HIPAA For Business Associates
Greatly Increased Liability and Compliance Requirements
The HIPAA liabilities and responsibilities of a Business Associate (“BA”) have been increased substantially by the HIPAA Omnibus Rule that became effective on September 23, 2013.
The Expanded Definition Of A BA
A BA is now defined as a person or entity (not a member of a Covered Entity’s workforce) that performs services for a Covered Entity in which the BA creates, receives, maintains or transmits Protected Health Information (“PHI”).
Addition of the word “maintains” is significant and emphasized in guidance published by the U. S. Department of Health and Human Services (“HHS”) about the HIPAA Omnibus Rule. HHS states directly that a data storage company that maintains PHI on behalf of a Covered Entity and has access to the PHI (whether digital or hard copy) is a Business Associate – even if it does not view the information or only does so on a random or infrequent basis.
Narrow “Conduit” Exception to BA Definition
There is only a very narrow “conduit” exception for entities that only have transient possession of PHI for transmission purposes such as the U. S. Postal Service and UPS or their electronic equivalents, such as internet service providers (ISPs). HHS says that the transient nature of possession of PHI is significant – it does not mean “conduits” maintain PHI within the meaning of HIPAA in contrast to data storage providers whose business is to maintain PHI.
Business Associate Subcontractors
A Subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate is also a BA (to reduce confusion called a “Sub-BA” by Mr. Hales).
Business Associate Agreements
Under HIPAA a Covered Entity has been required to have a Business Associate contract or as it is commonly known, a Business Associate Agreement (“BAA”) with each of its BAs. BA HIPAA responsibility to protect PHI was based only on the BA’s contractual responsibilities with Covered Entity. HIPAA compliant BAAs in effect before January 25, 2013 may be used until September 23, 2014 if not revised earlier.
However, BA compliance with the Omnibus Rule becomes mandatory on September 23, 2013. Therefore it is in the best interest of Covered Entities to review and revise their BAAs to comply with HIPAA requirements in effect as of September 23, 2013 regardless of whether they have a BAA that is effective because it is “grandfathered” through September 23, 2014.
BAAs with Sub-BAs
A BA must have a BAA with each Sub-BA that creates, receives, maintains, or transmits PHI on behalf of the BA.
NOTE: A Covered Entity is only required to have a BAA with its BA – not with each of its BA’s Subcontractors. It is the responsibility of the BA to have BAAs with its Sub-BAs.
Due Diligence Regarding a BA or Sub-BA
Covered Entities dealing with BAs should perform a due diligence investigation of the BA’s HIPAA compliance before determining whether to continue using a BA or before engaging a BA. BAs dealing with Sub-BAs should perform the same type of due diligence investigation before determining whether to continue using a Sub-BA or before engaging a Sub-BA.
New Specifically Defined BAs
Specific types of entities added to the definition of a BA as of September 23, 2013 are:
- Patient Safety Organizations;
- A Health Information Organization (“HIO”), E-prescribing Gateway, or other person or entity that provides data transmission services with respect to PHI to a Covered Entity and that requires access on a routine basis to such PHI;
- A person or entity that offers a personal health record to one or more individuals on behalf of a Covered Entity.
BA’s Direct HIPAA Liability
BAs, including Sub-BAs, are subject to enforcement of HIPAA Privacy and Security law by HHS and by State Attorneys General. Previously BA HIPAA responsibilities and liabilities concerning PHI was based only on the BA’s contractual responsibilities with the Covered Entity. Under the Omnibus Rule, BAs are subject to the HIPAA Security and Enforcement Rules and parts of the HIPAA Privacy and Breach Notification Rules. Business Associates are liable for:
- impermissible uses and disclosures of PHI;
- failure to provide breach notification to a Covered Entity;
- failure to provide access to PHI to the individual or Covered Entity;
- failure to provide an accounting of disclosures;
- failure to disclose to HHS as required;
- failure to comply with the entire HIPAA Security Rule; and
- CMPs for HIPAA violations.
Specific HIPAA Privacy Rule Requirements that Apply to BAs
- A BA is not permitted to use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity including, expressly, the Minimum Necessary Standard.
- A BA may not use or disclose PHI except as permitted or required by the Privacy Rule or the Enforcement Rule.
- A BA may use or disclose PHI only as permitted or required by the BAA.
- A BA must provide an electronic copy of PHI to an individual or the Covered Entity as necessary to satisfy the Covered Entity’s obligations to comply with an individual’s request for an electronic copy of PHI.