As promised, this is the first in our series “The Final HIPAA/HITECH Rule – Breaking It Down.” This installment outlines the changes specific to business associates. In the coming days, we will focus on breach reporting, individual PHI issues (including marketing and sale of PHI), and enforcement.
On January 17, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS-OCR”) released its final rule (the “Final Rule”) which modifies the Privacy, Security, and Enforcement Rules under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Breach Notification Rule under the Health Information Technology for Economic and Clinical Health Act (“HITECH”). The complete text of, and comments to, the Final Rule were published in the Federal Register on January 25, 2013. While HIPAA traditionally applied directly only to covered entities, including treatment providers, health plans, and health care clearinghouses, HITECH expanded the direct applicability of the Privacy and Security Rules to business associates.
The Final Rule takes effect March 26, 2013, and covered entities and business associates must comply with the applicable requirements by September 23, 2013. So, what’s new for business associates?
- Direct Application – HIPAA’s Privacy and Security rules now directly apply to business associates, which includes subjecting both covered entities and business associates to HHS-OCR compliance reviews. Prior to HITECH, a business associate’s obligations were strictly a matter of contract between the business associate and the covered entity.
Business associates will be required to comply with the physical, administrative, and technical safeguards and related documentation requirements of the HIPAA Security Rule. This means performing a HIPAA security risk analysis, implementing HIPAA security policies, and training workforce members – mere compliance with the provisions of an existing business associate contract is no longer sufficient.
- Broader Definition - The definition of “business associate” has been expanded to include:
- a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information (“PHI”) to a covered entity that requires access to such PHI on a routine basis;
- a person that offers a personal health record to one or more individuals of a covered entity; and
- a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.
The expanded definition of business associate is specifically designed to include entities that provide data storage and transmission of PHI, and personal health record vendors acting for covered entities. In the comments to the Final Rule, HHS-OCR made clear that a data storage vendor that maintains PHI, such as a cloud services provider, is a business associate even if the vendor never actually views or accesses the data. HHS-OCR further clarified that the “conduit exception” is a very narrow one intended to exclude only those entities providing mere courier services that do not require access to PHI on a routine basis, such as the U.S. Postal Service or United Parcel Service. The conduit exception extends to the electronic transmission of data through an entity, such as an internet service provider, performing mere data transmission services.
- Subcontractor Compliance - Subcontractors of business associates will automatically become business associates themselves, and business associates will be required to obtain “satisfactory assurances” that the subcontractors will appropriately safeguard PHI.
A business associate who uses subcontractors to create, receive, maintain, or transmit PHI on its behalf must have a written business associate agreement (“BAA”) with each subcontractor, thereby creating a continuous “chain of trust” for PHI. The subcontractors will be directly liable under HIPAA, and business associates must take reasonable steps to cure any breach, or terminate the contract, if a subcontractor materially breaches its BAA.
- Mandatory Updates to BAAs – Covered entities and business associates must amend existing BAAs, and in some cases, execute new agreements to comply with the Final Rule. BAAs must address each of the following:
- reporting breaches of unsecured PHI to covered entities;
- mandatory compliance with HIPAA Privacy and Security obligations; and
- a detailed description of permitted uses and disclosures of PHI.
BAAs must be modified to conform to HITECH’s additional requirements. Under the revised BAAs, business associates must report breaches of unsecured PHI to covered entities and comply with all requisite Privacy and Security Rule requirements. Because a business associate may only use or disclose PHI as provided in its business associate agreement, or as required by law, care should be taken to specifically describe the scope of those permissible uses and disclosures. Otherwise, any use or disclosure not specifically included in the agreement potentially exposes the business associate to a HIPAA violation. It is likewise noteworthy that a subcontractor’s permitted uses and disclosures may not be broader than those of the business associate from which the subcontractor receives the PHI.
Another important part of complying with the Privacy and Security Rules is the application of the “minimum necessary” standard when using or disclosing PHI or requesting PHI from a covered entity or business associate. A business associate’s or subcontractor’s application of the minimum necessary standard will vary based on the circumstances and the context of the governing BAA. HHS-OCR will issue further guidance on the application of the minimum necessary standard to address questions raised by commenters to the Final Rule.
Acknowledging the potential costs and burdens associated with revising existing agreements, HHS-OCR provides an additional one-year transition period for amending existing BAAs, until September 22, 2014, if the parties otherwise had an agreement in place prior to January 25, 2013 which complied with the previous rule. If no such compliant business associate agreement was in place on that date, or if the parties renew or modify such an agreement after March 26, 2013 (the Final Rule’s effective date), then an updated business associate agreement fully compliant with the Final Rule needs to be executed.
- Increased Penalties - Business associates may be liable for increased penalties for noncompliance with the Privacy Rule, up to a maximum penalty of $1.5 million per calendar year for violations of an identical provision, with the amount depending upon the following factors:
- the number of individuals affected;
- the time period during which the violation occurred;
- the financial harm to affected individuals;
- the harm to affected individuals’ reputations; and
- the harm to an individual’s ability to obtain health care.
The increased penalties imposed under the Final Rule highlight the importance of compliance with the changes described above. Although a business associate is not liable for compliance with the entire Privacy Rule, it will be directly liable for the following:
- uses and disclosures of PHI that are not in accordance with its BAA or the Privacy Rule;
- failure to disclose PHI to HHS-OCR for compliance purposes;
- failure to disclose PHI to an individual, or the individual’s designee, where required for the covered entity to comply with its obligation to provide electronic access to PHI;
- failure to comply with the minimum necessary standard; and
- failure to enter BAAs with subcontractors.
Contact the Jackson Kelly Health Law Group with any questions specific to how these changes impact you. Stay tuned for our next installments of “The Final HIPAA/HITECH Rule – Breaking It Down.”