On January 25, the Office for Civil Rights (OCR) of the Department of Health and Human Services published new regulations that dramatically extend the reach of federal healthcare privacy and security law to a vast array of companies that do business with the healthcare industry, including many HIT companies. The long-awaited final omnibus regulations (the “Final Rule”) amend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Final Rule represents the most significant development in health care privacy and security law since the original HIPAA regulations were published a decade ago.
The Final Rule became effective on March 26, and compliance is generally required by September 23. HIPAA has previously regulated “covered entities,” which include health plans, health care providers, and health care clearinghouses. The Final Rule extends certain HIPAA requirements to “business associates” of those covered entities, as well as to their subcontractors.
Why are HIT companies and other business associates being regulated now? To answer that question, a bit of background is helpful. These changes to HIPAA were first introduced in 2009 in the HITECH Act, which is part of the American Recovery and Reinvestment Act (ARRA). ARRA’s financial stimulus measures include new incentives for providers to adopt electronic health records (EHRs), which are intended to help control health care costs. Congress decided that if it was going to encourage providers and patients to have confidence in EHRs, they would also need to have greater confidence in the privacy and security measures of the companies providing those innovative products and services. As a result, business associates are facing an array of new legal obligations.
Here are 10 things that you need to know as a HIT company to be ready for the new phase of HIPAA regulation and enforcement that arrives with the September 23 compliance date.
1. The definition of “business associate” has been broadened (cloud service providers take note).
A business associate is an individual or organization acting on behalf of a HIPAA covered entity that creates, receives, maintains, or transmits protected health information (PHI) in connection with a function or activity regulated by HIPAA. Business associates include a wide range of HIT companies, including those providing certain software products, electronic health records, cloud computing services, outsourcing services, data centers and claims processing.
There are many nuances to who is and who is not a business associate, and some of these rules are clarified in the Final Rule. For example, the Final Rule provides that a company that merely “maintains” protected health information without actually accessing the data may be a business associate. This modification is likely to cause many cloud service providers to be regulated.
“Mere conduits” that transmit, but do not access PHI, except on a random or infrequent basis, are not business associates. OCR notes that the “conduit” exception is limited to services that transmit PHI, even when there is temporary storage of the transmitted data incident to the transmission. However, a company that maintains PHI on behalf of a covered entity, such as a data storage company, is a business associate, even if the entity does not actually view the PHI. This distinction between “transient” and “persistent” access to PHI is a fine one, but it will determine whether certain companies are business associates.
2. Don’t assume that your company is a business associate just because a customer asks you to sign a business associate agreement.
Many hospitals, physician practices and other covered entities do not fully appreciate the many nuances to HIPAA’s “business associate” definition. Instead, these covered entities routinely ask nearly all vendors to sign business associate agreements without any input from the compliance or legal department. In response, some HIT companies find it necessary to make nuanced arguments to their customers to demonstrate why they are not business associates, preparing letters or position papers that their sales force can provide when they are incorrectly asked to sign a business associate agreement.
For example, in accordance with a Frequently Asked Question response on the OCR website, a software company is typically not a business associate because its personnel do not access PHI. However, if the software company’s personnel access PHI in the course of providing software installation or service, then the company may be a business associate.
3. Breaching the required terms of a business associate agreement will be a HIPAA violation.
Prior to the Final Rule, business associates were merely subject to the terms of legally mandated business associate agreements entered into with covered entities; but now, such business associates are directly regulated under HIPAA. This means they are subject to newly enhanced criminal and civil sanctions for noncompliance. Penalties for a HIPAA violation may run as high as $50,000 per violation, not to exceed $1.5 million for all violations of an identical provision per calendar year.
4. You must have a HIPAA Security Rule compliance program in place by September 23.
The Final Rule requires a business associate to comply with the HIPAA security regulations (the “Security Rule”) in the same manner as a covered entity, meaning that the business associate must:
- Perform a formal security risk assessment;
- Implement written policies and procedures that address Security Rule standards;
- Appoint a security officer; and
- Conduct security training for workforce members.
In commentary to the Final Rule, OCR expresses the view that most business associates should already have in place security practices that either comply with the Security Rule or require only “modest improvements” to come into compliance. Developing a Security Rule compliance program can, in fact, be a significant undertaking. If your organization does not have a formal security compliance program already in place, then you may have a considerable amount of work to do by September 23.
5. Some, but not all, HIPAA Privacy Rule obligations will apply to you.
A business associate must comply with all aspects of the Security Rule, but is only subject to certain obligations under the HIPAA privacy regulations (the “Privacy Rule”). Most notably, business associates may be directly liable under the Privacy Rule for uses and disclosures of PHI in violation of the required terms of a business associate agreement or the Privacy Rule. Under the prior regulatory approach, a business associate violating a business associate agreement was only subject to contractual remedies asserted by the covered entity for breach of contract.
Under the Final Rule, a business associate must also comply with HIPAA’s “minimum necessary” standard, meaning that when business associates use, disclose or request PHI from a covered entity, they must limit PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is vague and difficult to apply, but business associates must make efforts to address its requirements.
Although it is not required by the Final Rule, it is often advisable for a business associate to implement privacy policies and procedures to ensure that its workforce is handling PHI in accordance with the privacy obligations contained in business associate agreements. For example, if a business associate experiences a security breach involving PHI but does not notify the covered entity of the incident within the mandated time frame under the HIPAA breach notification regulations (the “Breach Notification Rule”), the business associate has violated HIPAA.
6. “Downstream” business associate agreements should be in place with your subcontractors receiving PHI.
Significantly, the Final Rule amends the definition of “business associate” to include all downstream contractors of a business associate that create, receive, maintain, or transmit PHI on behalf of a covered entity. As a result, a business associate must enter into business associate agreements with subcontractors receiving PHI, and those subcontractors will be directly regulated by HIPAA in the same manner as the business associate. A wide range of these downstream businesses, some of which are only tangentially related to the health care industry, will be required to comply with the new privacy and security obligations under the Final Rule.
7. You may be liable for the HIPAA violations of your subcontractors.
The Final Rule makes covered entities liable for the actions of business associates who are agents, as that term is defined by the federal common law of agency. Of particular significance for HIT companies, the same rule would also make a business associate liable for the HIPAA violations of a subcontractor business associate acting as its agent.
The determination of whether a subcontractor is the agent of an HIT company will be fact-specific, but OCR states that the “essential factor” in determining whether an agency relationship exists is the right to control the conduct of the entity in performing its services. If an HIT company gives interim instructions or directions to its subcontractor, rather than relying solely on performance under the terms of a contract, then that would suggest an agency relationship. HIT companies should take care in structuring relationships with subcontractors receiving PHI in order to minimize this risk of agency liability when possible.
8. Update your business associate agreements to include new, required provisions.
The Final Rule also requires that several new provisions be added to business associate agreements to reflect the new obligations. Because business associate agreements are commonplace in the healthcare industry, with large organizations entering into hundreds or thousands of these contracts, implementing these amendments is not a simple task. Fortunately, the Final Rule creates a transition period for amending business associate agreements. A business associate agreement that is compliant with pre-Final Rule HIPAA requirements need not be amended if it is not renewed or modified until September 23, 2014; but new business associate agreements entered into after January 25, 2013 must contain the newly required provisions by September 23.
9. Adopting a written security breach response plan is advisable.
Business associates should also consider developing a security breach response plan that tracks the requirements of the Breach Notification Rule and applicable state security breach notification laws. A formal breach response plan provides a roadmap for quickly assessing and responding to a breach, mitigating potential damage, and managing any public response. The Final Rule amends the definition of “breach” to include an express presumption that an impermissible use or disclosure of PHI is considered a breach unless the covered entity or business associate is able to demonstrate that there is a “low probability” that the PHI has been compromised. Business associates must apply this standard by conducting and documenting a risk assessment of a security breach event.
10. Consider how other Final Rule provisions may affect your business.
The Final Rule also modifies various aspects of the Privacy and Security Rules applicable to covered entities, such as sales of PHI; marketing communications to patients subsidized by third parties; authorizations obtained from patients to participate in clinical research; covered entity notices of privacy practices; and fundraising by covered entities. However, the Final Rule’s expansion of HIPAA regulations to cover business associates and their subcontractors is likely to have the most far-reaching impact.
For example, HIT companies that provide computers to customers for data transmission may be impacted by the new rules prohibiting sales of PHI. If the customer retains the computer after the arrangement terminates and is able to use that computer for unrelated purposes, then the computer could be deemed to be prohibited remuneration in exchange for disclosing PHI.
September 23 marks the beginning of a new phase of regulation of business associates, and HIT companies should be preparing for heightened scrutiny from customers and, eventually, regulators.
Reece Hirsch is a partner in the San Francisco office of Morgan, Lewis & Bockius. He specializes in health care, privacy, and security law.