HIPAA Omnibus Rule: Part 2 (Business Associates & Subcontractors)

Business Associates and subcontractors have expanded obligations under the Omnibus Rule. (That’s Health and Human Services Office for Civil Rights (OCR), Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013)).

To summarize, Business Associates (BA’s) are directly liable under HIPAA for:

  • Impermissible uses and disclosures;
  • Failure to provide breach notification to the covered entity;
  • Failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate contract);
  • Failure to disclose PHI where required by HHS to investigate or determine the business associate’s compliance with HIPAA;
  • Failure to provide an accounting of disclosures; and
  • Failure to comply with the applicable requirements of the security rule.

Covered entities can be liable for acts of business associates who are considered agents (see Part 3: Enforcement and Penalties), and CEs should review their business associate agreements in light of expanded liability wher ethe BA might be considered an agent.

Business Associate–Definition

The definition of Business Associate is:

Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

(3) Business associate includes:

(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.

(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include:

(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.

(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

Notably, HHS said this about what it means to have “access on a routine basis” to protected health information with respect to determining which types of data transmission services are business associates versus mere conduits:

…such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate….

Thus, organizations that store PHI, such as cloud vendors, are considered business associates even if they do not access PHI.

Business Associates—Security Rule Compliance

Note that HITECH already extended direct liability for compliance with the Security Rule to Business Associates. In the Final Rule, HHS comments:

Moreover, the requirements of the Security Rule were designed to be technology neutral and scalable to all different sizes of covered entities and business associates. Covered entities and business associates have the flexibility to choose security measures appropriate for their size, resources, and the nature of the security risks they face, enabling them to reasonably implement any given Security Rule standard. In deciding which security measures to use, a covered entity or business associate should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. Thus, the costs of implementing the Security Rule for large, mid-sized, or small business associates will be proportional to their size and resources.

HHS refers smaller business associates to HHS guidance on HIPAA Security Rule Compliance, so they can figure out such matters as conducting risk analyses and implementing other administrative safeguards.

Business Associates—Minimum Necessary (Section 164.502(a) and (b))

There are some additional modifications regarding the minimum necessary requirement:

  • As noted, section 13404 of the HITECH Act makes specific requirements of the Privacy Rule applicable to business associates, and creates direct liability for noncompliance by business associates with regard to those Privacy Rule requirements.
  • The Final Rule confirms the above by making technical modifications to the Privacy Rule.
  • The BA must abide by the “minimum necessary” rule in disclosing PHI. The BA Agreement should specify this.
  • Liability for impermissible uses and disclosures arises the moment a person “creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate,” whether or not a contract is in place.

Additional BA Liability

  • HHS clarifies:

In response to comments requesting clarification on with which HIPAA provisions a business associate is directly liable for compliance, we provide the following. Business associates are directly liable under the HIPAA Rules for impermissible uses and disclosures, [4] for a failure to provide breach notification to the covered entity, [5] for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement), [6] for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules, [7] for a failure to provide an accounting of disclosures, [8] and for a failure to comply with the requirements of the Security Rule. [9] Business associates remain contractually liable for other requirements of the business associate agreement (see below for a discussion of the business associate agreement provisions).

  • A BA can be liable for failure to provide access to a copy of electronic PHI.

Subcontractors

According to HHS, a subcontractor means: “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”

HHS says: “Thus, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.”

“Thus, under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far “down the chain” the information flows.”

***

See our full series of articles:

HIPAA Omnibus Rule: Part 1 (Overview)

HIPAA Omnibus Rule: Part 2 (Business Associates & Subcontractors)

HIPAA Omnibus Rule: Part 3 (Enforcement & Penalties)

HIPAA Omnibus Rule: Part 4 (Security Rule Changes)

HIPAA Omnibus Rule: Part 5 (Privacy Rule Changes)

HIPAA Omnibus Rule: Part 6 (Business Associate Agreements)

HIPAA Omnibus Rule: Part 7 (Notice of Privacy Practices & Other Provisions)

HIPAA Omnibus Rule: Part 8 (Breach Analysis)

The healthcare privacy and security requirements of HIPAA and HITECH can be daunting. Even small healthcare offices can be subject to federal and state privacy and confidentiality compliance rules. For healthcare legal and regulatory expertise, contact the HIPAA and HITECH legal team at the Cohen Healthcare Law Group.

ctav3-400
Michael H Cohen Healthcare & FDA Lawyers

Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.

Leave a Comment

Start typing and press Enter to search