Part II – Due Diligence – Business Associates and Subcontractors
Published in Federal Register on January 25, 2013
Becomes effective on March 26, 2013.
Compliance will be required by September 23, 2013.
This is the second of a four-part series offering a glimpse at some of the deep changes that will be required under the “Omnibus HIPAA Rulemaking” issued earlier this year. As noted in Part I, “Developing a To Do List”, Bond’s Health and Long Term Care Practice Team is devoting a significant level of due diligence to reviewing organizations’ policies and procedures for compliance with these new rules.
This second part focuses on review of Business Associate (“BA”) addenda and subcontractors of BAs. The new rules now mandate that certain subcontractors of a Covered Entity’s vendors or agents be held to the same standards as Business Associates. This will be one of the most significant aspects of compliance under the new Omnibus rules. This Bond Guidance focuses on the type of due diligence needed in beginning to assess compliance under the new rules.
1. Transitional Period for Compliance
The new Rule gives covered entities and business associates until the compliance date of September 23, 2013 (180 days after the effective date) to modify existing contracts, or enter into new contracts, that comply with the Rule. Importantly, for contracts in place as of the publication of the Rule, additional time is allowed. For Business Associate contracts in effect prior to the publication date of the modified Rules (January 25, 2013) that complied with the prior provisions of the HIPAA Rules, there is an additional one-year transitional period to ensure proper contracts are in place, so long as the arrangement was not renewed or modified between the effective date (March 26, 2013) and the compliance date (September 23, 2013).
This aspect of the regulation is intended to allow the business associate or subcontractor to continue to act under the existing contract for up to one year beyond the compliance date (that is, until the earlier of the date the contract is renewed or modified on or after September 23, 2013, or September 22, 2014), regardless of whether the contract meets the contract requirements in the modifications to the Rules. Importantly, however, this transition does not allow the parties to violate any of the substantive provisions of the Omnibus Rule, which go into effect on the compliance date regardless of the form of the contracts in place.
Similarly, with respect to business associates and their subcontractors, the Rules grandfather existing written agreements between business associates and subcontractors entered into pursuant to § 164.504(e)(2)(ii)(D) (which requires the business associate to ensure that its agents with access to protected health information agree to the same restrictions and conditions that apply to the business associate).
2. Identifying Business Associates
New paragraphs (3) and (4) have been added to the definition of “business associate” at § 160.103, setting out the entities that are “Business Associates” and those that are not:
“Business Associates” includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the Business Associate.
(iv) Any entity, other than in the capacity of a member of the workforce of such covered entity, that performs, or assists in the performance of:
(a) a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or any other function or activity regulated by this subchapter; or
(b) legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
Critically, the new Rules extend direct liability for violations of the HIPAA privacy and security standards to “Subcontractors” of a covered entity’s Business Associates. The Rule defines a “Subcontractor” as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.” This means that any downstream contractor of a covered entity that creates, receives, maintains, or transmits protected health information could be subject to penalties and liability under the enforcement provisions of the Rule (to be discussed in Part IV of this series).
It is important to note that the new Rules do NOT require covered entities to enter into any direct contract or other arrangement with Subcontractors of their Business Associates. Instead, covered entities must obtain appropriate assurances from their Business Associates that all of their Subcontractors will comply with the new Rules. Subcontractors must in turn obtain the same assurances from those they engage, “no matter how far ‘down the chain’ the information flows.” (78 FR at 5574.)
Who is not a “Business Associate”? For the first time, the Rules clearly set forth situations that do not require Business Associate compliance, namely:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity of the kind described in paragraph (iv) of the inclusions above for or on behalf of such organized health care arrangement, or that provides a service of the kind described there to or for such organized health care arrangement, by virtue of such activities or services.
The Rules also make minor but important changes to how covered entities must treat their own components and affiliates that perform Business Associate functions. For “Hybrid Entities”, the new Rule requires that any component of the entity which performs Business Associate functions be included within the entity’s designated “health care component”. As a result, for an entity that is both a hospital and a university, any Business Associate function performed by a component outside the health care component (e.g., the university’s legal office) is now subject to direct compliance as if that component were part of the hospital’s health care component.
3. Establishing a Checklist for Due Diligence in Compliance
The following table outlines a sample form of due diligence and checklist which may be developed to start the process of compliance. Note that this is not a comprehensive checklist and is only designed to be a starting point.
The sample due diligence table is provided via the link in the original publication.
The next Bond Guidance will focus on the new HITECH provisions involving breach notification for unauthorized disclosures of protected health information by covered entities, business associates and their subcontractors.