The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects individually identifiable health information (protected health information, or PHI). New regulations, which became effective on March 26, 2013 but carry a delayed compliance date of September 23, 2013 (with some exceptions), significantly modified the HIPAA rules. It is important to understand these revised regulations because your clients, and perhaps even you, may now be subject to HIPAA.
Who is Affected?
Under HIPAA, “covered entities,” i.e., health plans, health care clearinghouses, and most health care providers, must comply with HIPAA to protect the privacy of PHI and implement safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (e-PHI). HIPAA allows covered entities to disclose PHI for enumerated purposes without patient authorization, including disclosures to “business associates.” Business associates are generally understood as entities that perform certain functions or activities on behalf of, or certain services for, a covered entity involving the use or disclosure of PHI. The modified rules expand the definition, responsibilities, and liability of business associates and their contractors. Whether an entity is newly a business associate or must re-evaluate its existing compliance efforts in light of this expanded exposure, it will likely incur significant compliance costs.
Expanding the Business Associate Reach
On March 26, 2013, many entities that may be unfamiliar with HIPAA became business associates. Under the modified rules, the term now includes persons that provide data transmission services with respect to PHI to a covered entity if they “require access on a routine basis” to such PHI. The regulations specifically include health information organizations (which oversee and govern the exchange of health-related information among organizations) and e-prescribing gateways as business associates, but the reach is even broader. Any entity that provides data transmission services that include PHI for a covered entity will be a business associate unless it can meet the narrow “mere conduit exception.” This exception, for entities that transport PHI but do not access the information other than on a random or infrequent basis, was intended to exclude only those entities providing “mere courier services” (e.g., the US Postal Service or United Parcel Service) and their electronic equivalents (e.g., internet service providers providing mere data transmission services or telecommunications companies).
Similarly, entities that “maintain” or store PHI for a covered entity are now business associates, even if the entities do not view the PHI or only do so randomly or infrequently, because of their “persistent,” as opposed to “transient,” opportunity to access PHI. As a result, all data and document storage companies maintaining PHI on behalf of covered entities and business associates (in hard copy or electronic) are themselves business associates.
Additionally, all subcontractors of business associates, i.e., those to whom a business associate has delegated a function, activity, or service that the business associate agreed to perform for a covered entity, are now business associates if such work involves the creation, receipt, maintenance, or transmission of PHI. Subcontractors of subcontractors are business associates as well. For example, a document destruction company that shreds documents containing PHI for a business associate is a subcontractor to the business associate and, therefore, a business associate itself. Additional changes make patient safety organizations and certain vendors of personal health records business associates.
As a result of these changes, more entities must comply with HIPAA both directly (through the rule’s new expanded liability provisions) and contractually (through what are known as business associate agreements, or BAAs). HIPAA requires covered entities to obtain satisfactory assurances, in the form of a contract or other arrangement (i.e., the BAA), that their direct business associates will appropriately safeguard the PHI at issue. These contracts must include a number of provisions required by the regulations. Direct business associates of covered entities must now obtain BAAs with their subcontractors, and so on down the chain for as long as PHI continues to flow to further entities.
In addition, all business associates, whether historically treated as such or newly so under the modified rules (including subcontractors), are now directly liable under certain HIPAA provisions, including for impermissible uses and disclosures of PHI under HIPAA’s Privacy Rule and for failing to comply with HIPAA’s Security Rule (which requires administrative, physical, and technical safeguards to protect e-PHI). They also must disclose PHI as the Secretary of Health and Human Services requires for investigations and compliance audits, must make reasonable efforts to limit uses or disclosures of, or requests for, PHI to the minimum necessary, and must notify covered entities of breaches of unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption or destruction). The government now can impose significant civil monetary penalties on business associates for violations. Anyone in the PHI chain can be liable, in accordance with the federal common law of agency, for violations based on the act or omission of any of their agents, including subcontractors, acting within the scope of their agency.
Peter Parvis, Thora Johnson, and Molly Ferraioli are attorneys at Venable who routinely counsel clients on HIPAA privacy matters.