On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). Because the Final Rule covers a broad range of topics, we will be issuing a series of articles in our HIPAA Impact Series to provide further analysis on these topics. This article focuses on the impact of the Final Rule on business associate agreements (“BAAs”) and the timeline for compliance.
Business Associate Agreements
As previously discussed in our January 28, 2013 article, the Final Rule extends direct liability for failure to comply with the HIPAA Privacy and Security Rules to business associates (including subcontractors). While some commenters questioned the continued need for BAAs given the direct liability of business associates, HHS provided commentary in the Final Rule stressing the important functions that BAAs continue to serve. Importantly, HHS pointed out that HITECH ties the business associate’s direct liability to making uses and disclosures of protected health information (“PHI”) in accordance with the uses and disclosures permitted by the BAA. Thus, the BAA serves to clarify the permissible uses and disclosures and allows the covered entity to limit the uses and disclosures of PHI by a business associate based on the services or activities being performed by the business associate. HHS also indicated that the BAA can be used to contractually require the business associate to perform certain activities for which the business associate does not have direct liability, such as requiring the business associate to amend PHI in accordance with applicable HIPAA regulations. Further, HHS stated that the BAA serves to notify the business associate of its status under the HIPAA Rules so that the business associate is fully aware of its obligations and potential liabilities.
With the above considerations in mind, HHS established in the Final Rule additional requirements for BAAs to address the new obligations of business associates. Specifically, under the Final Rule, BAAs must now specify that the business associate will:
- Comply, where applicable, with the Security Rule with regard to electronic PHI;
- Report breaches of unsecured PHI to the covered entity;
- Ensure that any subcontractors of the business associate that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to the information; and
- To the extent the business associate carries out a covered entity’s obligation under the HIPAA Privacy Rule, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of that obligation.
HHS also clarified that subcontractors of business associates may only use or disclose PHI in a manner that would be permissible if it were being done by the business associate. In other words, any restrictions and conditions on the subcontractor’s use or disclosure of PHI must be the same or more stringent than those to which the business associate is subject and must be specified in the BAA between the business associate and the subcontractor. Any use or disclosure of PHI by a subcontractor that is inconsistent with the BAA is a violation of law and can result in direct, and potentially contractual, liability for the subcontractor.
Timeline for Compliance
The Final Rule took effect on March 26, 2013, and covered entities and business associates must be in compliance with it by September 23, 2013. However, HHS has provided additional time for covered entities and business associates to enter into new, or revise current, BAAs to comply with the Final Rule. The Final Rule provides for two different deadlines depending on whether or not the covered entity and business associate had a BAA in place prior to January 25, 2013 that was compliant with the prior HIPAA Rules:
- If the parties had a compliant BAA in place prior to January 25, 2013, and such BAA is not renewed or modified between March 26, 2013 and September 23, 2013, then the parties can rely on the existing BAA until the earlier of (1) the date the agreement is renegotiated or renewed, or (2) September 22, 2014. Note that if a compliant BAA that was in place prior to January 25, 2013 has an automatic renewal or “evergreen” clause and is allowed to automatically renew without modification before September 23, 2013, the covered entity still has until September 22, 2014 to modify the BAA.
- If the parties did not have a compliant BAA in place prior to January 25, 2013, then the parties must enter into a BAA that complies with the Final Rule by September 23, 2013.
Practical Takeaways
For many covered entities, the task of updating BAAs will be a substantial undertaking. We recommend that covered entities take the following steps to ensure timely compliance with the Final Rule requirements for BAAs:
- Audit the covered entity’s existing BAAs to determine which BAAs will need to be revised to be compliant with the Final Rule by September 23, 2013 and which BAAs might qualify for the September 22, 2014 compliance extension.
- Determine whether the covered entity has any relationships with entities that will now be considered business associates under the Final Rule and work to establish BAAs with those business associates.
- Review the covered entity’s template BAA and update as necessary to comply with the Final Rule.
- Have practices in place so that business personnel and privacy/security personnel communicate, ensuring that BAAs are entered into as needed when establishing new business relationships and updated when revising or renewing underlying contracts.
- Perform audits of business associate relationships to ensure that the covered entity’s business associates comply with the HIPAA Privacy and Security Rules, the terms of the BAA and the covered entity’s policies and procedures.
- If the covered entity performs any business associate activities for another covered entity, ensure that it is acting in compliance with the Final Rule requirements.
- Review and revise the covered entity’s HIPAA policies and procedures to reflect the new BAA requirements.
We also recommend that business associates take the above steps, as applicable, with respect to their relationships with subcontractors.
If you have any questions, please contact:
- Monica Hocum at mhocum@hallrender.com or 414-721-0454;
- Leia Olsen at lolsen@hallrender.com or 414-721-0466;
- Anne Ruff at aruff@hallrender.com or 414-721-0489; or
- Your regular Hall Render attorney.