Authored by Lisa English Hinkle
While Covered Entities, which are health care providers, health plans, and clearinghouses, have long been subject to HIPAA, the Department of Health and Human Services ("HHS") Final Rule implementing HITECH Act has created not just new responsibilities, but also new liabilities, for non-health care providers - so-called "business associates" ("BAs") - that provide services to covered health care entities.
Business Associate? But, I'm not in health care!
HIPAA is not just for health care providers. In January 2013, the long-awaited Final Rule implementing provisions of HITECH Act was published. The Final Rule contains significant new obligations and requirements for BAs and their subcontractors. Compliance with the Final Rule was required by September 23, 2013 (with some exceptions), but it is becoming increasingly evident that businesses outside the health care industry remain largely uninformed about their newest HIPAA-related responsibilities and have not undertaken efforts to comply.
Covered Entities routinely handle and transmit personal health information ("PHI") and share PHI with other businesses after a BA agreement is created. The BA agreement establishes the relationship and requires the BA to comply with HIPAA through the contract's terms and conditions. In 2009, as part of HITECH, Congress specifically defined "Business Associate" as "persons or entities that provide a service for or on behalf of a Covered Entity other than the provision of healthcare." The Final Rule revises the definition so that a BA is now a person or entity that creates, receives, maintains, or transmits PHI in fulfilling certain functions or activities for a Covered Entity. The Final Rule specifically includes in the BA definition health information organizations, e-prescribing gateways, and data transmission providers. In addition, a new category of BAs was added to the definition that specifically identifies lawyers, accountants and consultants, among others.
Further, the Final Rule provides that a BA's subcontractors that create, receive, maintain or transmit PHI on behalf of a BA qualify as a BA themselves. For example, if a BA hires another business to store or copy its documents, the hired entity will also be a BA if the documents contain PHI.
In short, HIPAA covers businesses that are not health care providers. The Final Rule makes clear that a person or entity becomes a BA by definition, not by the presence of a contract.
I'm a BA, What Should I Know?
Along with extending the definition of a BA, the Final Rule makes parts of the HIPAA Security Rule (i.e., HIPAA's regulations establishing security standards for electronic PHI) and Privacy Rule (i.e., HIPAA's regulations relating to the privacy of PHI) apply directly to BAs. Previously, BAs were only contractually liable for breaches of BA agreements with the Covered Entity; now, the BA is potentially liable for civil and criminal penalties for non-compliance with HIPAA regulations.
The Security Rule
Under the Security Rule, BAs must institute safeguards to protect the confidentiality, integrity, and availability of electronic PHI. Pursuant to those requirements, BAs must adopt certain security measures, including specific administrative, physical, and technical safeguards. HIPAA-compliant policies and procedures must be written and implemented. A PHI risk analysis must be conducted and documented.
The Security Rule recognizes that BAs vary greatly in size and resources. There is not a one-size-fits-all plan to implement under the Security Rule, but rather safeguards, policies, and procedures can be tailored to address the size, complexity, and capabilities of businesses.
The Privacy Rule
If a BA has previously entered into a BA agreement with a Covered Entity, the BA must continue to limit uses or disclosures of PHI to the terms and conditions specified in the agreement. In addition, BAs must now:
- Implement the administrative, technical, and physical safeguards required by the Security Rule and maintain all required documentation;
- Comply with the BA agreement and disclose PHI only as permitted;
- Make reasonable efforts to limit disclosure of PHI to the minimum necessary standard;
- Maintain an accounting of all disclosures;
- Execute a BA agreement with any subcontractor that creates, receives, maintains or transmits PHI on the BA's behalf;
- Disclose PHI to the Covered Entity, the individual or the individual's designee as necessary to satisfy a Covered Entity's obligation to respond to an individual's request for PHI;
- Notify the Covered Entity of any unauthorized disclosure of PHI or breach;
- Take reasonable steps to cure any breach; and
- Provide PHI to HHS during investigations.
I'm a BA, What Should I Do?
The net effect of the Final Rule is that a Covered Entity must have a written agreement with its BAs that comports with the applicable provisions of HIPAA and HITECH, and BAs must have written agreements with their subcontractors. If existing agreements are already in place, those should be reviewed immediately to determine compliance; amendments and/or new agreements may be required. While the general compliance deadline was September 23, 2013, Covered Entities, BAs, and subcontractors can continue to operate under existing compliant BA contracts until September 23, 2014, at which time current BA agreements must be amended for compliance.
It is extremely important that BA agreements be tailored to the specific needs of Covered Entities and BAs (or BAs and subcontractors). Sample agreements with boilerplate language lack the detail and specificity that most parties find necessary. For example, many Covered Entities prefer to include notification procedures in the event of a breach. BA agreements may also include indemnification provisions that may mitigate the costs of addressing a breach as well as indemnify against civil monetary penalties issued by the HHS Office for Civil Rights ("OCR"). As with any contract, terms should be negotiated, discussed thoroughly, and documented.
BA Penalties? What are the risks of not complying?
HITECH and the Final Rule create independent BA liability. Civil monetary penalties can be issued for breaches of the rules even when an unauthorized disclosure has not occurred. Violations can result in up to a $50,000 fine per incident. Certain types of breaches carry criminal penalties. With mobile devices, email, thumb drives, text messaging, cloud computing and the many social media venues, BAs must have robust compliance plans in place to mitigate and avoid potential penalties.
Lisa English Hinkle is a Member of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Hinkle concentrates her practice area in health care law and is located in the firm's Lexington office. She can be reached at firstname.lastname@example.org or at (859) 231-8780.
This article is intended as a summary of federal and state law and does not constitute legal advice.
HIPAA: Health Insurance Portability and Accountability Act
HITECH: Health Information Technology for Economic and Clinical Health