As a general rule of thumb for legal issues, being proactive tends to be much less expensive than being reactive. This general rule certainly applies to health care providers, their business associates and, now, business associate subcontractors with respect to changes required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Omnibus Final Rule (Final Rule), implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009, became law last week on March 26, 2013. The Final Rule significantly modifies HIPPA requirements for compliance and security measures intended to protect health information (PHI), especially business associate agreements. Health care covered entities and their business associates and subcontractors have six months to become compliant with the rule, or face large fines (up to $1.5 million). The deadline for compliance is September 23, 2013, and the clock is ticking. Quickly.
According to the U.S. Department of Health & Human Services (HHS), the Final Rule is intended to bolster privacy and security protections for PHI under HIPAA by greatly enhancing the government’s ability to enforce the law. Health care provider audits are expected to dramatically increase in the coming months and years. Assuming that an audit will not happen is a mistake for any health care provider. Fines for HIPAA violations can be considerable, up to $1.5 million.
Under the Final Rule, parts of the HIPAA “Security Rule” (security requirements for electronic PHI) and “Privacy Rule” (security requirements for privacy of PHI) will now apply directly to business associates so that business associates will be potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations, rather than just a breach of contract. Additionally, many subcontractors of business associates will now be covered. Liability for data breaches and other non-compliance can lie with the subcontractor, the business associate or the covered health care entity.
So, who is a “business associate”?
This is an important question because many changes under the Final Rule will profoundly impact not only covered entities and existing business associates, but other entities that now meet the definition of “business associate” and downstream business associate subcontractors whose services touch PHI. The Final Rule broadened the definition of “business associate” so that anyone who creates, receives, maintains, or transmits PHI might be deemed subject to HIPAA rules as a business associate. For example, the new definition includes companies or persons that “maintain” PHI, such as a data storage company or a company that provides data transmission services.
Legal counsel should be consulted to determine what business partners and vendors might be deemed “business associates” by HHS in the event of an audit. The reality is that many (probably most) business associates are currently not compliant with HIPAA and, if they consider the issue at all, may be in denial. HHS has decided it will deal with the issue more aggressively. Prudent health care providers must promptly inventory their business relationships to identify all business partners and vendors that meet the broadened definition of “business associate” under HIPAA rules and ascertain whether business associates are compliant with HIPAA’s risk assessment and other compliance protocol. This process should include evaluation of existing business associate agreements and, ultimately, health care providers should insist that every business associate demonstrate compliance.
Do your business associate agreements need to be updated?
Covered entities, business associates and subcontractors have until September 23, 2013 to execute business associate agreements compliant with the Final Rule. Under the Final Rule, business associate agreements must be updated to require that:
– the business associate comply with applicable requirements of the Security Rule.
– business associate ensure subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule.
– the business associate ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI.
– the business associate report breaches of unsecured PHI.
– the business associate carry out a covered health care entity’s obligation under the Privacy Rule (e.g., serving as the privacy official)
– the business associate comply with the requirements of the Privacy Rule that apply to the performance of such obligation.
It is estimated that up to 500,000 existing Business Associates will have to have new business associate agreements.
The Final Rule will impact other components of HIPAA as well. For example, breach notification triggers have changed. Through September 23, 2013, unauthorized disclosure of PHI will not trigger HIPAA’s notification requirements in the event of a data breach unless the event creates “significant risk of financial, reputational or other harm.” Under the Final Rule, however, any unauthorized disclosure of PHI is presumed to be a security breach. All health care providers and other covered entities should become (or ensure they are) compliant with HIPAA by obtaining a proper security risk assessment from a qualified vendor, consultant, or attorney, which should include employee training and management and appropriate analysis of information systems to protect PHI. Our law firm works with top tier vendors and consultants to help health care providers and business associates comply with the law of the land.
Kevin Little is a Georgia and South Carolina business lawyer focused on protecting the financial interests of health care providers and other health care businesses. If you have questions regarding business associate agreements or other HIPAA compliance and security matters, contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta) or firstname.lastname@example.org.
Source: HHS Press Release.
*Disclaimer: Thoughts shared here do not constitute legal advice.