HITECH Update # 6: New Requirements for Business Associate Agreements
This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.
The final rule addresses several changes to business associate agreements as a result of the new obligations imposed upon business associates by HITECH.
New Obligations on Business Associates. A revised section 164.504(e) expands the list of specific requirements for business associate agreements to require that business associates:
- comply with the Security Rule with regard to electronic PHI;
- report breaches of unsecured PHI to covered entities;
- comply with the requirements of the Privacy Rule applicable to covered entities when carrying out their obligations; and
- ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate.
In the event that the covered entity is aware that actions of the business associate constitute a material breach or violation of the business associate agreement, the revised rule removes the requirement that covered entities report to the Secretary when termination of a business associate agreement is not feasible. HHS explained that it viewed the reporting requirement as unnecessary because business associates now have direct liability for failure to abide by certain HIPAA provisions and have their own independent obligation to report breaches to the Secretary.
Subcontractors. The final rule allows a business associate to disclose protected health information (PHI) to a business associate that is a subcontractor, as long as the business associate enters into an appropriate business associate agreement with its subcontractor. The covered entity is not required to enter into an agreement with a subcontractor; rather, the responsibility is on the business associate. The business associate is therefore contractually liable to the covered entity for any business associate operations that it outsources to a contractor. A subcontractor that enters into a business associate agreement with the primary business associate will be directly liable under HIPAA.
Furthermore, the final rule clarifies that a subcontractor may not use PHI in any way that is not permitted by the business associate agreement between the primary business associate and the covered entity. HHS explained that each agreement in the “business associate chain must be as stringent or more stringent” than the agreements above it in the chain.
The final rule also adds a new obligation on business associates with regard to their subcontractors that “mirrors” the obligations covered entities have for business associates. If a primary business associate is aware that its subcontractor is out of compliance with its business associate agreement, the primary business associate is required to take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, then the primary business associate must terminate the arrangement, if feasible.
Obligations of Business Associates Under Agreements. Although the HITECH Act and the final HITECH omnibus rule impose direct liability on a business associate for failure to abide by certain HIPAA requirements, the business associate still retains contractual liability to the covered entity for failure to comply with the business associate agreement. The final rule adds a provision that clarifies that when a covered entity delegates its responsibility to a business associate to carry out certain responsibilities, the business associate is contractually obligated to comply with the requirements of the Privacy Rule in the same manner as the covered entity.
The example given in the preamble concerns a Notice of Privacy Practices (NPP). If a business associate agrees to distribute a health plan’s NPP, and fails to do so, then it is contractually liable to the health plan—even though the HITECH Act and the final rule do not make the business associate directly liable for failing to provide the notice. The covered entity retains ultimate responsibility for this function and therefore would be directly liable to HHS.
Timeline for Compliance. HHS has allowed additional time for covered entities and business associates to revise their agreements in accordance with the new requirements. For agreements in effect as of January 25, 2013, parties have until September 22, 2014, to modify their business associate agreements, unless the parties renew or modify their current contracts between March 26, 2013 (date the final rules take effect) and September 23, 2013 (deadline for compliance with other provisions of the final rule). In these circumstances, the business associate agreement must be in compliance with the new rules by September 23, 2013.
Conclusion. Covered entities should begin analyzing their business associate agreements and determine what amendments need to be made. Business associates should take steps immediately to ensure compliance with their new obligations, particularly those that are likely to be the most time-consuming, i.e., those obligations related to the security of electronic PHI, breach notification, and executing business associate agreements with subcontractors.