On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “Final Rule” modifying the regulations under the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule, which took effect on March 26, 2013, modified the standards previously set forth in the Privacy Rule, the Security Rule and the Enforcement Standards, and implemented statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act by modifying the interim Breach Notification Rule. This article examines the Final Rule’s impact on business associates, such as certain third party administrators, consultants and accountants, and offers practical steps for compliance with the Final Rule by the Sept. 23, 2013, deadline.
The financial and operational impact on business associates will be significant because the Final Rule allows, for the first time, HHS Office for Civil Rights (OCR) to regulate business associates. OCR may now directly impose civil monetary penalties (CMPs) on business associates for non-compliance with HIPAA and its underlying regulations. CMPs can range from $100 to $50,000 per violation, with a cap of $1.5 million per year for multiple violations of identical HIPAA provisions in a calendar year. In addition, the business associate and certain employees, such as directors, employees or officers, may be subject to criminal penalties, including financial penalties and imprisonment. The Final Rule also expands the definition of “business associate” to capture additional individuals and entities that have access to protected health information (PHI). Unlike traditional covered entities, these new business associates are often smaller operations without an existing HIPAA-compliant infrastructure.
With such a short timeframe for compliance before the Final Rule goes into effect, each individual or entity whose functions or activities involve creating, receiving, maintaining or transmitting PHI must determine whether it is now a business associate under HIPAA. It is each organization’s responsibility to evaluate its access to PHI and the services it performs in order to determine whether it is a business associate in any of its relationships with covered entities or other business associates.
The following are practical steps for compliance, both for new business associates captured by the expanded definition in the Final Rule, and for business associates seeking to ensure that their infrastructure— including their operational practices, policies and procedures, and business associate agreements— is HIPAA-compliant.
- Business associates should ensure that their operational practices are HIPAA-compliant. Business associates should ensure they have complied with all applicable operational HIPAA requirements, such as appointing a security officer responsible for developing and implementing policies and procedures required under the Security Rule. In addition, business associates should review their technical systems to ensure that they can support the changes required for HIPAA compliance.
- Business associates should revise their practices, policies and procedures regarding the investigation and notification of breaches of PHI. At a minimum, business associates must revise their investigation and notification practices, as well as their breach notification policies and procedures, to reflect the revised data breach standard implemented under the Final Rule. In addition, business associates should consider how they will train their workforce on the new breach notification requirements.
- Business associates should revise their policies and procedures. Importantly, business associates should conduct a (or update its) HIPAA security risk analysis, in accordance with 45 C.F.R. 164.308(a)(1) of the Security Rule, to assess and address any identified gaps in their policies and procedures, as well as in their operational practices and controls.
- Business associates should revise their current business associate agreements to reflect the changes imposed by the Final Rule. The HHS OCR website has a helpful tool containing sample business associate agreement provisions. Business associates should also revise their business agreements with subcontractors to require subcontractors to agree to the same restrictions and conditions that apply to the business associate with respect to PHI created, maintained or transmitted. Business associates should also consider whether to include provisions in subcontractor agreements that would provide additional protection. For example, business associates may require subcontractors to maintain insurance or indemnify the business associate for damages.
Implementing the required provisions under the Final Rule may present both operational and fiscal challenges for business associates, particularly for those currently without existing HIPAA policies and procedures, refined business associate agreements, and an internal computerized system that meets the requirements of the Security Rule.