On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the omnibus regulations under the Health Insurance Portability and Accountability Act (HIPAA), including implementing changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH) (the final rule). Some of the most sweeping changes directly affect business associates and subcontractors of business associates.
Who Is a Business Associate?
The final rule affirms that individuals and entities that are not part of a covered entity’s workforce and that engage in activities such as claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing continue to be business associates. The final rule amends the definition of a “business associate” to mean a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity. The final rule also adds a new category of services, patient safety activities, to the list of functions and activities a person or entity may undertake on behalf of a covered entity that give rise to a business associate relationship. Three categories of service providers are specifically identified as business associates under the final rule:
- Health information organizations, e-prescribing gateways, and other people or entities that provide data transmission services to a covered entity with respect to protected health information and that require access on a routine basis to such protected health information
- People or entities that offer personal health records to one or more individuals on behalf of a covered entity
- Subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates
The addition of subcontractors means that all requirements and obligations that apply to direct contract business associates of a covered entity also apply to all downstream service providers.
The preamble to the final rule provides additional guidance on which entities are considered to be business associates. A data storage company that has access to protected health information (whether digital or hard copy) is a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. A researcher may be a business associate if the researcher performs a function, activity or service for a covered entity that falls within the definition of business associate—for example, creating a de-identified or limited data set for the covered entity. Both data transmission services and personal health record vendors may be business associates based on the facts and circumstances surrounding their duties and responsibilities. If the vendor has access to protected health information in order to perform its duties and responsibilities, regardless of whether the vendor actually exercises this access, the vendor is a business associate.
Who Is a Subcontractor?
Prior to the enactment of HITECH, business associates and their subcontractors were not directly subject to the compliance obligations and penalties under HIPAA. Although subcontractors existed prior to the final rule, “subcontractor” is a newly defined term in the final rule. A subcontractor is a person or entity to which a business associate delegates a function, activity or service in a capacity other than as a member of the workforce of such business associate. The analysis of whether a subcontractor is acting on behalf of a business associate is the same analysis as that with respect to whether a business associate is acting on behalf of a covered entity.
Who Is Not a Business Associate?
The final rule lists four categories of persons or entities that are not business associates. A plan sponsor that has amended its group health plan to include the required HIPAA provisions is not a business associate with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor. A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual, is not a business associate. A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law, is not a business associate. A covered entity that participates in an organized health care arrangement and performs a specific service, function or activity on behalf of that organized health care arrangement is not a business associate. These exclusions previously were listed elsewhere in the HIPAA privacy and security regulations but are moved to the definition of a business associate in the final rule.
The preamble to the final rule identifies other types of persons or entities that are not business associates. An external researcher is not a business associate, even if the covered entity has hired that researcher to perform the research. External or independent Institutional Review Boards are not business associates. Banking and financial institutions with respect to payment processing activities are not business associates. Finally, entities that act as mere conduits for the transport of protected health information, but do not access the information other than on a random or infrequent basis are not business associates (e.g., the U.S. Postal Service, United Parcel Service, telecommunications companies or internet service providers (ISPs) providing mere data transmission services).
Obligations for Business Associates and Subcontractors
Covered entities were always required to enter into HIPAA compliant business associate contracts with their business associates. Under the final rule, business associates are also required to enter into HIPAA compliant business associate agreements with their subcontractors, first degree subcontractors are required to enter into HIPAA compliant business associate agreements with their own subcontractors, and so on down the line. Covered entities are not required to enter into business associate contracts with their business associates’ subcontractors. The final rules reflect HITECH changes to apply the HIPAA electronic security rules to business associates. For example, business associates and subcontractors must have HIPAA compliant written electronic security policies and procedures. Business associates must timely report “breaches” of unsecured protected health information to a covered entity.
Effective Date for Compliance
Business associates must comply with the final rule beginning September 23, 2013. However, there is a special one-year transition period for implementing business associate agreements that comply with the final rule. A business associate agreement is deemed to comply with the final rule through September 22, 2014, as long as the agreement was in place before January 25, 2013 (the date the final rule was published in the Federal Register), complied with the prior provisions of the HIPAA privacy and security rules, and is not renewed or modified on or after March 26, 2013. If the business associate agreement is renewed or modified at any time between March 26, 2013, and September 23, 2013, the business associate agreement renewal or modification must include the new provisions in the final rule on or before September 23, 2013. The transition period will automatically terminate if the agreement is renewed or modified before September 23, 2014. The automatic renewal of evergreen contracts would not cut off the transition period.
Potential Liability for Business Associates and Subcontractors
Consistent with HITECH requirements, the final rule reflects HHS’s direct enforcement authority over business associates and subcontractors. HHS clarified in the preamble to the final regulations that business associates are directly liable under the HIPAA privacy and security rules for impermissible uses and disclosures of protected health information (PHI), failure to provide breach notification to the covered entity, failure to disclose PHI as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of PHI, failure to disclose PHI to the Secretary of HHS to investigate or determine the business associate’s compliance with the rules, failure to comply with minimum necessary standards, failure to enter into business associate agreements with subcontractors that create or receive a covered entity’s PHI on its behalf, failure to provide an accounting of disclosures and failure to comply with the electronic security requirements. Although there is direct enforcement authority, business associate agreements are still necessary to address other requirements under the HIPAA privacy and security rules, and business associates/subcontractors remain contractually liable under those business associate/subcontractor agreements.
Vicarious Liability for Covered Entities and Business Associates
The final rule adds a vicarious liability component to covered entities and business associates. Covered entities are liable under the final rule for violations resulting from the acts or omissions of a business associate if that business associate is an agent of the covered entity and the business associate is acting within the scope of that agency arrangement. Similarly, a business associate is liable for violations resulting from the acts or omissions of a subcontractor if that subcontractor is an agent of the business associate and the subcontractor is acting within the scope of that agency arrangement. In making its determination whether there is an agency relationship, HHS’s Office for Civil Rights (OCR) will apply federal common law. The preamble to the final rule indicates that OCR will look at the business associate agreement and the totality of the facts and circumstances surrounding the relationship. The key indicator in determining whether an agency relationship exists is the right or authority of the covered entity to control the business associate’s conduct in the course of performing a service for the covered entity. For example, if the only way to control the actions of a business associate is through a contract that sets the terms and conditions of the provision of services, and the only way to direct the business associate is to amend the contract or sue for breach of contract, then the business associate generally would not be an agent of the covered entity. This same analysis would apply in analyzing the relationship between a business associate and subcontractor. When evaluating whether an act or omission is within the “scope of the agency,” OCR will consider such factors as the time, place and purpose of the agent’s conduct; whether the agent engaged in a course of conduct subject to the covered entity or business associate’s control; whether a business associate or subcontractor agent’s conduct is commonly done by the business associate or subcontractor to accomplish the service on behalf of the covered entity or business associate; and whether the covered entity or business associate reasonably expected that the business associate or subcontractor agent would engage in the conduct in question. Labeling the parties as independent contractors in the agreement will not trump OCR’s agency analysis.
Next Steps
- Business associates and subcontractors will need HIPAA compliant privacy and security policies and procedures. We also recommend applicable forms, such as a HIPAA compliant authorization form.
- In new relationships between a covered entity and a business associate, both parties must execute a HIPAA compliant business associate agreement. For existing relationships with compliant business associate agreements in place prior to January 25, 2013, the agreements should be amended in accordance with the final rule.
- In new relationships between a subsidiary and a business associate, both parties must execute a HIPAA compliant agreement. For existing relationships with agreements in place prior to January 25, 2013, that satisfy current business associate agreement requirements, the agreements should be amended in accordance with the final rule.
- We also suggest keeping in mind the agency law analysis and vicarious liability when drafting or revising business associate and subcontractor agreements.