Since the HITECH Notice of Proposed Rulemaking (NPRM) was released in July of 2010, covered entities and business associates have been waiting (im)patiently for the Final HITECH Omnibus Rule to be released. As of this past Thursday, we all finally have some guidance on how to implement provisions of the HITECH Act, including but not limited to provisions governing business associate and subcontractor liability, individual access rights, fundraising, marketing, breach standards, and much more.
True to its name, the HITECH “Omnibus” Rule or Final Rule packs in a lot of changes to the HIPAA Privacy and Security Rules, enforcement provisions and breach notification requirements of the HITECH Act, as well as amendments to GINA and handling of genetic information. To make dissecting this 500+ page rule manageable, the next few posts will focus on key aspects of the HITECH Final Rule, starting today with the provisions of the Final Rule which impact business associates and their subcontractors.
A covered entity is and has been required by HIPAA to enter into a HIPAA Business Associate Agreement (HIPAA BAA) with any entity that would create, receive or transmit PHI for or on their behalf in connection with certain health care operations purposes. However, before the implementation of the HITECH Act, business associates of covered entities were not directly liable for improper uses or disclosures of protected health information (PHI) in the performance of services or functions.
Ultimately, only covered entities were responsible in the event a business associate failed to appropriately safeguard the PHI they were provided with or used/disclosed it improperly. However, as you know, HITECH made provisions of the Privacy and Security Rules directly applicable to business associates, with the NPRM proposing several modifications to the definition of a “business associate”, including adding Patient Safety Organizations and patient safety activities as well as certain health information exchange organizations (HIOs) and personal health record (PHR) activities.
The HITECH Final Rule modifies the definition of “business associate” to mean that a business associate is any person who “creates, receives, maintains, or transmits” PHI on behalf of a covered entity, in order to clarify that any entity that maintains PHI, such as a data storage organization, is a business associate even if it does not access or view the PHI. PHR vendors will also be considered business associates where they provide PHRs for or on behalf of a covered entity, rather than simply establishing a connection for the covered entity to send PHI to the individual’s PHR. Rather than acting simply as a “conduit”, the PHR vendor is maintaining PHI on behalf of the covered entity for the benefit of the individual.
HIOs and other entities will be considered business associates where they (1) provide data transmission services with respect to PHI and (2) require routine access to the PHI. The Preamble to the HITECH Final Rule clarifies “access on a routine basis” to mean circumstances where an entity requires access to PHI in order to perform services and functions on behalf of a covered entity, such as management of an exchange network through use of record locator and other services on behalf of its participants. However, HHS recognizes that this will depend upon the circumstances and states its intention of issuing future guidance in this area.
Most importantly, and perhaps a sore point for business associates and their subcontractors, the HITECH Final Rule makes subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of such business associate likewise HIPAA business associates. Therefore, these downstream subcontractors will be subject to the same requirements that the first business associate is subject to. Each business associate now also is required to have a HIPAA compliant BAA in place with its subcontractors, its subcontractor with its own subcontractors, and so forth down the chain of subcontractors no matter how long.
HHS recognized that,
“The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for [PHI] lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity. Allowing such a lapse in privacy and security protections could allow business associates to avoid liability….”
Furthermore, the Preamble stated, “applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive [PHI] in order for the covered entity to perform in health care functions.”
The HITECH Final Rule also provides some clarification as to when a business associate will be an “agent” of a covered entity. Although generally determinations of whether a business associate will be acting as an agent of a covered entity are fact specific, the Preamble to the Final Rule makes it clear that federal common law agency principles will be applied, regardless of whether the parties consider or state themselves to be independent contractors. If the covered entity has the right to control or direct any given service or function provided or performed by the business associate (for example, how a business associate makes PHI available for access by an individual), then an agency relationship will likely be created.
Liability for a business associate’s actions, however, will only extend to the scope of the agency. For example, if a business associate fails to limit PHI disclosed to the minimum necessary while performing services it was engaged by a covered entity to perform (as an agent), then the business associate is likely acting within the scope of agency. However, a business associate’s conduct is outside the scope of agency where it acts for its own benefit or for that of a third party.
Business associates are also subject to the HITECH marketing requirements, to be discussed in a future blog post. And finally, the HITECH Final Rule applies certain other provisions of the Privacy Rule directly to business associates. Business associates will have direct liability for impermissible uses or disclosures in violation of the HIPAA BAA or the Privacy Rule, as well as:
- failure to disclose PHI where required by the Secretary;
- failure to disclose PHI for access rights;
- failure to limit PHI used/disclosed to the minimum necessary;
- failure to obtain a HIPAA compliant BAA with subcontractors;
- failure to provide breach notification;
- failure to provide an accounting of disclosures (subject of a separate future rulemaking).
Covered entities and business associates are permitted under the Final Rule transition provisions to continue operating under existing HIPAA BAAs for up to one year beyond the compliance date of the Final Rule, or until the initial renewal/modification of the BAA, whichever is earlier. The minimum requirements of a HIPAA BAA were slightly modified by the Final Rule, and now:
- Must include the requirement that a business associate report any Breach of which it becomes aware to the covered entity, in addition to security incidents;
- Must include the requirement that a business associate, to the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements that apply to the covered entity in the performance of such obligation; and
- Need not include the requirement that the covered entity report a business associate to the Secretary for patterns or practices which constitute a material breach or violation of the HIPAA BAA.
Stay tuned for a discussion of the new Breach Presumption and Risk Assessment requirements implemented by the Final Rule...