Final Omnibus Rules Under HIPAA Will Affect Business Associate Arrangements
In a previous post about the new Final Omnibus Rule under HIPAA, we highlighted important changes regarding the process by which potential privacy breaches must be evaluated and classified for notification purposes. As we observed in that post, changes that have been characterized by the Office of Civil Rights ("OCR") of the Department of Health and Human Services as "modifications and clarifications" can have far-reaching legal compliance implications for covered entities, including employer-sponsored group health plans. We now turn to rule changes affecting business associates and the legal relationships between business associates and employer-sponsored group health plans. Plan sponsors certainly will need to take action to respond to the Final Rule, but the new rules have a particularly significant impact on the legal obligations of business associates.
Broader Definition of Business Associate
The Final Rule expands the definition of "business associate" to include:
- Entities that provide data transmission services to a covered entity with respect to PHI and have regular access to such PHI (referred to as "health information organizations");
- A person who offers a personal health record to one or more individuals on behalf of a covered entity;
- Entities that undertake patient safety activities on behalf of a covered entity (referred to as "patient safety organizations"); and
- Subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of a business associate.
The Final Rule makes clear that entities storing or maintaining electronic PHI ("ePHI") for covered entities qualify as business associates because they have regular access to PHI, even if they do not actually view the information or do so only on a random or infrequent basis. (Some commentators have even suggested that cloud providers storing or maintaining ePHI on behalf of covered entities may qualify as business associates.) The Final Rule notes, however, that an entity simply providing data transmission services (e.g., data conduits) and having only random or infrequent access to ePHI is not considered a business associate.
Direct Liability of Business Associates
The Final Rule implements the well-publicized provisions of the HITECH Act that extend to business associates direct liability for a failure to comply with the applicable privacy and security standards of HIPAA. In particular, a business associate must comply with the following requirements (just as a covered entity must) or face direct liability under HIPAA:
- Refrain from any uses and disclosures of PHI that are not in accord with its business associate agreement or the HIPAA privacy rule;
- Disclose PHI when required by the Secretary of HHS as part of an investigation of the business associate's compliance with the HIPAA Rules;
- Disclose PHI to the covered entity or individual as necessary to satisfy a covered entity's obligations with respect to an individual's request for an electronic copy of PHI;
- Provide breach notification to the covered entity;
- Provide an accounting of disclosures;
- Comply with the requirements of the Security Rule;
- Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
- Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.
The Final Rule helpfully clarifies that covered entities are not required to obtain "satisfactory assurances" with respect to compliance from subcontractors of business associates. Instead, the business associate is required to obtain such assurances from a subcontractor. Direct liability under HIPAA will attach regardless of whether the business associate and subcontractors have entered into the required business associate agreements.
Amendments to Business Associate Agreements
In order to comply with the Final Rule, a business associate agreement ("BAA") must include, among other things, provisions requiring the business associate to:
- Comply with applicable provisions of the HIPAA security rule;
- Ensure that any subcontractor creating, receiving, maintaining, or transmitting ePHI on behalf of the business associate agrees to comply with applicable requirements of the security rule by entering into a contract or other arrangement that complies with the business associate provisions;
- Ensure that any subcontractor creating, receiving, maintaining, or transmitting PHI on behalf of the business associate agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
- Report to the covered entity breaches of unsecured PHI as required by the breach notification rules; and
- To the extent the business associate carries out a covered entity's obligations under the privacy rule, comply with the requirements of the privacy rule that apply to the covered entity in the performance of such obligation.
If a BAA currently in place does not include all of those provisions, any necessary amendments must be executed by September 23, 2013 (the generally applicable compliance deadline under the Final Rule). The Final Rule does, however, include helpful transition relief regarding BAA amendments. Specifically, the Final Rule allows a covered entity and a business associate to continue to operate under an existing BAA for up to one year beyond the compliance date (i.e., until September 22, 2014) if, prior to January 25, 2013 (the publication date of the Final Rules), the covered entity and the business associate were parties to a BAA that complied with the prior provisions of the HIPAA rules and such BAA is not renewed or modified after March 25, 2013. Any BAA that is modified or renewed (other than an automatic renewal with no changes) between March 26, 2013 and September 23, 2013 must include the new provisions. And, of course, any BAA first entered into on or after September 23, 2013 must comply fully upon execution.
Clearly, business associates and covered entities will have work to do to comply with these provisions of the Final Rule. As a start, employers and business associates should review existing BAAs to determine whether the transition relief is available. Even if transition relief is available, it is not too early for employers who sponsor self-funded group health plans to contact their known business associates to ask when they can expect to see new BAAs, and for larger employers to update their own model BAA.
There is more to say about the Final Omnibus Rules and more for employers to do in response to them. Our series on this topic will continue with a review of the greatly augmented enforcement and penalty provisions, as well as an examination of changes that employers may need to make in their HIPAA policies and procedures.