HIPAA Omnibus Final Rule Has Important Changes For Business Associates And Covered Entities

On January 25, 2013, the Office for Civil Rights, Department of Health and Human Services (HHS) published its long-awaited Omnibus Final Rule (Final Rule) implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted by Congress in 2009. HITECH significantly modified requirements under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Not surprisingly, the Final Rule contains many important changes for "covered entities," such as health care providers, health plans, and health care clearinghouses, which had already been subject to HIPAA's requirements. However, the Final Rule also addresses significant new obligations for certain entities that do business with covered entities - so-called "business associates" - and their subcontractors. We address some of the most notable new requirements for business associates, subcontractors and covered entities below.

Definition of "Business Associate"

The Final Rule revises the definition of "business associate." Under the Final Rule, a "business associate" is generally a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity. Health information that is created or received by a covered entity, identifies an individual, and relates to that individual's physical or mental health condition, treatment, or payment for health care is considered PHI when it is transmitted by or maintained in any form of medium, including electronic media. Notably, the new definition clarifies that "business associates" include entities that "maintain" PHI for a covered entity, such as a data storage company.

The Final Rule also clarifies the definition of a "business associate" by expressly including health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require "routine access" to PHI. Additionally, as further explained below, the new definition of "business associate" provides that certain subcontractors of business associates are also "business associates." Due to the significance of the new rules and the imposition of direct liability on business associates under HIPAA (see below), entities that are unsure of whether they qualify as a business associate should clarify with legal counsel.

Requirements for Business Associates

The Final Rule implements provisions in HITECH that significantly expand the accountability of business associates under HIPAA. Under current HIPAA regulations (those in place prior to the effective date of the new rules), covered entities must enter into contracts with their business associates (business associate agreements) which require, among other responsibilities, the business associate to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI. Additionally, under current regulations, business associate agreements must require a business associate to use appropriate safeguards to prevent the use or disclosure of PHI. With the passage of HITECH and the publication of the Final Rule, parts of the HIPAA Security Rule (i.e., HIPAA's regulations relating to security standards for electronic PHI) and Privacy Rule (i.e., HIPAA's regulations relating to the privacy of PHI) will apply directly to business associates, making them potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations, rather than just a breach of contract.

1. The Final Rule applies the Security Rule directly to Business Associates

The Final Rule implements HITECH's requirements for business associates to directly comply with parts of the Security Rule. For example, under the Final Rule, the Security Rule requires business associates to ensure the confidentiality, integrity and availability of electronic PHI that the business associate creates, receives, maintains or transmits, and also to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI. The Final Rule also directly requires a business associate to adopt certain security measures to implement the standards and implementation specifications under the Security Rule, including specific administrative safeguards, physical safeguards and technical safeguards. Business associates must also conduct a risk analysis and assess the risks and vulnerabilities of electronic PHI. In summary, business...