This third part of the series focuses on the HIPAA Final Rule's impact on Business Associates and those doing business with Business Associates. The Final Rule largely conforms to the Proposed Rule issued July 14, 2010 as it expands the definition of Business Associate and modifies certain HIPAA Security and Privacy Rules to hold Business Associates directly liable for violations previously only applicable to Covered Entities. The Final Rule also provides important dates for compliance and insight into how Business Associate Agreements should be modified to comply with the Final Rule.
Expanded Definition of Business Associate
Like the Proposed Rule, the Final Rule expands the definition of Business Associate to include subcontractors of Business Associates that use or disclose PHI on behalf of Business Associates. Thus, a subcontractor that takes on part of a Business Associate's responsibilities involving the use or disclosure of PHI is subject to HIPAA provisions governing Business Associates now as well.
The regulations provide that it is the responsibility of the Business Associate, not the Covered Entity, to obtain assurances that a subcontractor will comply with the applicable HIPAA provisions. Accordingly, a Business Associate that retains a subcontractor that is also considered a Business Associate under the Final Rule must enter into a Business Associate Agreement with the subcontractor. The requirement to enter Business Associate Agreements with subcontractors continues down the line so long as PHI is used or disclosed by the respective subcontractor. This extension is designed to prevent potential lapses in PHI protections where a subcontractor has no direct relationship with a Covered Entity.
Other entities falling into the Final Rule's definition of Business Associate include patient safety organizations (PSOs), health information organizations, e-prescribing gateways, persons that facilitate data transmission on a routine basis, and vendors of personal health records. The Final Rule also clarifies that persons or entities that maintain PHI on behalf of Covered Entities are Business Associates, opposed to mere conduits, even where the PHI is not actually viewed or accessed by the entity. Like the inclusion of subcontractors within the definition of Business Associate, this definition change is significant as it extends liability and increases the need for parties to enter into Business Associate Agreements.
Increased Business Associate Liability
As required by the HITECH Act, the Final Rule applies the Security Rule as well as the majority of the Privacy Rule to Business Associates in the same way the Rules apply to Covered Entities. As a result, many companies previously not regulated by HIPAA will come under the U.S. Department of Health and Human Services' enforcement authority and face direct liability for uses and disclosures of PHI not in accord with their Business Associate Agreements or the Privacy Rule.
Of course, these changes have many important implications for Business Associates. For example, Business Associates must make reasonable efforts to limit PHI to the minimum necessary when using, disclosing, or requesting PHI. Business Associates must also provide an accounting of PHI disclosures, notify a Covered Entity of an unsecured breach of PHI, and enter agreements with subcontractors as required by the Rules. A Business Associate is directly liable for failing to take these steps.
Notably, a Business Associate is also directly liable for failing to disclose PHI when required by the Secretary to aid in the Secretary's investigation of the Business Associate's compliance with HIPAA Rules. Under the Final Rule, individuals may now file complaints to the Secretary alleging a Business Associate's violation of HIPAA's administrative simplification provisions. The Business Associate is required to cooperate with the Secretary in its investigation of such complaints. Furthermore, Business Associates must have in place policies and procedures to handle privacy complaints in addition to procedures to notify a Covered Entity as to a breach of PHI.
Finally, a Business Associate must develop appropriate policies and procedures to satisfy a Covered Entity's obligation to provide an individual with an electronic copy of his or her health information. A Covered Entity's obligation to provide electronic PHI to individuals is a new requirement which will likely require special consideration and careful planning when developing a Business Associate Agreement outlining each entity's responsibilities.
Both Covered Entities and Business Associates should also note changes under the Privacy Rule concerning decedent health information. While there was previously no limit on the length of time decedent PHI needed to be protected, the Final Rule provides that decedent PHI must be protected for 50 years after the decedent's death. However, under the Final Rule, Covered Entities may disclose PHI to individuals close to a decedent unless the Covered Entity knows this disclosure is against the decedent's wishes.
Business Associate Agreements
Given the time and effort required to revise Business Associate Agreements, the Final Rule provides a transition period for some entities with agreements already in place that were HIPAA compliant before issuance of the Final Rule. Entities entering into and operating under such Business Associate Agreements before January 25, 2013 are deemed to comply with the Final Rule for up to 12 months after the compliance date of the Final Rule, unless the agreement is modified or renewed between March 26, 2013 and September 23, 2013. This limited deemed compliance period ends the earlier of September 22, 2014 or the date the agreement is modified or renewed on or after September 23, 2013. Contracts not in effect before January 25, 2015, however, must be amended to comply with the Final Rule by September 23, 2013. See 45 C.F.R. § 164.532.
As mentioned above, the Final Rule mandates Business Associate Agreements be formed with subcontractors as well as with other entities falling into the new definition of Business Associate as parties to an agreement. These agreements should provide that the Business Associate will comply with the applicable Privacy and Security Rule provisions and ensure that subcontractors agree to comply with the restrictions applicable to Business Associates.
In drafting Business Associate Agreements, Covered Entities and Business Associates should also be aware that the Final Rule limits the defenses to violations available. Previously, a Covered Entity was not vicariously liable for acts of its Business Associates that were agents of the Covered Entity if a valid Business Associate Agreement was in place. Under the Final Rule, this exception is removed, and a parallel provision added that holds Business Associates liable for the acts of its agents, including workforce members and subcontractors, acting within the scope of the agency. The Preamble of the Final Rule provides that Business Associates and Covered Entities may be held liable for the acts of their agents when delegating HIPAA obligations to another party or when preserving authority to provide interim instructions over certain tasks. Accordingly, careful consideration must be given to how Covered Entities and Business Associates delegate HIPAA obligations in light of increased exposure to liability.
The Enforcement Provisions of the HITECH Act garnished much attention because they increased the civil penalties that may be imposed and made Business Associates directly liable for non-compliance. The following table shows the penalties imposed by the HITECH Act for HIPAA violations implemented in the Interim Final Rule and retained in the Final Rule:
Click here to view table.
The fines listed above are for violations of a single HIPAA provision, not an entire incident; however, the total penalty that may be imposed under any one level may not exceed $1,500,000 during a calendar year.
Despite the increased penalties, the Final Rule mandates that the Secretary conduct a formal investigation of a complaint if the preliminary investigation indicates a possible violation due to willful neglect by a Covered Entity or Business Associate. Willful neglect amounts to "a conscious, intentional failure or reckless indifference" to comply with a particular HIPAA provision.
The provisions regarding enforcement were made effective under the HITECH Act on February 18, 2009. Although both the Interim Final Rule and the Final Rule allow for grace periods, grace periods do not apply to the Enforcement Provisions because no specifications or standards need to be implemented by the Covered Entity or Business Associate. Thus, Covered Entities and Business Associates are currently subject to the civil monetary penalty ranges retained by the Final Rule and outlined above for penalties occurring on or after February 18, 2009.
Given the increased penalties and the significant modifications to the Business Associate scheme, Covered Entities and Business Associates should carefully review, and develop as needed, their policies and practices in light of the Final Rule in order to ensure compliance.