The Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, 78 Fed. Reg. 5566 (Jan. 25, 2013), make some changes to the Security Rule.
The Final Rule does not substantively alter the Security Rule, but it does extend the requirements of the Security Rule to business associates, and in so doing, requires changes to business associate agreements. For example:
- The business associate agreement must require the business associate to comply with the Security Rule; and
- The business associate agreement must require the business associate to enter into Security Rule-compliant business associate agreements with its subcontractors.
These are mainly technical changes, although HHS offers some important commentary (quoted below).
Section 164.308(b)
- There is a technical change to § 164.308(a)(3)(ii)(C) regarding security termination procedures for workforce members, to add the words “or other arrangement with” after “employment of” in recognition of the fact that not all workforce members are employees (e.g., some may be volunteers) of a covered entity or business associate.
- There are modifications to § 164.308(b) to conform to modifications proposed in the definition of “business associate” (i.e., an exception that was in (b)(2) is now in the definition of “business associate”).
- § 164.308(b)(1) and (2) are modified to clarify that covered entities are not required to obtain satisfactory assurances in the form of a contract or other arrangement with a business associate that is a subcontractor; rather, it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information.
- Another technical change: HHS removed the provision at § 164.308(b)(3), which provided that a covered entity that violates the satisfactory assurances it gave as a business associate of another covered entity is in noncompliance with the Security Rule’s business associate provisions. That provision is no longer needed, because a covered entity’s actions as a business associate of another covered entity are now directly regulated by the Security Rule’s provisions that apply to business associates.
Section 164.314
- The organizational requirements (Section 164.314) clearly apply to agreements between business associates and subcontractors.
- A business associate for purposes of the Security Rule is also always a business associate for purposes of the Privacy Rule.
- The requirements for a business associate (BA) agreement between a covered entity (CE) and a BA also apply to an agreement between a BA and a subcontractor:
For example, under these provisions, a business associate contract between a business associate and a business associate subcontractor would need to provide that the subcontractor report any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410, to the business associate. This would mean that if a breach of unsecured protected health information occurs at or by a second tier subcontractor, the subcontractor must notify the business associate subcontractor with which it contracts of the breach, which then must notify the business associate which contracts with the covered entity of the breach, which then must notify the covered entity of the breach. The covered entity then notifies the affected individuals, the Secretary, and, if applicable, the media, of the breach, unless it has delegated such responsibilities to a business associate.
- “Subcontractors are required to comply with the Security Rule to the same extent as business associates with a direct relationship with a covered entity.”
See our full series of articles:
HIPAA Omnibus Rule: Part 1 (Overview)
HIPAA Omnibus Rule: Part 2 (Business Associates & Subcontractors)
HIPAA Omnibus Rule: Part 3 (Enforcement & Penalties)
HIPAA Omnibus Rule: Part 4 (Security Rule Changes)
HIPAA Omnibus Rule: Part 5 (Privacy Rule Changes)
HIPAA Omnibus Rule: Part 6 (Business Associate Agreements)
HIPAA Omnibus Rule: Part 7 (Notice of Privacy Practices & Other Provisions)
The healthcare privacy and security requirements of HIPAA and HITECH can be daunting. Even small healthcare offices can be subject to federal and state privacy and confidentiality compliance rules. For healthcare legal and regulatory expertise, contact the HIPAA and HITECH legal team at the Cohen Healthcare Law Group.
Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.