- Do you perform any work for health care providers, health plans, or others who provide services to health care entities?
- Do you handle any protected health information (which may be as basic as a patient's name)?
- If so, do you understand what your obligations may be to comply with HIPAA and that a failure to do so could cost you up to $1.5 million per incident?
Recently the U.S. Department of Health and Human Services finalized modifications to HIPAA—the Health Insurance Portability and Accountability Act of 1996. Given HIPAA's highly technical nature, it might be tempting for those not working directly in health care settings to turn a blind eye to these changes. But ignoring the changes could prove to be a costly mistake. The changes expand liability for certain individuals and entities—known as "business associates"—for failure to comply with the privacy and security obligations in HIPAA. Because business associates are now subject to audits, investigations, and enforcement (including penalties of up to $1.5 million per violation), it is important to assess whether your business could qualify as a business associate and to plan accordingly.
This Update outlines the expanded definition of business associate and is meant to assist you in determining whether your business qualifies. For more detailed information regarding other important revisions to HIPAA, please see von Briesen's Health Law Update on the full scope of the changes available here.
In short, if you provide services or perform functions on behalf of a health care provider or plan and, in doing so, deal with information about patients or plan members, you likely qualify as a business associate. A "business associate" performs functions or activities on behalf of, or certain activities for, a health care provider or health plan that involve the use or disclosure of protected health information (also known as "PHI") such as a person's name and their status as a patient.
The recent changes specify that the definition of business associate includes persons or entities that create, receive, maintain, or transmit protected health information on behalf of a provider or plan. The following functions, if they involve protected health information, would qualify an entity as a business associate:
- claims processing or administration;
- data analysis, processing, or administration;
- utilization review;
- quality assurance;
- patient safety activities;
- billing;
- benefit management;
- practice management; and
- repricing.
Those who provide any of the following services to or for a health provider or health plan, where the service involves the disclosure of protected health information from the provider or the plan, are business associates:
- legal;
- actuarial;
- accounting;
- consulting;
- data aggregation;
- physical or electronic data storage;
- management;
- administrative;
- accreditation; and
- financial services.
Under the recent rule changes, a business associate's subcontractors are now directly liable for complying with the privacy and security obligations in HIPAA. This means that not only is a company with a direct relationship to a HIPAA-covered entity a business associate, but any company contracted to support that work is also subject to regulation as a business associate if it has access to protected health information.
In addition to expanding the types of businesses that may qualify as business associates, the new rules also expand penalties for violations. Previously, business associate liability was generally limited to contractual breaches. Now, business associates and subcontractors are liable under civil and criminal penalties for any impermissible use and disclosure of protected health information. This means that business associates and subcontractors must comply with HIPAA's technical, administrative, physical safeguard, and disclosure requirements—even if there is no contractual agreement in place with the health provider or plan or between the business associate and its subcontractor.
Business associates are now required to implement written agreements with all subcontractors who have access to protected health information, even if the subcontractors do not access or view the information. It is important to note that business associates are liable for the acts or omissions of subcontractors acting within the scope of the agency relationship.
The rule changes will be effective on March 26, 2013, and business associates must comply with a majority of the provisions by September 23, 2013. By that time, business associates and subcontractors should develop work plans for coming into compliance, including a review of their operations, IT systems, HIPAA policies, training procedures, and vendor assessment practices. Business associates should update and implement agreements with health care providers and subcontractors consistent with the recent changes to HIPAA.
HIPAA is technical and complex. If you suspect you may be a business associate or a subcontractor, it is important that you contact an attorney about your obligations under the recent rule changes.