New HIPAA Rules: Impact on Business Associates

As I read the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” recently released by the Department of Health and Human Services, I struggled to think how to summarize the 563 page PDF document into a meaningful summary for A-LIGN’s clients.  The title alone is a paragraph long.  A large part of the document is minutia that is not relevant for the everyday conversation on how to protect electronic protected health information (“ePHI”) but there are some key points and clarifications that are made which I believe should be understood by our clients.  As a provider of audit, compliance and security services primarily to companies defined as service organizations or service providers, I will focus on two key points that impact service organizations that handle ePHI, applicability and liability.  

When HIPAA first hit the compliance stage in 1996 the primary focus was on organizations defined as covered entities.  It was the responsibility of the covered entity to monitor the HIPAA compliance of organizations with which they shared ePHI.  Fast forward to the HITECH Act in 2009 and the rules for the business associates changed.  No longer did the Security Safeguards in HIPAA apply only to covered entities but now they were extended to business associates that had access to ePHI through the business relationship with the covered entity.  The business associate was responsible for implementing the Safeguards and could also be held liable for the financial penalties if there was a breach of unprotected ePHI.  The updated rule continues that theme of business associate responsibility and financial liability.

Subpart A—General Provisions, Section 160.102—Applicability aims to “make clear” that the provision of HIPAA applies to business associates.  The new rule goes on to define a business associate as “… a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information.”  I found it interesting that the definition of business associate was expanded to include persons who “creates, receives, maintains, or transmits” whether they view it or not.  This is particularly important for managed services providers, colocation facilities and data storage companies that do not view the data they store but still maintain ePHI on their premises or in their systems.  The Applicability section of the new rule reiterates much of the HITECH Act regarding business associates, but is meant to combat the notion in the marketplace that business associates are not responsible for implementing the appropriate Safeguards.

The new rule also clarified the use of subcontractors.  The rule extends the HIPAA Safeguards from the covered entity, to the business associate and on to organizations that provide services to the business associate.  It is clear that the Department of Health and Human Services didn’t want a loophole that would allow business associates to transfer responsibility for ePHI to a third party and thereby remove the HIPAA requirements.  If a person or an organization is involved in “the creation, receipt, maintenance, or transmission of protected health information” they are subject to HIPAA, period.

The new rule spends 30 pages defining the different penalties covered entities and business associates could be subject to for a breach of ePHI.  One of the criticisms of the original HIPAA rule in 1996 is that it didn’t have any teeth to enforce the requirements. That changed in 2009 with the HITECH Act that imposed penalties associated with breaches of ePHI. The new rule clarified the penalties for non-compliance that can be significant as evidenced by Table 2 from the new rule.

Categories of Violations and Respective Penalty Amounts Available
Violation Category –Section 1176(a)(1) Each Violation All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know $100 – $50,000 $1,500,000
(B) Reasonable Cause $1,000 – $50,000 $1,500,000
(C)(i) Willful Neglect-Corrected $10,000 – $50,000 $1,500,000
(C)(ii) Willful Neglect-Not Corrected $50,000 $1,500,000

The rule continues the business associate responsibility by stating that the safeguards from HIPAA and HITECH “apply to business associates in the same manner as these requirements apply to covered entities, and that business associates are civilly and criminally liable for violations of these provisions.” The HITECH Act’s provisions extend direct liability for compliance with the Security Rule to business associates.

So what is the impact of the new rule to business associates that have access to ePHI from a covered entity?  In my opinion the message is clear.  Business associates should ensure they have the proper controls in place to comply with HIPAA and HITECH.  I was talking with one of our clients in early 2010 after the HITECH Act came out and they asked if I really thought that meant that they needed to comply with HIPAA.  Based on the direction the Department of Health and Human Services is headed with this new rule, my answer today is the same it was then, absolutely YES!

The new rule is effective on March 26, 2013 with 180 days to implement the new requirements.  If you have any questions regarding the HIPAA and HITECH requirements for your organization contact Gene Geiger at [email protected] or 888-575-7450.