10 Things that Every HIT Company Needs to Know to Prepare for the September 23 HIPAA Final Rule Compliance Date

July 15, 2013
For a host of healthcare information technology companies, the game is about to change on September 23, 2013: business associates will be regulated under HIPAA

For example, in accordance with a Frequently Asked Question response on the OCR website, a software company is typically not a business associate because its personnel do not access PHI. However, if the software company’s personnel access PHI in the course of providing software installation or service, then the company may be a business associate.

3. Breaching the required terms of a business associate agreement will be a HIPAA violation.

Prior to the Final Rule, business associates were merely subject to the terms of legally mandated business associate agreements entered into with covered entities; but now, such business associates are directly regulated under HIPAA. This means they are subject to newly enhanced criminal and civil sanctions for noncompliance. Penalties for a HIPAA violation may run as high as $50,000 per violation, not to exceed $1.5 million for all violations of an identical provision per calendar year.

4. You must have a HIPAA Security Rule compliance program in place by September 23.

The Final Rule requires a business associate to comply with the HIPAA security regulations (the “Security Rule”) in the same manner as a covered entity, meaning that the business associate must:

  • Perform a formal security risk assessment;
  • Implement written policies and procedures that address Security Rule standards;
  • Appoint a security officer; and
  • Conduct security training for workforce members.

In commentary to the Final Rule, the OCR expresses the view that most business associates should already have in place security practices that either comply with the Security Rule or require only “modest improvements” to come into compliance. Developing a Security Rule compliance program can, in fact, be a significant undertaking. If your organization does not have a formal security compliance program already in place, then you may have a considerable amount of work to do by September 23.

5. Some, but not all, HIPAA Privacy Rule obligations will apply to you.

A business associate must comply with all aspects of the Security Rule, but is only subject to certain obligations under the HIPAA privacy regulations (the “Privacy Rule”). Most notably, business associates may be directly liable under the Privacy Rule for uses and disclosures of PHI in violation of the required terms of a business associate agreement or the Privacy Rule. Under the prior regulatory approach, a business associate violating a business associate agreement was only subject to contractual remedies asserted by the covered entity for breach of contract.

Under the Final Rule, a business associate must also comply with HIPAA’s “minimum necessary” standard, meaning that when business associates use, disclose or request PHI from a covered entity, they must limit PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is vague and difficult to apply, but business associates must make efforts to address its requirements.

Although it is not required by the Final Rule, it is often advisable for a business associate to implement privacy policies and procedures to ensure that its workforce is handling PHI in accordance with the privacy obligations contained in business associate agreements. For example, if a business associate experiences a security breach involving PHI but does not notify the covered entity of the incident within the mandated time frame under the HIPAA breach notification regulations (the “Breach Notification Rule”), the business associate has violated HIPAA.

6. “Downstream” business associate agreements should be in place with your subcontractors receiving PHI.

Significantly, the Final Rule amends the definition of “business associate” to include all downstream contractors of a business associate that create, receive, maintain, or transmit PHI on behalf of a covered entity. As a result, a business associate must enter into business associate agreements with subcontractors receiving PHI, and those subcontractors will be directly regulated by HIPAA in the same manner as the business associate. A wide range of these downstream businesses, some of which are only tangentially related to the health care industry, will be required to comply with the new privacy and security obligations under the Final Rule.

7. You may be liable for the HIPAA violations of your subcontractors.

The Final Rule makes covered entities liable for the actions of business associates who are agents, as that term is defined by the federal common law of agency. Of particular significance for HIT companies, the same rule would also make a business associate liable for the HIPAA violations of a subcontractor business associate acting as its agent.

The determination of whether a subcontractor is the agent of an HIT company will be fact-specific, but OCR states that the “essential factor” in determining whether an agency relationship exists is the right to control the conduct of the entity in performing its services. If an HIT company gives interim instructions or directions to its subcontractor, rather than relying solely on performance under the terms of a contract, then that would suggest an agency relationship. HIT companies should take care in structuring relationships with subcontractors receiving PHI in order to minimize this risk of agency liability when possible.

8. Update your business associate agreements to include new, required provisions.
