
HITECH Final Rule – Impact on Business Associates (Part 1 of 2)

Posted on January 28, 2013 in Health Law News

Published by: Hall Render

On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). Because the Final Rule covers a broad range of topics, we will be issuing a series of articles in our HIPAA Impact Series to provide further analysis on these topics. This article focuses on the revised definition of who is a Business Associate and on new obligations and liabilities for Business Associates under the Final Rule.

Expanding the Definition of a Business Associate

HIPAA generally defines a Business Associate as a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information (“PHI”). In the Final Rule, HHS significantly expanded the types of persons or entities that qualify as Business Associates.

First, HHS revised the definition of a Business Associate to specifically include the following:

  • Patient Safety Organizations;
  • Data transmission organizations that require routine access to PHI, such as Health Information Organizations or E-prescribing Gateways; and
  • Vendors of personal health records that provide services on behalf of a covered entity.

In regard to data transmission services, HHS clarified that whether an organization needs “routine access to PHI” is a fact-specific analysis based on the nature of the services provided and the extent to which the entity needs to access PHI to perform the service for the covered entity. Conversely, Business Associates would not include mere conduits who transmit or transport PHI but do not access it other than on a random or incidental basis as necessary to perform the service or as required by other law (e.g., internet service providers or courier services).

HHS also expanded the definition of a Business Associate to include a person who maintains PHI on behalf of a covered entity, such as a data storage company, on the basis that such persons have the persistent opportunity to access such PHI, even if they do not actually access the PHI or do so only randomly or infrequently. HHS differentiated this from conduits providing transmission services who only have transient opportunity for such access.

Finally, HHS expanded the definition of a Business Associate to include subcontractors of the Business Associate to ensure that subcontractors have the same obligation to comply with the applicable Privacy and Security Rules provisions as the primary Business Associate. However, this does not require that the covered entity have a contract directly with the subcontractor. Instead, the obligation is on each Business Associate to enter into a written agreement or other arrangement with the subcontractor to ensure appropriate compliance.

Exceptions to the Business Associate Definition

There was some confusion under the prior HIPAA Rules regarding which permissible disclosures did not result in a Business Associate relationship. In the Final Rule, HHS makes this clear by specifically listing the following exceptions to the definition of a Business Associate:

  • A health care provider with respect to disclosures concerning the treatment of the individual;
  • A plan sponsor with respect to disclosures by a group plan to the plan sponsor;
  • A government agency with respect to determining eligibility for, or enrollment in, a government health plan administered by a government agency to the extent authorized by law; and
  • A covered entity participating in an organized health care arrangement that performs functions or activities on behalf of such organized health care arrangement.

Impact on Business Associates

In addition to expanding the definition of a Business Associate, the Final Rule also extends direct liability for compliance with the HIPAA Privacy and Security Rules to Business Associates (including subcontractors). In this regard, Business Associates are now required to comply with the Security Rule in the same manner as covered entities, including implementing administrative, physical and technical safeguards; establishing policies and procedures; and complying with certain documentation requirements. Similarly, Business Associates are now obligated to comply with the Privacy Rule’s requirements and are directly liable for the following:

  • Impermissible uses and disclosures;
  • The failure to provide breach notification to the covered entity;
  • The failure to provide access to a copy of electronic PHI to the covered entity, individual or individual’s designee (whichever is specified in the business associate agreement);
  • The failure to disclose PHI as required for the government to investigate or determine the Business Associate’s compliance with the HIPAA rules; and
  • The failure to provide an accounting of disclosures to the covered entity, individual or the individual’s designee (whichever is specified in the business associate agreement).

Violations of an applicable provision may result in civil and criminal penalties being imposed on the covered entity, the Business Associate or both. Penalties and enforcement for both covered entities and Business Associates will be discussed further in a future article as part of this HIPAA Impact Series.

Timeline for Compliance

Business Associates must be in compliance with the Final Rule by March 26, 2013. However, HHS has provided additional time for covered entities and Business Associates to enter into or revise their current business associate agreements as necessary to comply with the Final Rule. Deadlines for updating these agreements will be either September 23, 2013 or September 23, 2014, depending on certain facts and circumstances. We will outline additional steps that covered entities should take with respect to business associate agreements specifically in our January 31, 2013 article.

Practical Takeaways

We recommend covered entities begin assessing which of their service providers may qualify as Business Associates under the expanded definition. Covered entities should also begin assessing their current business associate arrangements to determine whether any changes to their business associate agreements may be needed in order to comply with the Final Rule. We will provide additional guidance on business associate agreements and deadlines for revising them in our January 31, 2013 article.

We also recommend that persons or entities that qualify as Business Associates under the Final Rule begin the process of becoming compliant with their obligations under the Rule. Business Associates will need to perform a variety of actions to ensure timely compliance, including: performing a risk assessment to identify vulnerabilities or weaknesses in HIPAA compliance; implementing appropriate administrative, physical and technical safeguards to address those vulnerabilities; developing and implementing policies, procedures and forms addressing privacy and security obligations; and developing a template business associate agreement to use with subcontractors.

For more information, please contact: