On January 25, 2013, the Department of Health and Human Services (HHS) released a final rule (Final Rule) implementing numerous changes to the regulations under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act. Importantly, the Final Rule will have a significant impact on some companies that provide goods or services to health care providers.
Business Associates Must Comply with Privacy and Security Law
The Final Rule dramatically changes the game for Business Associates, significantly increasing their compliance burden and in some cases making them responsible for the misconduct of their subcontractors. So companies that assist health care providers need to carefully examine these relationships and determine, in consultation with counsel, whether they are in fact Business Associates under HIPAA. “Business Associates” are defined by HIPAA as entities that have access to, or transmit, protected health information (PHI) in the course of their arrangement with health care providers. This might include companies that provide data aggregation services or technical support services, such as software support or utilization review. Companies that provide management services to health care providers may also be Business Associates.
Under the Final Rule, Business Associates are required by law to comply with the HIPAA Privacy and Security Rules, meaning they now have additional compliance obligations under HIPAA. Moreover, while previously Business Associates were only subject to breach of contract claims by their health care clients for HIPAA and HITECH violations, Business Associates are now directly liable under HIPAA and HITECH and are thus subject to government enforcement actions. Business Associates only have until September 23, 2013 to comply with the Privacy and Security Rules. Developing the numerous and highly technical policies and protocols necessary for compliance will likely involve a substantial amount of detailed work. Business Associates will also need to take the time to train their staff on these new policies and procedures, since even the best policy, in and of itself, is not sufficient to ensure compliance.
Also by September 23, 2013, Business Associates must enter into HIPAA-compliant business associate agreements with each of their subcontractors who handle PHI on their behalf. For many Business Associates, this will be a considerable undertaking. Business Associates need to catalogue all of their subcontractors and determine whether they handle PHI. Then, with the help of counsel, they will need to update or create their form business associate agreement, which must be signed by each applicable subcontractor.
In some instances, Business Associates also may be held liable if their subcontractors improperly disclose PHI (this is called vicarious liability). So it is very important that Business Associates do due diligence on their subcontractors and satisfy themselves that the subcontractors have sufficient safeguards in place to comply with privacy and security laws.
Penalties and Enforcement
Monetary penalties for HIPAA and HITECH violations are severe. Civil monetary penalties range from $100 to $50,000 per violation with an annual cap of $1,500,000. HHS’s Office of Civil Rights (OCR), the office tasked with enforcement of HIPAA and HITECH, continues to rigorously enforce these laws, and even relatively small violations are not safe from scrutiny. Just this January, the OCR entered into a $50,000 settlement with a hospice provider in Idaho for a data breach of PHI that involved fewer than 500 individuals. This recent settlement proves that even small-scale breaches can put a company at significant risk of an investigation and enforcement action.