On January 17, 2013, the federal Department of Health and Human Services (HHS) announced a final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the HITECH Act of 2009. The 2013 amendments, which are effective on March 26, 2013, supplement and modify the HIPAA Privacy, Security, Breach Reporting, and Enforcement Rules. Among the most significant changes in the 2013 amendments are the provisions that extend the Privacy and Security Rule's stringent compliance obligations to business associates (BA) and expand the definition of BAs to include subcontractors of BAs. Why the changes? The HITECH Act of 2009 specifically extends direct liability to BAs and expands the list of obligations for BAs. HHS extends BA obligations even further to ensure the privacy and security of all PHI throughout the HIPAA ecosystem.
Under the existing HIPAA Rules, a BA is a subcontractor of a HIPAA-covered entity (CE)—including a provider as defined by HIPAA, a health plan or a healthcare clearinghouse—that performs HIPAA-defined administrative and operational functions on behalf of the CE involving protected health information (PHI). Importantly, the definition of a BA now includes the BA's subcontractor (for purposes of this Alert, a BA Subcontractor) and the subcontractor of the subcontractor, i.e., all of the downstream entities that receive, access, maintain and/or disclose PHI. BA Subcontractors must ensure compliance with the 2013 amendments by September 23, 2013, including entering into Business Associate Agreements (BAAs), with some exceptions for entities with agreements in effect as of January 25, 2013, that comply with principal sections of the Security and Privacy Rule.
Here is a summary of the key provisions under the 2013 amendments:
Definition of BA: The 2013 amendments modify the definition of a BA to explicitly designate the following persons and entities as BAs:
- A subcontractor of the BA that handles PHI. A BA Subcontractor is any person or entity to whom a BA delegates a function, activity or service that involves PHI, whether or not there is a written agreement prior to the 2013 amendments. In practice, all downstream vendors of a CE that handle PHI must now comply with HIPAA's BA obligations. It is important to note that narrow exceptions to this provision of the Rule could apply; however, whether any potential exception applies will have to be determined on a case-by-case basis.
- A Health Information Organization (HIO), an E-Prescribing Gateway, other persons and entities that facilitate data transmission (Data Transmission BAs) and provide personal health records (Personal Health Record BAs). There is a narrow exception to the definition of a Data Transmission BA for those entities that do not require access to PHI "on a routine basis," i.e., those that provide "mere courier services," such as an Internet service provider or an entity that provides temporary storage of transmitted data. In effect, most entities that transmit or store electronic PHI (ePHI) on behalf of a CE or a BA are now BAs.
- Certain entities are not affected by the modifications to the definition of a BA under the 2013 amendments. The definition of a BA still excludes those entities that disclose PHI for treatment purposes and to plan sponsors in limited circumstances. Also, there is no change in the definition of a CE. Accordingly, an entity that is specifically not a CE per HIPAA (e.g., an employer that is not a HIPAA-covered provider, plan or clearinghouse, or a non-HIPAA-covered provider that does not conduct electronic transactions per HIPAA) does not have to comply with the HIPAA provisions regarding Business Associate Agreements (BAA) (although contracts with vendors that handle personal data may be required under other applicable law, such as the federal substance abuse provisions, or as a matter of good business practice).
If you are a CE or a BA (under the pre-2013 amendments), identify all entities that constitute BAs, including BA Subcontractors.
- The Business Associate Agreement (BAA) Requirement: Up until the 2013 amendments, a CE was required to obtain from a BA "satisfactory assurances" through "documentation" that it was appropriately safeguarding PHI. This meant that CEs were required to enter into BAAs with all BAs. With the expansion of the definition of a BA under the 2013 amendments, there must also be a BAA between BAs and BA Subcontractors. Thus, in addition to the BAA between the CE and its BA, the BA must enter into a BAA with any BA Subcontractor. Furthermore, the BA Subcontractor must enter into a BAA with its subcontractor. 45 CFR § 164.502(e). Note: The CE does not have to enter into a BAA with a BA Subcontractor.
You may want to ensure that BAAs are in effect with the entities identified as BAs under the 2013 amendments.
BA (Including BA Subcontractor) Obligations: The HITECH Act imposes direct liability on BAs (including BA Subcontractors) for a specific set of obligations under HIPAA's Privacy, Security and Breach Reporting Rules. The BA has to also comply with the contractual obligations imposed under a BAA. Specifically, the BA is required to:
- Comply with all of the Security Rule's administrative, physical and technical safeguards, as well as the Security Rule's BAA requirements in the same manner as those requirements apply to CEs;
- Comply with any request by the Secretary of HHS for PHI, policies, procedures and other information related to compliance;
- Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request;
- Enter into BAs with all BAA Subcontractors that handle PHI;
- Comply with all notification requirements under the Data Breach Rule;
- If the BA (or the BA Subcontractor) assists the CE in maintaining an electronic health record (EHR), support the CE in providing, upon request of the individual, an accounting of disclosures of PHI in the EHR within the prior three years, as well as an electronic copy of PHI that is part of an EHR;
- Comply with all of the contractual Privacy Rule obligations that are included in their BAAs (e.g., amendment of PHI, terminations).
In sum, BAs (including BA Subcontractors) are required to comply with all applicable HIPAA/HITECH obligations, including those imposed directly under law and those imposed contractually under BAAs. You may want to ensure that your BAAs reflect the obligations imposed on BAs under the 2013 amendments. If you are a BA, you should ensure that you are in compliance with the obligations under the 2013 amendments and have good security and privacy policies in place.
- Other Vendors That Handle Sensitive Personal Data: As explained by HHS, HIPAA is a floor, not a ceiling. In other words, other federal and state laws impose requirements in addition to HIPAA. For instance, the federal Drug and Alcohol Confidentiality Law requires that covered providers enter into Qualified Service Organization Agreements, which impose obligations on vendors that are stiffer than those imposed on BAs. State laws, such as the recently enacted Texas Medical Records Privacy Act, may have broader application than the terms than of HIPAA, as revised. Finally, state data breach reporting laws generally apply to entities that fit the description of BAs under HIPAA and impose specific requirements on these entities. BAs are still required to comply with more stringent federal and state laws that impose requirements in addition to the HIPAA requirements.
If you are subject to federal or state privacy and security laws in addition to HIPAA, you may want to ensure that you and your subcontractors comply with these other laws, which may be more stringent than those that apply under HIPAA.
Time Frames: The 2013 amendments become effective on March 26, 2013, and the time frames on CE and BA compliance with the new BA rules are firm. By September 23, 2013, CEs and BAs (including BA Subcontractors) have to meet all obligations imposed on them under the 2013 amendments—including entering into BAAs—except if prior to January 25, 2013, a CE or BA with respect to a subcontractor has entered into and is operating pursuant to a BAA or other written agreement that imposes the same obligations as those imposed under the HIPAA Security and Privacy Rules, and the agreement is not renewed prior to September 23, 2013, then the parties are deemed compliant under the earlier of September 23, 2013, or September 24, 2014. Generally, CEs and BAs have six months to comply with the 2013 amendments, with certain exceptions for parties that have preexisting agreements that satisfy the HIPAA Security and Privacy Rules. It is important to note that compliance is broader than simply entering into a BAA. BAs need to implement appropriate security and privacy policies and provide training, in addition to other obligations.
You should considering reviewing your BAAs and your HIPAA programs promptly to ensure compliance by September 23, 2013 (with the exception of certain CEs and BAs with agreements in effect as of January 25, 2013).
- The Scope of Penalties for HIPAA Violations by CEs and BAs: Failure to comply with the HIPAA Rules as amended by the 2013 amendments can result in significant penalties for CEs and BAs, based on increasing levels of culpability and a consideration of when the violation was corrected. A CE with respect to its BA, or a BA with respect to its BA Subcontractor, is liable for the actions of the BA or BA Subcontractor, respectively, to the extent that the BA or BA Subcontractor is acting as an "agent" under the federal common law of agency. According to HHS, agency exists when, depending on the facts, the CE or BA has the right to control the actions of the BA or BA Subcontractor, respectively, in the course of providing services on behalf of the CE or BA. Penalties for willful neglect and failure to correct in 30 days from the date that the CE or BA knew of or should have known about the violation run as high as $50,000 per violation, with a maximum of $1.5 million in a calendar year. Penalties even apply to violations where it is established that the CE or BA did not know about, and by exercising reasonable diligence would not have known about, the violation—a strict liability provision. The new penalties for BAs for noncompliance are steep, even draconian, to ensure the privacy and security of PHI.
It may be worthwhile to know the penalties for HIPAA violations and how they apply to you, including where you may be liable for the actions of a downstream vendor acting as your agent. Understanding the penalties reinforces the need for the immediate implementation of a compliant HIPAA program, including BAAs.