Drinker Biddle’s HIPAA Compliance Update for Employee Benefit Plans April 2013

Business Associate Provisions under HIPAA Omnibus Rule  

Introduction

The HIPAA Omnibus Rule, issued on January 25, 2013, expands the definition of business associate, and subjects business associates to direct liability for compliance failures.  These changes are effective March 26, 2013, and covered entities and business associates have until September 23, 2013 to become compliant.  However, existing business associate agreements may be eligible for a one year transition period before amendments are required.  Health plans, as covered entities, will need to take steps to ensure their business associate relationships and agreements are compliant with the Omnibus Rule.  In particular, health plans should consider whether any current vendors have become business associates in light of the expanded definition, thus requiring execution of a business associate agreement.  Likewise, health plans should review existing business associate agreements, which may need to be revised to comply with requirements of the Omnibus Rule.  Policies and procedures may also require revision. 

Health plan sponsors will want to review and revise, as necessary, the following to comply with the new rules described below:

Compliance Checklist:

• Business Associate Relationships and Agreements
• Policies and Procedures
• Security Assessment and Breach Notification Plan
• Risk Analysis — Security
• Plan Document and SPD
• Notice of Privacy Practices
• Individual Authorization for Use and Disclosure of PHI
• Workforce Training

Who is a Business Associate?

Before the Omnibus Rule, a business associate was defined as a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity other than as a member of the covered entity’s workforce, or a person or entity that provides a covered entity with legal, actuarial, accounting, consulting, or similar services.  The Omnibus Rule adds “maintains” to this definition to capture entities such as data storage companies.  Also added to the definition are entities such as health information organizations or e-prescribing gateways that provide data transmission services with respect to PHI to a covered entity, capturing organizations that access PHI on a routine basis. 

Further, the “conduit exception” still applies to exclude certain data transmission services from being considered business associates.  This exception is meant to exclude from liability entities providing mere courier services, such as the U.S. postal service, UPS, and their electronic counterparts.  A conduit may transport information but does not access it other than on a random or infrequent basis. 

In addition, the Omnibus Rule specifically adds “subcontractors” to the business associate definition.  Subcontractors are entities to which a business associate delegates a function, activity, or service, other than as a member of the business associate’s workforce.  There is no limit to the number of subcontractors that may be liable, as a subcontractor might delegate functions to other subcontractors, creating a chain of business associate entities.

A business associate does not include:

• A health care provider with respect to disclosures by a covered entity to the provider regarding an individual’s treatment;
   
• A plan sponsor with respect to disclosures by a group health plan to the plan sponsor (when the plan requirements are met);
   
• A government agency with respect to determining eligibility for a government plan; or
   
• A covered entity (such as a group health plan) participating in an organized health care arrangement (e.g., a group of group health plans of one employer, or a combination of a group health plan and a health insurance issuer or HMO with respect to such group health plan) that creates, receives, maintains, or transmits PHI for certain administrative functions for or on behalf of such organized health care arrangement.

Drinker Biddle Note: Whether Personal Health Record (PHR) vendors are business associates is a fact-specific determination.  A PHR Vendor is subject to HIPAA as a business associate when it offers PHRs to individuals on behalf of covered entities but not when it offers PHRs directly to individuals.  Such vendors are not business associates solely because they enter into a working agreement with a covered entity.  For example, if the agreement between the PHR vendor and covered entity specifies the electronic means in which a PHR vendor will receive PHI from the covered entity pursuant to individual authorization, the PHR vendor is not necessarily offering the PHR on behalf of the covered entity and may not be a business associate.  However, if the agreement requires the PHR vendor to provide and manage personal health record services that the covered entity provides to the covered entity’s patients or enrollees, and the PHR vendor receives access to PHI in order to provide such services, the PHR vendor is a business associate.

For what are Business Associates directly liable? 

Under the new Omnibus Rule, business associates are directly liable for impermissible uses and disclosures of PHI but not for all requirements of the HIPAA Privacy Rule.  Business associates may use or disclose PHI only as permitted or required by their business associate contracts or as required by law.  Generally, a business associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity.  Although business associate agreements (BAAs) are required between covered entities and business associates, liability attaches regardless of whether a contract between the two exists.  Specifically, business associates are directly liable for the following violations:

• Impermissible uses and disclosures of PHI
• Failure to provide breach notification to a covered entity
• Failure to provide access to a copy of electronic PHI to the entity specified in the BAA (i.e., either the covered entity, the individual or the individual’s designee)
• Failure to disclose PHI when required by the Secretary for investigation purposes or to determine the business associate’s compliance with the HIPAA rules
• Failure to enter into BAAs with subcontractors
• Failure to follow the minimum necessary rule
• Failure to comply with requirements of the Security Rule

Business associates are not liable to notify individuals in the event of a breach of unsecured PHI, as the covered entity remains ultimately liable for notification.  However, the covered entity may delegate this obligation to the business associate.

Business associates are directly liable for civil money penalties under the Enforcement Rule for violations of certain HIPAA provisions.  Further, if the business associate acts as an agent of the covered entity, discovery of the breach is imputed to the covered entity and, therefore, health plans may be liable for civil monetary penalties related to the business associate’s act or omission.  Agency is determined by the facts and circumstances of the relationship between the business associate and the covered entity, rather than the existence of a BAA. Direction and oversight from the covered entity suggest agency status.

Business Associate Agreements

Covered entities continue to be obligated to enter into BAAs with business associates, and business associates with subcontractors, to obtain satisfactory assurances the business associate or subcontractor will comply with privacy requirements.  A covered entity need not obtain satisfactory assurances directly from subcontractors.  A BAA between a business associate and a subcontractor may not permit the subcontractor to use or disclose PHI in a manner that would not be permissible if done by the business associate under its contract with the covered entity.

A BAA must include the following newly required statements: that the business associate will comply with the Security Rule with regard to electronic PHI, that the business associate will report breaches of unsecured PHI to covered entities, and that the business associate will ensure subcontractors that create or receive PHI on behalf of the business associate agree in writing to the same restrictions and conditions that apply to the business associate with respect to such information.  Additionally, business associate agreements must include a provision requiring that to the extent a business associate agrees to carry out covered entity obligations, the business associate must comply with the requirements of the Privacy Rule that apply to the covered entity.  All BAA requirements also apply to agreements between business associates and subcontractors.  Note the business associate remains directly liable for its obligations under HIPAA regardless of whether there is a BAA in place.
As noted, the Omnibus Rule adopts a transition rule to ease the burden on covered entities and business associates who will need to update their existing contracts for compliance with the new rules.  To qualify for the transition rule, existing contracts must have previously met the privacy rule requirements before publication of the Omnibus Rule, and been entered into prior to January 25, 2013 (the date of publication of the Omnibus Rule) and not renewed or modified between March 26, 2013 and September 23, 2013.  Such contracts will be deemed compliant until the earlier of (1) the date the contract or arrangement is renewed or modified after September 23, 2013, or (2) September 24, 2013.

Compliance and Enforcement

Covered entities are no longer required to notify the Secretary if termination of a BAA is not feasible following discovery of a pattern or practice by a business associate that violates HIPAA.  However, a covered entity remains liable for HIPAA compliance violations even when tasks are delegated to business associates.  A covered entity may consider including an indemnification clause in a BAA to protect itself.