Some of the most significant changes that were made by the final HIPAA omnibus rule, published on January 25, 2013, in the Federal Register (the Final Rule) relate to the expanded definition of HIPAA Business Associate (BA) and newly imposed legal obligations on BAs. The Final Rule also included an expansion of the elements that are required to be included in Business Associate Agreements (BAAs). The purpose of this e-alert is to provide a comprehensive look at: (i) the expansion of, clarifications to, and explicit inclusion of certain entities in the definition of a BA; (ii) the direct liability that the Final Rule imposes on BAs for noncompliance; and (iii) the elements that the Final Rule requires be included in BAAs and the compliance dates related thereto.
I. Expansion of, Clarifications to, and Explicit Inclusions in the Definition of BA
The Final Rule included several additions and clarifications to the HIPAA definition of BA. Identifying persons and entities that meet the definition of BA is important because the Final Rule clarified that a person or entity becomes a BA by meeting the definition of a BA and by creating, receiving, maintaining, or transmitting protected health information on behalf of a Covered Entity, not by contracting with the Covered Entity and entering into a BAA. Moreover, the type of protected health information involved does not matter; if the information is tied to a Covered Entity, it is considered protected health information by definition (even if it is, for example, strictly limited to demographic information). Whether or not a person or entity is a BA is significant because, as will be further discussed below, BAs have direct liability under the Final Rule for not complying with certain HIPAA requirements.
A. HIOs, e-Prescribing Gateways, PHRs, and Entities that Maintain Protected Health Information
Pursuant to the Final Rule, the following types of entities are now considered BAs: (i) health information organizations, e-prescribing gateways, or other persons or entities that provide data transmission services with respect to protected health information to a Covered Entity and that require routine access to such protected health information; (ii) a person or entity that offers a personal health record (PHR) to one or more individuals on behalf of a Covered Entity; and (iii) persons or entities that maintain protected health information, even if the person or entity does not actually view the protected health information.
The Final Rule explained that when interpreting the term “routine access,” the often relied upon “conduit exception” will be construed very narrowly. Historically, entities that act as a temporary conduit for protected health information, such as the United States Postal Service, UPS, other courier services, and their electronic equivalents, such as internet service providers, have been excluded from the BA definition. While these entities will continue to be excluded from the definition of BA, those companies that maintain protected health information for a Covered Entity, but do not actually view the protected health information or only do so on a random or infrequent basis, such as a storage company or a cloud-computing company, will now meet the definition of a BA.
The Final Rule also clarified that not all vendors of PHRs are automatically considered BAs. Rather, the vendor of the PHR must offer the PHR on behalf of the Covered Entity health care provider or health plan. This means that some vendors of PHRs may wear two separate hats when it comes to complying with HIPAA – when the vendor provides the PHR on behalf of a Covered Entity, the vendor of the PHR is subject to the HIPAA requirements and the HIPAA Breach Notification Rule. However, when the vendor of the PHR does not offer its services on behalf of a Covered Entity, the vendor of the PHR is not subject to HIPAA; rather, it must comply with the breach notification requirements set forth by the Federal Trade Commission.
B. Subcontractors of BAs
The Final Rule expands the definition of BA to include subcontractors of a BA (i.e., those persons that perform functions for or provide services to a BA involving protected health information for purposes of the BA fulfilling its obligations to the Covered Entity with which it has contracted). As such, the definition creates a BA relationship chain which starts with the Covered Entity and a primary BA and flows down through subcontractor BAs, with each subcontractor BA having contractual obligations (in addition to the legal obligations of a BA) to the party immediately preceding such party in the BA relationship chain. Legal and contractual obligations of a BA are discussed in more detail below. The Final Rule clarified that disclosures of protected health information that a BA makes to a subcontractor for purposes of the BA’s own management and administration or to carry out the BA’s legal responsibilities do not create a BA subcontractor relationship.
C. Other Modifications and Clarifications
- Patient Safety Activities. The Final Rule adds patient safety activities to the list of functions and activities that a person or entity may undertake as a BA. Related to this change, the Final Rule also added “patient safety activities” to the HIPAA definition of “health care operations.” This modification makes it clear that entities that perform patient safety activities on behalf of a Covered Entity, such as Patient Safety Organizations, must have a BAA in place with the Covered Entity. Further, when a committee is formed by a Covered Entity to perform patient safety activities and the committee includes persons who are not workforce members of the Covered Entity, the Covered Entity should have BAAs in place with the nonworkforce members.
- Banking and Financial Institutions. The Final Rule explained that banking and financial institutions are not BAs with respect to payment processing activities (as identified in § 1179 of HIPAA) (e.g., activities that constitute authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums). However, where a bank or financial institution performs activities that go beyond the exempted payment processing activities, such as performing accounts receivable functions on behalf of a health care provider, the bank or financial institution will be considered a BA.
- Health Plan Products and Other Insurance. The Final Rule clarified that when a Covered Entity purchases a health plan product or other insurance (such as professional liability insurance) from an insurer, the insurer is not a BA of the Covered Entity merely for purposes of providing the insurance. However, if the insurer performs a function on behalf of the Covered Entity that involves protected health information (such as providing legal services for the Covered Entity), then the insurer becomes a BA of the Covered Entity.
- Hybrid Entities. Under the Final Rule, if an entity is a hybrid entity (i.e., it performs both HIPAA covered and non-covered functions) and the component of the hybrid entity performing non-covered functions provides BA functions for the division that performs covered functions, the component performing non-covered functions must be included as part of the covered division and is thus subject to, and directly liable for, HIPAA compliance.
II. BAs’ Direct Liability Under the Final Rule
Under the Final Rule, BAs are directly liable for:
- The impermissible use and disclosure of protected health information. A BA makes an impermissible use or disclosure of protected health information when the BA uses or discloses protected health information for any reason or purpose other than as is allowed by the BAA. Further, a BA is not making a permitted use or disclosure if it does not apply the minimum necessary standards, where appropriate.
- A failure to provide notifications of a breach to the Covered Entity. The details of the BA’s obligations to the Covered Entity related to breach notification are set forth in the BAA.
- A failure to provide access to a copy of electronic protected health information to either the Covered Entity, the individual, or the individual’s designee, as specified in the BAA.
- A failure to disclose protected health information where required by the Secretary of the United States Department of Health and Human Services (HHS) to investigate or determine the BA’s compliance with the HIPAA rules.
- A failure to provide an accounting of disclosures to the Covered Entity in order to allow the Covered Entity to comply with its accounting of disclosures obligations to an individual. The details of such obligations should be set forth in the BAA.
- A failure to comply with the requirements of the Security Rule. The Security Rule now applies to BAs. This means that BAs must have administrative, physical, and technical safeguards in place, in accordance with 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, and 164.314, as well as the policies and procedures and documentation requirements found in 45 C.F.R. § 164.316. When fulfilling their obligation to comply with the Security Rule, BAs may use the same process as Covered Entities. For instance, in deciding which security measures to implement, a BA may take into consideration its size, capabilities, the costs of the specific security measures, and the operational impact. BAs should note that as part of their compliance with the administrative safeguards, BAs must perform their own risk analyses, establish a risk management program, and designate a security officer, as well as have in place written policies and procedures, conduct employee training, and document compliance with the requirements.
- Failure to enter into BAAs with subcontractors that create or receive protected health information on their behalf.
While the Final Rule imposes direct liability on BAs for the foregoing, it does not impose direct liability on BAs with respect to all requirements of the HIPAA Privacy Rule. Rather, BAs will remain contractually liable to Covered Entities for any other requirements appearing in the BAA which are not described above.
III. BAAs: Required Provisions Under the Final Rule and the Compliance Date
The Final Rule included an expansion of the elements which must be contained in the BAA. Under the Final Rule, all BAAs must include provisions which require the BA to:
- Comply with the Security Rule.
- Report breaches of Unsecured Protected Health Information to Covered Entities.
- Obtain satisfactory assurances (in the form of a written BAA) from any subcontractor that creates or receives protected health information on behalf of the BA that the subcontractor agrees to the same restrictions and conditions that apply to the BA with respect to such information. From a practical perspective, this means that each BAA in the BA/subcontractor relationship chain must be as stringent as, or more stringent than, the BAA above it with respect to the permissible uses and disclosures of protected health information.
- Comply with the requirements of the Privacy Rule that apply to the Covered Entity, to the extent the BA is to carry out a Covered Entity’s obligations under the Privacy Rule, in the performance of such obligations.
It should be noted that the Final Rule removes the requirement that Covered Entities report to HHS when a Covered Entity is aware of noncompliance by a BA, the BA is unable to cure the breach, and termination of the BAA is not feasible. This is a provision that previously appeared in BAAs.
While compliance with most of the requirements of the Final Rule is required by September 23, 2013, the Final Rule contains a transition period for HIPAA-compliant BAAs that were already in effect prior to January 25, 2013. If any such BAA is not renewed or modified between March 26, 2013, and September 23, 2013, it will “grandfather” in and the Covered Entity and BA may operate under the existing BAA for up to one (1) year beyond the compliance date (i.e., September 23, 2014). The Final Rule also clarified that BAAs which contain evergreen clauses (i.e., they renew automatically and indefinitely) would be eligible for the transition period and would not terminate when the BAA automatically rolled over. New BA relationships and the resulting BAAs entered into after January 25, 2013, but prior to September 23, 2013, must comply with the Final Rule requirements prior to September 23, 2013, and are not subject to the transition period. As a starting point, HHS released a new, updated version of its sample BAA. However, please note that HHS provides no guarantee that its sample BAA fully complies with the provisions of the Final Rule; thus, entities should evaluate and tailor BAAs to meet their specific needs.
In conclusion, because the Final Rule imposes direct liability on BAs, it is now more important than ever for a Covered Entity to identify persons and entities that meet the HIPAA definition of a BA and for any such persons and entities to confirm a compliant BAA is in place. Further, it is critical that BAs fully understand their duties and obligations under HIPAA.