetus to make business associates directly liable for violations of the Security Rule and for impermissible uses and disclosures of PHI under the Privacy Rule. In particular:
- The Final Rule authorizes the Secretary of HHS to investigate violations and impose direct civil monetary penalties on business associates for violations of the HIPAA Privacy and Security Rules.
- Business associates are directly obligated by the Final Rule to comply with certain Security and Privacy Rule provisions. For example, business associates are now required to adopt certain administrative, physical and technical safeguards in accordance with the Security Rule (including conducting a risk analysis, implementing security policies and procedures and entering into written business associate agreements with their own subcontractors).
- The Final Rule also imposes direct liability on business associates under the Privacy Rule for failing to provide access to an electronic copy of PHI to a covered entity or individual, or failing to provide an accounting of disclosures.
- The Final Rule also applies the minimum necessary standard directly to business associates who use, disclose or request PHI.
Not all of the requirements of the Privacy Rule apply to business associates. For example, business associates need not issue a Notice of Privacy Practices; however, any functions involving PHI that are delegated to a business associate by a covered entity must comply with the Privacy Rule.
The Final Rule’s inclusion of the subcontractors of business associates as business associates themselves means that a subcontractor that creates, receives or maintains PHI on behalf of a business associate must comply with the provisions of HIPAA applicable to business associates and is subject to enforcement actions and liability for failure to comply. The preamble to the Final Rule also clarifies that the term subcontractor includes those acting on behalf of a subcontractor, meaning that the designation of business associate and the associated liability will extend further to any downstream vendor that creates, receives or maintains PHI on behalf of a subcontractor.
The Final Rule also clarifies that a covered entity is not required to enter into a contract or other direct arrangement with a subcontractor that is a business associate of the covered entity’s business associate. Rather, it is the business associate that engages the subcontractor that must enter into a written agreement with the subcontractor. That agreement must describe the subcontractor’s permitted uses and disclosures of PHI and contain the elements traditionally required to be included in a business associate agreement. Each subcontractor, as a business associate, must, in turn, enter into a business associate agreement with each of its subcontractors that utilize PHI in their delegated functions, and so on down the line.
Prior to the Final Rule, covered entities contractually required business associates to ensure that any agents, including subcontractors, to whom the business associate disclosed PHI agreed to the same restrictions that applied to the business associate under the business associate agreement. The Final Rule represents a change in that it imposes a direct regulatory requirement on business associates to enter into written agreements with subcontractors. This regulatory change is important for covered entities, as well, who should now require their business associates to have such written agreements with their subcontractors.
BUSINESS ASSOCIATE AGREEMENTS
Covered entities, business associates and subcontractors should review and update their business associate agreements to ensure compliance with the requirements of the Final Rule. These agreements must require business associates to:
- Comply with the Security Rule;
- Report to covered entities breaches of unsecured PHI in accordance with the Breach Notification Rules;
- Enter into written business associate agreements with subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate; and
- Comply with the Privacy Rule to the extent that the business associate carries out an obligation of the covered entity that is regulated by the Privacy Rule.
While the Final Rule requires business associate agreements to include an obligation for business associates to report breaches of unsecured PHI to covered entities, the Final Rule does not materially change a business associate’s obligations regarding breach notification. The preamble to the Final Rule makes clear that it is the covered entity that is ultimately responsible for providing notification to individuals, the media and the Secretary, as required. Nevertheless, OCR encourages covered entities and business associates to define in a business associate agreement the obligations of each party with respect to a breach to expedite notification to affected parties. Covered entities may wish to include indemnification obligations and other risk-shifting provisions in their business associate agreements. Finally, business associates and covered entities are no longer required to report breaches of a business associate agreement to the Secretary of HHS when termination of the business associate agreement is not feasible. Accordingly, this provision could be omitted from the business associate agreement.
HHS recently posted sample business associate agreement provisions on its website.
The Final Rule generally establishes a compliance date of September 23, 2013, but also includes a one-year extension to September 23, 2014, for covered entities and business associates to revise their business associate agreements if such agreements were entered into and compliant with HIPAA as of January 25, 2013. Practically speaking, this means that if parties entered into a HIPAA-compliant business associate agreement prior to or as of January 25, 2013, the agreement will be deemed compliant until September 23, 2014 (even if it does not reflect changes required by the Final Rule). However, if the agreement is renewed or modified between March 26, 2013 and September 23, 2013, it loses this grandfathered status and must be updated to comply with the Final Rule by September 23, 2013. Parties that do not have compliant agreements in place that were executed on or before January 25, 2013, will need to execute such agreements by September 23, 2013.
OCR has clearly stepped up its enforcement activities as evidenced by its recent imposition of steep penalties for breaches and noncompliance. The Final Rule makes clear that this trend will continue. Accordingly, covered entities and business associates are well advised to:
- Identify all persons and entities that are business associates based on the expanded definition of business associate in the Final Rule;
- Review existing business associate agreements to determine whether changes required by the Final Rule must be made by September 23, 2013 or September 23, 2014; and
- Modify their business associate agreements to meet the new requirements of the Final Rule.
For assistance in these efforts, please contact any of our Employee Benefits or Health Care Professionals.