On January 25, the Office for Civil Rights (OCR) of the Department of Health and Human Services published new regulations that dramatically extend the reach of federal healthcare privacy and security law to a vast array of companies that do business with the healthcare industry, including many HIT companies. The long-awaited final omnibus regulations (the “Final Rule”) amend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Final Rule represents the most significant development in health care privacy and security law since the original HIPAA regulations were published a decade ago.
The Final Rule became effective on March 26, and compliance is generally required by September 23. HIPAA has previously regulated “covered entities,” which include health plans, health care providers, and health care clearinghouses. The Final Rule extends certain HIPAA requirements to “business associates” of those covered entities, as well as to their subcontractors.
Why are HIT companies and other business associates being regulated now? To answer that question, a bit of background is helpful. These changes to HIPAA were first introduced in 2009 in the HITECH Act, which is part of the American Recovery and Reinvestment Act (ARRA). ARRA’s financial stimulus measures include new incentives for providers to adopt electronic health records (EHRs), which are intended to help control health care costs. Congress decided that if it was going to encourage providers and patients to have confidence in EHRs, they would also need to have greater confidence in the privacy and security measures of the companies providing those innovative products and services. As a result, business associates are facing an array of new legal obligations.
Here are 10 things that you need to know as a HIT company to be ready for the new phase of HIPAA regulation and enforcement that arrives with the September 23 compliance date.
1. The definition of “business associate” has been broadened (cloud service providers take note).
A business associate is an individual or organization acting on behalf of a HIPAA covered entity that creates, receives, maintains, or transmits protected health information (PHI) in connection with a function or activity regulated by HIPAA. Business associates include a wide range of HIT companies, including those providing certain software products, electronic health records, cloud computing services, outsourcing services, data centers and claims processing.
There are many nuances to who is and who is not a business associate, and some of these rules are clarified in the Final Rule. For example, the Final Rule provides that a company that merely “maintains” protected health information without actually accessing the data may be a business associate. This modification is likely to cause many cloud service providers to be regulated.
“Mere conduits” that transmit PHI but do not access it, except on a random or infrequent basis, are not business associates. OCR notes that the “conduit” exception is limited to services that transmit PHI, even when there is temporary storage of the transmitted data incident to the transmission. However, a company that maintains PHI on behalf of a covered entity, such as a data storage company, is a business associate, even if the entity does not actually view the PHI. This distinction between “transient” and “persistent” access to PHI is a fine one, but it will determine whether certain companies are business associates.
2. Don’t assume that your company is a business associate just because a customer asks you to sign a business associate agreement.
Many hospitals, physician practices and other covered entities do not fully appreciate the many nuances to HIPAA’s “business associate” definition. Instead, these covered entities routinely ask nearly all vendors to sign business associate agreements without any input from the compliance or legal department. In response, some HIT companies find it necessary to make nuanced arguments to their customers to demonstrate why they are not business associates, preparing letters or position papers that their sales force can provide when they are incorrectly asked to sign a business associate agreement.
For example, in accordance with a Frequently Asked Question response on the OCR website, a software company is typically not a business associate because its personnel do not access PHI. However, if the software company’s personnel access PHI in the course of providing software installation or service, then the company may be a business associate.
3. Breaching the required terms of a business associate agreement will be a HIPAA violation.
Prior to the Final Rule, business associates were merely subject to the terms of legally mandated business associate agreements entered into with covered entities; but now, such business associates are directly regulated under HIPAA. This means they are subject to newly enhanced criminal and civil sanctions for noncompliance. Penalties for a HIPAA violation may run as high as $50,000 per violation, not to exceed $1.5 million for all violations of an identical provision per calendar year.
4. You must have a HIPAA Security Rule compliance program in place by September 23.
The Final Rule requires a business associate to comply with the HIPAA security regulations (the “Security Rule”) in the same manner as a covered entity, meaning that the business associate must: