Even though health care providers and physicians have been required to have Business Associate Agreements (“BAAs”) since the enactment of the HIPAA, the Department of Health and Human Services (“HHS”) Final Rule, which implements the HITECH Act, changes the business associate (“BA”) relationship. New requirements for these agreements have been issued, which means that all existing BA agreements must be reviewed for compliance. The Final Rule has created not just new responsibilities, but also new liabilities for BAs that provide services to covered health care entities. Importantly, this new liability for BAs means that physicians and covered entities have opportunities to shift the risks of breach to the BA in these agreements or at a minimum to seek indemnification for the costs of mitigating a breach, caused by a BA.
In June, the HHS Office of Civil Rights (“OCR”) released its Annual Report to Congress on Breaches of Unsecured Protected Information (“Breach Report”). The Breach Report shows that although business associates were the culpable party for 118 out of the 458 breaches (or 26 percent) covered during the Breach Reports 2011–2012 reporting period, the individuals affected by the business associates’ acts numbered over 8.7 million individuals or 59.3 percent of the total number of individuals affected by breaches reported in 2011 and 2012. Prior to the Final Rule, the health care provider, rather than the business associate, was the party that was fined and carried the expense of mitigation. While physicians and covered entities still carry the burden of notification, business associates may also be investigated and penalized for breaches. Based on statistics like these, it is more important than ever that physicians know who their business associates are, have the appropriate agreements in place, and know how those businesses will address breaches when they occur.
Expanded Definition of Business Associates
In 2009, as part of HITECH, Congress defined a BA as “persons or entities that provide a service for or on behalf of a covered entity other than the provision of healthcare.” The Final Rule, however, revises the definition so that a BA is now a person or entity that creates, receives, maintains, or transmits PHI in fulfilling certain functions or activities for a covered entity. The Final Rule specifically includes health information organizations, e-prescribing gateways, data transmission providers as well as those that have “routine access” to PHI as BAs. In addition, a new category of BAs was added to the definition that specifically identifies lawyers, accountants, and consultants, among others.
The Final Rule also provides that a BA’s subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA qualify as a BA themselves. In other words, these downstream contactors must comply with the same applicable HIPAA provisions as BAs and provide assurance that they, too, will protect PHI by executing a BAA with their BAs. Data transmission providers, collection services, experts, consultants, auditors, accountants, lawyers, and even data storage or document shredding companies are now considered BAs if they use or have access to PHI. The Final Rule clarifies that a person or entity becomes a BA by definition, not by the presence of a contract.
Business Associates’ Increased Liability
Along with extending the definition of a BA, the Final Rule makes parts of the HIPAA Security Rule and Privacy Rule apply directly to BAs. Previously, BAs were only contractually liable for breaches involving violations of their BA agreements with the covered entity; now, the BA is potentially liable for civil and criminal penalties for any non-compliance with HIPAA regulations. Under the Final Rule, BAs are directly liable for:
Implementing the administrative, technical, and physical safeguards required by the HIPAA Security Rule and maintaining all required documentation;
Complying with the BA agreement and disclosing PHI only as permitted;
Making reasonable efforts to limit disclosure of PHI to the minimum necessary standard;
Maintaining an accounting of all disclosures;
Executing a BA agreement with any subcontractor that creates, receives, maintains, or transmits PHI on the BA’s behalf;
Disclosing PHI to the covered entity, individual, or individual’s designee as necessary to satisfy a covered entity’s obligations to respond to an individual’s request PHI;
Notifying the Covered Entity of any unauthorized disclosure of PHI or breach;
Taking reasonable steps to cure any breach including a breach of a subcontractor; and
Providing PHI to HHS to demonstrate compliance during investigations.
Reviewing and Revising Agreements
It is becoming increasingly evident that businesses outside the health care industry remain largely uninformed about new HIPAA-related responsibilities and have not undertaken efforts to comply. Some companies not only lack the knowledge about these obligations, but also the operational capabilities and financial resources to implement compliant policies and procedures. This means that having thorough business associate agreements is even more important so that a BA’s duties to have effective HIPAA and HITECH procedures in place and to maintain physical security of protected health information are fully set forth. A thorough business associate agreement is a contract and carries the potential for seeking damages for a breach caused by a business associate. The Final Rule expands the responsibilities of business associates, but also increases the need for strong business associate agreements that clarify those requirements setting forth the expectations of the covered entity.
The Final Rule does recognize that BAs vary greatly in size and resources and creates the ability to tailor compliance. As a result, complying with HIPAA may vary from one BA to another; there is not a one-size-fits-all plan for BAs to implement under the Security Rule. Safeguards, policies, and procedures can be tailored to address the size, complexity, and capabilities of business associates. Even so, the risks must be identified and addressed in a reasonable manner so that alternative solutions may be implemented. Despite its flexibility, certain aspects of the Final Rule are mandatory. For example, companies must be capable of tracking and accounting for PHI disclosures. Business associates must also be able to interpret the “minimum necessary” standard for every disclosure. Such ambiguous (and highly-technical) terms may be especially difficult to understand for businesses with limited understanding of HIPAA, making it even more important for physicians to take the time to ensure that a BA’s duties and responsibilities are comprehensively set forth in the contract. While the general compliance deadline with the Final Rule was September 23, 2013, covered entities, BAs, and subcontractors can continue to operate under existing BA contracts until September 23, 2014 when current BAAs must be amended for compliance.
Physicians should keep in mind that boilerplate BAAs are rarely, if ever, sufficient. Although standard BAAs may offer a useful starting point for defining the covered entity/BA relationship (or the business associate/subcontractor relationship, if the agreement is used for this purpose), they generally lack the detail and specificity that most parties find necessary to protect their rights. There are many terms that can be drafted into a BAA to specify parties’ rights and responsibilities beyond what is required by the Final Rule. For example, many covered entities prefer to include notification procedures in the event a breach is discovered. The HITECH Act requires business associates to notify covered entities of a breach of personal health information within 60 days of discovery. However, covered entities may want a much shorter notification period, such as 14 days, to protect relationships with patients and to allow for quicker remedial action. And, importantly, business associate agreements can also provide for the business associate’s indemnification of the health care provider for things like the cost of notification and penalties.
Being able to identify who are business associates under the expanded definitions is extremely important as not having an agreement is a violation of HIPAA and can subject a provider to fines. Physicians and all health care providers should review their vendor and service provider lists to identify all business associates and execute compliant agreements that not only cover required terms, but that also include terms that will protect them if a breach occurs and fines or penalties are assessed as a result of a BA’s actions/inactions. Given the high costs of mitigating the impact of breaches and increasingly high fines, strong agreements are important.
Lisa English Hinkle is a member of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Hinkle concentrates her practice area in health care law and is located in the firm’s Lexington office. She can be reached at firstname.lastname@example.org or at (859) 231-8780.
This article is intended as a summary of federal and state law and does not constitute legal advice.