HealtHITechLaw HIPAA, HITECH and Beyond

HIPAA Final Rule Clarifies Business Associate Obligations

Posted in Rulemaking

Business Associates:  You’re on notice.

When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent.  Historically, business associates have been required to comply with HIPAA only insofar as dictated by their contractual relationships with covered entities.  HITECH drastically changed this, mandating that certain HIPAA provisions apply directly to business associates.

In addition to specifying these obligations (discussed below), the Final Rule clarified to whom these obligations apply:

  1. Patient Safety Organizations – the Final Rule adopted the proposal to add patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship.
  2. Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; Vendors of Personal Health Records – such entities that provide services with respect to PHI and require access on a routine basis to such PHI are considered business associates.  Note that this is consistent with HHS’s prior interpretation, which advises that entities that act as “mere conduits” for transporting PHI, but do not access PHI other than on a random or infrequent basis, are not business associates.
  3. Subcontractors of Business Associates – downstream entities, i.e., persons to whom a business associate has delegated a function, activity or service that the business associate has agreed to perform for a covered entity or business associate, are now considered business associates.  HHS made clear that no matter how far downstream the PHI flows, entities that meet the definition are business associates.
  4. Exceptions – the Final Rule carves out from the definition of business associate health care providers with respect to disclosures by a covered entity to the provider concerning the treatment of the individual.  This change moves the exception from 164.502(e)(1)(ii), the standard for disclosures to a business associate, into the definition of business associate itself.

Having clarified who is a business associate, the Final Rule adopted the following key proposed changes relative to business associates:

  1. Compliance and Enforcement:  HITECH provided statutory authority requiring HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil monetary penalty (CMP) for the violation.  The Final Rule clarifies that these changes apply to business associates as well as covered entities.
  2. Civil Monetary Penalty Liability:  Consistent with HITECH, business associates are now subject to severe CMPs.  The amount of the penalties increases based on the level of culpability, with the most draconian penalties to be levied for violations due to willful neglect.  Each violation carries a minimum penalty of $50,000; the maximum is $1,500,000 for identical violations during a calendar year.
  3. Security Rule Obligations:  Just like covered entities, business associates are now required as a matter of law to comply with the entirety of the Security Rule.  This includes the administrative, physical, and technical safeguards; organizational requirements (including business associate agreements with subcontractor business associates); and maintaining policies, procedures, and proper documentation of Security Rule compliance.  For unsuspecting business associates, these requirements may be particularly onerous, and the September 23, 2013 compliance date may come very quickly – even though HITECH was clear in this regard.
  4. Privacy Rule Obligations:  The business associate Privacy Rule obligations were likely the most uncertain in the four years since HITECH first came on the scene.  The Final Rule mandates that the Privacy Rule applies to business associates “where provided.”  A few of the most noteworthy provisions:
  • Adds a new section specifying required and permitted business associate uses and disclosures of PHI;
  • Requires business associates to report breaches of unsecured PHI upstream; and
  • Requires business associates to impose business associate regulatory and contractual obligations on subcontractor business associates.

HIPAA business associates who have not been paying attention since HITECH need to take notice.  The timeframe for compliance is less than nine months.  For those business associates who had been hoping for relief in the Final Rule (or simply have had their head in the sand for four years), waiting is no longer an option.

As we continue to digest the Final Rule, be sure to check in frequently as we anticipate much more to come in the next few weeks.