The Department of Health and Human Services recently published proposed regulations for the implementation of statutory changes made to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as provided by the Health Information Technology for Economic and Clinical Health Act (HITECH). This proposed rule is the latest piece of guidance regarding the regulation of protected health information and how it is to be safeguarded by covered entities and business associates.
To understand the new guidance, it is necessary to have some background on HIPAA and the more recent changes made to HIPAA by the HITECH Act. The privacy and security provisions of HIPAA regulate individually identifiable health information that is created or received by or on behalf of covered entities. This sensitive information is referred to as protected health information (PHI). HIPAA defines a “covered entity” as a health plan, health care provider, or health care clearing house. A “business associate” is defined as an entity, other than an employee, that performs a function or activity involving the use or disclosure of PHI on behalf of a covered entity. These functions or activities include financial, legal, actuarial, accounting, and consulting services. To protect PHI, a covered entity and business associate are required to enter into a contract, or a business associate agreement, that provides assurances that the business associate will safeguard the confidentiality of the covered entity’s PHI.
In 2009, the HITECH Act was signed into law as part of the American Recovery and Reinvestment Act. Among other changes to HIPAA’s privacy and security provisions, HITECH expanded the scope of HIPAA by applying most of the privacy and security standards directly to business associates. Previously, these provisions of HIPAA only applied indirectly to business associates through a business associate agreement entered into with a covered entity.
One important aspect of the new proposed regulations is that they address the duties and responsibilities regarding a business associate’s use of subcontractors. Under the new regulations, the definition of “business associate” has been expanded to include subcontractors who provide services to business associates. This in effect creates a new category of business associates that previously were unconcerned with complying with HIPAA requirements. In addition, the new regulations make it clear that it is the business associate’s (not the covered entity’s) responsibility to enter into a business associate agreement with each of its subcontractors to obtain assurances from the subcontractors that they will adequately protect the security of the covered entity’s PHI. In the event that a subcontractor discovers a breach of unprotected PHI, the subcontractor will be required to notify the business associate, who in turn will be required to notify the covered entity.
Since February 2009, when HITECH was enacted, it has been unclear whether all business associate contracts would need to be revised as a result of the HITECH changes, or whether they would be deemed updated by operation of law. By providing covered entities and business associates with an extended period of time in which to revise agreements, these new regulations implicitly answer this question: these contracts must ultimately be renegotiated and re-executed. While the new regulations will generally provide covered entities and business associates with 180 days (six months) beyond the effective date of the final rule to comply with the majority of the new provisions (the “compliance date”), they permit covered entities and business associates to operate under their existing agreements for one year beyond this compliance date. In other words, after the effective date of the final rules, parties will have 18 months in which to revise existing business associate agreements, assuming the agreements existed prior to the publication date of the modified rules.
Sponsors of health plans should use this opportunity to inventory the outside relationships associated with their health plans to identify existing business associate relationships and confirm that an adequate business associate agreement is in place. Although amendments to existing business associate agreements (as well as notices of privacy practices and privacy and security policies) will likely be required, plan sponsors may wish to wait for the proposed regulations to be finalized before making any changes to existing agreements.
While this article only highlights certain provisions of this proposed regulation, additional information can be found by reading one of our client alerts: Proposed Modifications to HIPAA’s Privacy, Security, and Enforcement Rules.