By Dean P. Nicastro, Esq.
The new HIPAA regulatory amendments make business associates directly liable for various requirements in the HIPAA Privacy and Security Rules. In particular, the amendment to the general applicability provision at 45 C.F.R. §160.102(b) states: “Where provided, the standards, requirements, and implementation specifications [of HIPAA privacy and security] apply to a business associate.” Similar language has been added for both the Security Rule and the Privacy Rule (including particularly with respect to the protected health information (PHI) of a covered entity) at 45 C.F.R. §164.104(b) and 45 C.F.R. §164.500(c). In effect, this means that business associates must implement administrative, physical and technical safeguards, and implement and document reasonable and appropriate policies and procedures, to protect PHI and electronic PHI under both the Security Rule and the Privacy Rule.
The amendments go on to expand the definition of a “business associate.” The term now includes Health Information Organizations, E-prescribing Gateways, personal health record providers, and, most significantly, subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of the latter. A definition of “subcontractor” has also been inserted: “a person to whom a business associate delegates a function, activity or service.” HIPAA obligations thus now reach downstream entities that access or handle PHI of the main covered entity.
Additionally, the amendments add business associates to the HIPAA Enforcement Rule, in order to implement the imposition of liability for civil money penalties (CMPs) upon business associates for various HIPAA violations.
The new rules for business associate compliance become effective on March 26, 2013, and must be complied with by September 23, 2013. Existing business associate agreements that were compliant with pre-existing regulations are deemed compliant with the new rules until the earlier of September 22, 2014 or the date the agreement is renewed or modified on/after September 23, 2013.
HIPAA Enforcement Rule.
The HIPAA regulatory amendments also strengthen HIPAA enforcement:
- Private Complaints - HHS will investigate complaints about non-compliance filed by private persons when a preliminary review of the facts indicates a possible violation due to willful neglect
- Compliance Reviews - HHS will conduct a compliance review when a preliminary review of the facts indicates a possible violation due to willful neglect
  - resolution of such investigations or compliance reviews can result in the imposition of CMPs or a determination of no violation
- HHS may, for criminal or civil law enforcement activities, share PHI obtained in an investigation or compliance review with other legally-permitted governmental agencies (including state attorneys general)
- Covered entities are liable for violations by their business associates, and vice versa
  - governed by the federal common law of agency
- Increased tiered CMP penalty structure for violations, which takes into account whether the covered entity or business associate would have known of the violation, whether the violation was due to willful neglect or reasonable cause, and whether it was corrected within 30 days
- HHS will determine CMP amounts, considering mitigating or aggravating factors:
  - nature and extent of the violation (number of affected individuals, time period)
  - nature and extent of the harm (physical, financial, reputational, patient’s ability to obtain health care)
  - prior compliance/violations
  - financial condition
  - other matters as justice may require
Now that these final rules have been issued, covered entities and their business associates should move forward to review and update their business associate agreement templates and compliance policies accordingly.
Please contact the health law attorneys at Pierce & Mandell for additional information on this subject.