By Kristen A. Larremore with Bradley Arant Boult Cummings LLP
The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services published its final privacy and security regulations under the Health Insurance Portability and Accountability Act (“HIPAA”) on January 25, 2013 (the “Final Rule”). The Final Rule implements the Health Information Technology for Economic and Clinical Health Act (“HITECH”) under HIPAA. The Final Rule becomes effective March 26, 2013, and, in general, covered entities and business associates are required to comply by September 23, 2013. Previously, business associates were generally not directly governed by the Privacy or Security Rules under HIPAA, but that is no longer the case.
“Covered entities” are defined by HIPAA as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons. The definition of “business associate” has been modified by the Final Rule and is discussed below.
What does this mean for you?
Compliance with the Final Rule will require significant effort on the part of covered entities and business associates (including subcontractors of traditional business associates). It will be necessary for these entities to: revise policies and procedures; train workforces regarding new requirements (in particular, breach reporting requirements); update business associate agreements, notices of privacy practices, marketing authorizations and other forms; and maintain documentation to demonstrate compliance with the Final Rule.
Some of the most significant changes under the Final Rule are those affecting business associates. The Final Rule expands the definition of a “business associate” to cover certain organizations, some of which have only indirect relationships with the health care industry and may have little awareness of their compliance obligations. The definition now includes health information organizations, personal health record vendors, patient safety organizations, and e-prescribing gateways (or others providing data transmission services with respect to protected health information (“PHI”) to a covered entity that requires routine access to the PHI). Additionally, and significantly, the Final Rule expands the definition of “business associate” to include subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate. A “subcontractor” means a person to whom a business associate delegates a function, activity or service (other than in the capacity of a member of the workforce of such business associate) that the business associate has agreed to perform on behalf of the covered entity. Under the Final Rule, the business associate designation follows subcontractors down the chain of the information flow. As a result, if a subcontractor delegates a function to a third party, that third party is now also a business associate to the subcontractor under HIPAA and subject to direct compliance obligations under the Final Rule in the same manner as any other business associate.
The expansion of the definition of a “business associate” is significant because, under the Final Rule, business associates are directly liable for:
1. uses and disclosures of PHI not permitted under HIPAA;
2. a failure to provide breach notification to the covered entity;
3. a failure to provide access to a copy of electronic PHI to the covered entity, the individual, or the individual’s designee (as specified in the business associate agreement);
4. a failure to disclose PHI to the Secretary of Health and Human Services to investigate or determine the business associate’s compliance with the HIPAA Rules;
5. a failure to provide an accounting of disclosures; and
6. a failure to comply with the HIPAA Security Rule.
Additionally, business associates remain contractually liable for other provisions of business associate agreements and, accordingly, careful negotiation of business associate agreements is necessary.
Covered entities should inventory their existing business associates and business associate agreements, and business associates should begin to assemble lists of their direct subcontractors with whom they may be required to enter into a business associate agreement under the Final Rule. A transition rule under the Final Rule permits covered entities and business associates to continue operation under certain existing business associate agreements for up to one year beyond the compliance date of September 23, 2013. An existing business associate agreement will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. The transition rule applies only to language in existing business associate agreements; the parties must operate as otherwise required under the Final Rule in accordance with the applicable compliance dates.