At the end of January the Office for Civil Rights (OCR) of the Department of Health and Human Services published new regulations that dramatically extend the reach of federal health care privacy and security law to a vast array of companies that do business with the health care industry. These long-awaited final omnibus regulations (the "Final Rule") amend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Final Rule represents the most significant development in health care privacy and security law since the original HIPAA regulations were published a decade ago.
The Final Rule became effective on March 26, and compliance is generally required by September 23. HIPAA has previously regulated "covered entities," which include health plans, health care providers, and health care clearinghouses. The Final Rule extends certain HIPAA requirements to "business associates" of those covered entities, as well as to their subcontractors.
A business associate is any individual or organization acting on behalf of a HIPAA–covered entity that creates, receives, maintains, or transmits protected health information (PHI) in connection with a function or activity regulated by HIPAA. Business associates include a wide range of companies, such as billing services, management companies, document storage companies, health care information technology companies, outsourcing vendors, accountants, lawyers, and third-party claims administrators.
Significantly, the Final Rule amends the definition of "business associate" to include all downstream contractors of a business associate that create, receive, maintain, or transmit PHI on behalf of a covered entity. As a result, a business associate must enter into business associate agreements with subcontractors receiving PHI, and those subcontractors will be directly regulated by HIPAA in the same manner as the business associate. In short, a wide range of businesses, some of which are only tangentially related to the health care industry, will be required to comply with the new privacy and security obligations under the Final Rule.
Prior to the Final Rule, business associates were merely subject to the terms of legally mandated business associate agreements entered into with covered entities. But now such business associates are directly regulated under HIPAA. This means they are subject to newly enhanced criminal and civil sanctions for noncompliance.
These changes to HIPAA were first introduced in 2009 in the HITECH Act, which is part of the American Recovery and Reinvestment Act ("ARRA"). This might lead you to wonder what health care privacy has to do with our recent financial crisis. ARRA’s financial stimulus measures included new incentives for providers to adopt electronic health records (EHRs), which are intended to help control health care costs. Congress decided that if it was going to encourage providers and patients to have confidence in EHRs, they would also need to have greater confidence in the privacy and security measures of the companies providing those innovative products and services. Thus, we have these new business associate rules.
The Final Rule provides that a company that merely "maintains" protected health information without actually accessing the data may be a business associate. This modification is likely to cause many cloud service providers, for example, to be regulated.
The Final Rule requires a business associate to comply with the HIPAA security regulations (the "Security Rule") in the same manner as a covered entity, meaning that the business associate must:
- Perform a company-wide formal security risk assessment;
- Implement written policies and procedures that address Security Rule standards;
- Appoint a security officer; and
- Conduct security training for workforce members.
In commentary to the Final Rule, the OCR expresses the view that most business associates should already have in place security practices that either comply with the Security Rule or require only "modest improvements" to come into compliance. This statement appears disingenuous: Developing a Security Rule compliance program can, in fact, be quite a significant undertaking.
A business associate must comply with all aspects of the Security Rule, but is only subject to certain obligations under the HIPAA privacy regulations (the "Privacy Rule"). Most notably, business associates may be directly liable under the Privacy Rule for uses and disclosures of PHI in violation of the required terms of a business associate agreement or the Privacy Rule. (Under the prior regulatory approach, a business associate violating a business associate agreement was only subject to contractual remedies asserted by the covered entity for breach of contract.)
Under the Final Rule, a business associate must also comply with HIPAA’s "minimum necessary" standard, meaning that when business associates use, disclose, or request PHI from a covered entity, they must limit PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is vague and difficult to apply, but business associates must make efforts to address its requirements.
Although it is not required by the Final Rule, it is often advisable for a business associate to implement privacy policies and procedures to ensure that its workforce is handling PHI in accordance with the privacy obligations contained in business associate agreements. For example, if a business associate experiences a security breach involving PHI but does not notify the covered entity of the incident within the mandated time frame under the HIPAA breach notification regulations (the "Breach Notification Rule"), the business associate has violated HIPAA.
The Final Rule also requires that several new provisions be added to business associate agreements to reflect the new obligations. Because business associate agreements are commonplace in the health care industry, with large organizations entering into hundreds or thousands of the contracts, implementing these amendments is not a simple task. Fortunately, the Final Rule creates a transition period for amending business associate agreements: A business associate agreement that is compliant with pre–Final Rule HIPAA requirements need not be amended if it is not renewed or modified by September 23, 2014. But new business associate agreements entered into after January 25, 2013, must contain the newly required provisions by September 23 of this year.
Business associates should also consider developing a security breach response plan that tracks the requirements of the Breach Notification Rule and applicable state security breach notification laws. A formal breach response plan provides a road map for quickly assessing and responding to a breach, mitigating potential damage, and managing any public response. The Final Rule amends the definition of "breach" to include an express presumption that an impermissible use or disclosure of PHI is considered a breach unless the covered entity or business associate is able to demonstrate that there is a "low probability" that the PHI has been compromised. Business associates must apply this standard by conducting and documenting a risk assessment of a security breach event.
Business associates that violate new legal obligations under the Final Rule will be subject to HIPAA’s newly increased penalty amounts. The Final Rule amends the penalty amounts under HIPAA to provide for a tiered system with four categories of violations reflecting increasing levels of culpability. The fourth and highest tier ("Tier 4") applies to a violation that is due to willful neglect that is not corrected within 30 days of discovery. The penalty for violating Tier 4 is at least $50,000 per violation, not to exceed $1.5 million for all violations of an identical provision per calendar year. However, that $1.5 million cap is not an absolute limit because the OCR has discretion to find violations of multiple provisions of HIPAA in a particular incident, thus multiplying the cap amount.
The Final Rule also modifies various aspects of the Privacy and Security Rules applicable to covered entities, such as (i) sales of PHI; (ii) marketing communications to patients subsidized by third parties; (iii) authorizations obtained from patients to participate in clinical research; (iv) covered entity notices of privacy practices; and (v) fund-raising by covered entities. However, the Final Rule’s expansion of HIPAA regulations to cover business associates and their subcontractors is likely to have the most far-reaching impact.
In short, if your company provides services, directly or indirectly, to the health care industry and has been asked to sign business associate agreements in the past, then that should serve as a warning sign that you may be subject to the Final Rule’s new privacy and security obligations and will need to be ready for the fast-approaching September 23 compliance date.
Reece Hirsch is a partner in the San Francisco office of Morgan, Lewis & Bockius. He specializes in health care, privacy, and security law.