Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

HITECH Update # 7: New HIPAA Requirements for Business Associates and Their Subcontractors

Posted in Health Privacy

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule includes a number of changes that will significantly affect business associates.  Business associates are now directly subject to various aspects of the HIPAA Privacy, Security, and Breach Notification Rules.  Furthermore, liability now extends much further down the chain, as the new rule also applies these requirements to subcontractors of business associates.

We discuss these and other changes affecting business associates, and their subcontractors, below.

Definition of “Business Associate.”  The final rule revises the definition of “business associate” to include an entity that “creates, receives, maintains, or transmits” protected health information (PHI).  This includes claims processing or administration, data analysis processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.  HHS explained that this new definition will include entities that maintain or store PHI, even if they do not actually view the PHI.  As a result, organizations such as Health Information Exchange Operations, E-prescribing Gateways, Personal Health Record (PHR) vendors, and others that provide data transmission services involving PHI will now be considered business associates.

Direct Liability under the Security Rule.  The final rule alters the regulations to expressly subject business associates to the administrative, physical, and technical safeguard requirements of the Security Rule.  HHS commented that, because business associates previously had to agree in their business associate agreements with covered entities to appropriately protect and safeguard PHI, business associates and subcontractors “should already have in place” security practices that are compliant with the rule or need only “modest improvements.”  HHS recognized, however, that many business associates will not have engaged in the “formal administrative safeguards” required by the rule.

Direct Liability under the Privacy Rule.  The final regulations modify the Privacy Rule to extend direct liability for disclosures of PHI by business associates.  However, the rule does not subject business associates to liability for all aspects of the Privacy Rule.  Business associates are liable for:

  • uses or disclosures of PHI in a manner not in accord with the business associate agreement or the Privacy Rule;
  • failure to disclose PHI when required by HHS for an investigation and/or determination of the business associate’s compliance with HIPAA;
  • failure to disclose PHI to the covered entity, an individual (to whom the information pertains), or the individual’s designee with respect to an individual’s request for an electronic copy of the information;
  • failure to make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum necessary amount; and
  • failure to enter into a business associate agreement with a subcontractor that creates or receives PHI on their behalf.

Thus, while covered entities may disclose or use PHI as permitted or required by the Privacy Rule, business associates may use or disclose PHI only as permitted or required by their business associate agreements or as required by law.  If a permitted disclosure is not specified in a business associate agreement or other similar contract, the disclosure is not permitted—even if it would otherwise be permissible by a covered entity.

As we explained in our previous post, business associates remain contractually obligated to comply with the requirements of the Privacy Rule in the same manner as the covered entity when taking on these responsibilities in a business associate agreement—even if they are not directly subject to these requirements under HIPAA.

Direct Liability under the Breach Notification Rule.  The HITECH Act requires a business associate to notify the covered entity when it discovers a breach of unsecured PHI.  The final rule implements this statutory requirement.  The rule requires the business associate to provide notice of the breach to the covered entity “without unreasonable delay and in no case later than 60 days” following discovery of a breach.

If the business associate is acting as an agent of the covered entity, then the business associate’s discovery will be imputed to the covered entity.  A covered entity is required to notify HHS of breaches within a certain allotted time measured by when its agent (the business associate) discovered the breach, not when the covered entity became aware.  HHS noted that it will use federal common law of agency to determine whether the business associate is acting as an agent.  Thus, covered entities should ensure that their business associate contracts adequately address how and when a business associate will notify the covered entity of a suspected breach.

Subcontractors.  One of the most significant changes in the rule is the extension of HIPAA requirements applicable to business associates to subcontractors.  Under the final rule, a subcontractor is an entity that “creates, receives, maintains, or transmits” PHI on behalf of a business associate.  HHS explained that downstream entities must be required to abide by the same requirements as business associates because, otherwise, business associates could avoid statutory liability.  As we described in our previous post, a subcontractor must enter into a business associate agreement with the primary business associate.

The final rule requires a business associate to obtain assurances from its subcontractors that they will appropriately safeguard PHI.  This provision “mirrors” the one requiring covered entities to obtain similar assurances from business associates.  Similarly, a business associate that is aware of noncompliance by its subcontractor must respond in the same manner as a covered entity that is aware of noncompliance by its business associate.

Minimum Necessary Standard.  The final rule requires that, when business associates use, disclose, or request PHI from another covered entity, they limit the PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request.  Failure to abide by the minimum necessary requirement is a violation of the Privacy Rule.  HHS noted that how business associates will apply this standard will “vary based on the circumstances,” and left it to the discretion of the parties to ensure that a business associate is acting in compliance with the covered entity’s minimum necessary policies and procedures.  HHS stated that, at a later date, it will issue further guidance on the specific application of the minimum necessary standard to business associates.

Implications.  Both covered entities and business associates must now be mindful of whether a business associate is also an agent of the covered entity, in order to ensure that Breach Notification Rule timelines are met.  Primary business associates and subcontractor business associates should be mindful of the potential for direct liability under the Privacy, Security and Breach Notification Rules and take steps to ensure compliance.  Special attention may be required in order to ensure compliance with formal administrative safeguards, such as performing a risk assessment, establishing a risk management program, designating a security official, establishing written policies and procedures, conducting employee training, and documenting compliance.