Big Changes for Business Associates
On Thursday, January 17, 2013, the Department of Health and Human Services (HHS) released its Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, making significant modifications to the Act’s Privacy, Security, Enforcement, and Breach Notification Rules. Troutman Sanders has analyzed these changes to HIPAA and is providing a series of summaries to help our clients understand how these changes will affect them and what they need to do to comply.
This is our fourth e-alert in the series, which will address issues impacting business associates. For other e-alerts published by Troutman Sanders on the HIPAA Omnibus Rule, click here.
The HIPAA Omnibus Rule makes significant changes to both the definition of who qualifies as a business associate and the requirements of business associate agreements. Covered entities routinely hand out business associate agreements to their “business associates,” and their “business associates” routinely sign them, often without giving them a second thought. Going forward, covered entities will have more “business associates” and those business associates will face new obligations to ensure that they are compliant with the Security Rule and some aspects of the Privacy Rule. Almost all covered entities and business associates will need to revise their business associate agreements to incorporate the new requirements of the HIPAA Omnibus Rule.
More Business Associates than Ever Before
The term “business associate” has always covered a fairly significant number of a covered entity’s vendors. The HIPAA Omnibus Rule expands the coverage even further to encompass not only those vendors that “create, receive or transmit PHI on behalf of a covered entity,” but also those that “maintain” PHI on behalf of a covered entity. The Rule also lists, by name, the following types of vendors, which are now considered “business associates”:
- Patient Safety Organizations, where they receive PHI in order to analyze patient safety event data;
- Health Information Organizations, E-Prescribing Gateways, or other data transmission services, where “routine access” to PHI is required; and
- A person offering a Personal Health Record (PHR) to individuals on behalf of a covered entity, such as when a vendor is hired by a covered entity to provide a PHR to its patients or enrollees.
Perhaps most importantly, the HIPAA Omnibus Rule makes a business associate’s subcontractor a “business associate.” Prior to the Rule, a business associate was responsible for getting “reasonable assurances” from its subcontractors that the subcontractors would comply with the provisions of the applicable business associate agreement. After the Rule, a business associate must enter into a business associate agreement with each of its subcontractors. Because the subcontractor is a “business associate,” the subcontractor must also comply with the Security Rule and some provisions of the Privacy Rule, including entering into a business associate agreement with each of its subcontractors.
Importantly, the Final Rule reaffirms that regardless of whether a business associate agreement exists, one is deemed to be a business associate from the moment that person or entity creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate.
Covered entities should review their current list of business associates and determine if more need to be included. However, the greater impact will be on those whose business makes them business associates to covered entities and those subcontractors that have not previously implemented their own HIPAA compliance programs.
Business Associates Must Comply with All Aspects of the Security Rule
The Health Information Technology for Economic and Clinical Health (HITECH) Act made business associates civilly and criminally liable for violations of several Security Rule provisions. Consistent with the HITECH Act, the HIPAA Omnibus Rule expands the scope of the Security Rule to apply not only to covered entities but also to business associates. In practice, this means that business associates must have HIPAA compliance policies and procedures in place to address the Security Rule’s administrative, physical, and technical safeguards for handling electronic PHI.
Although business associates have been on notice of these changes since the passage of the HITECH Act and subsequently the proposed rule, this short provision in the HIPAA Omnibus Rule gives HHS the clear authority to enforce these duties against noncompliant business associates. It is important that all business associates evaluate the requirements of the Security Rule and ensure that they are compliant.
Business Associates Must Comply with Some Provisions of the Privacy Rule
The HIPAA Omnibus Rule clarifies that business associates can only use and disclose PHI as permitted by the Privacy Rule and its business associate agreements. Business associates are also required to comply with various provisions of the Privacy Rule, including those requiring disclosure to the Secretary as part of a compliance investigation, disclosure to the covered entity or individual upon request, and the Minimum Necessary Standard. Business associates will need to review their policies and procedures to identify any changes that need to be made in response to these requirements.
Business Associate Liability
The HIPAA Omnibus Rule increases the consequences of non-compliance for all business associates. They always have been liable to the covered entities that they serve for failure to comply with the terms of their business associate agreements. Now, business associates are also directly liable to HHS for failure to comply with the following HIPAA rules:
- Making only permissible uses and disclosures;
- Providing breach notification to a covered entity;
- Providing access to copies of electronically held PHI to a covered entity or the individual upon request;
- Disclosing PHI to the Secretary for investigation into the business associate’s HIPAA compliance;
- Providing an accounting of disclosures;
- Complying with the Security Rule requirements;
- Making “reasonable efforts” to adhere to the Minimum Necessary Standard; and
- Entering into business associate agreements with subcontractors that receive PHI.
Business Associate Agreements
With the passage of the HITECH Act and the HIPAA Omnibus Rule, many questioned whether business associate agreements are still necessary. HHS answered in the affirmative – business associate agreements are still needed and may be more important than ever.
The HIPAA Omnibus Rule imposes many important compliance obligations on business associates, but there are a number of areas that the Rule intentionally does not cover and leaves to the parties to address. For example, the Rule still leaves it to the covered entity to define the business associate’s scope of permitted uses and disclosures. The Rule also relies upon the parties to determine where the responsibility should lie with respect to providing access to PHI in response to an individual’s request for his or her own PHI. While these are typically standardized provisions in a covered entity’s template business associate agreement, now is a good time for covered entities to revisit these provisions and ensure that they correctly allocate responsibilities.
It is also a good time for covered entities to review their business associate agreements to remove provisions that are no longer required. For instance, it is no longer necessary for a covered entity to report to the Secretary when there has been an incurable breach of the business associate agreement and termination of the agreement is not feasible. Many covered entities incorporated this requirement into their template agreements and can now remove it so that they are not imposing on themselves an unnecessary contractual requirement.
All of the requirements for a business associate agreement apply equally to business associate-subcontractor agreements as they do to agreements between covered entities and business associates. As a result, business associates will need to develop their own business associate agreements to use with their subcontractors.
Generally, compliance with the HIPAA Omnibus Rule is required by September 23, 2013. However, if a covered entity (1) had a compliant business associate agreement in place on January 25, 2013, and (2) did not modify the agreement between March 26, 2013 and September 23, 2013, then the covered entity has until the earlier of September 23, 2014, or when the agreement renews, to modify the business associate agreement to be compliant with the HIPAA Omnibus Rule.
Breach Notification
The HIPAA Omnibus Rule made some major changes to the current Breach Notification Rule, and most of these changes have a direct effect on business associates’ duties in documenting and notifying others of a breach. For information on the changes to the Breach Notification Rule in the HIPAA Omnibus Rule, see Breach Notification Changes—What You Need to Know, published on February 6, 2013.
Expanded Enforcement to Business Associates
The HIPAA Omnibus Rule implements the HITECH Act’s mandate that the Enforcement Rule of HIPAA apply to business associates. This means that business associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules. For more information on how the modifications to the Enforcement Rule will impact covered entities and business associates, please watch for our upcoming e-alert.
The HIPAA Omnibus Rule makes extensive changes and clarifications to the HIPAA Rules regarding business associates. With the increased liabilities and responsibilities, covered entities, business associates, and those who work with business associates will want to make sure they understand and comply with all of the new legal requirements. For covered entities, this will mean updating their business associate agreements. For business associates, this will mean putting new business associate agreements into place, updating existing business associate agreements, and implementing HIPAA Privacy and Security compliance policies and procedures.
If you have any questions regarding the provisions of the Rule related to business associates or any other part of the HIPAA Omnibus Rule, please do not hesitate to contact the Health Care Practice Group.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.