The Final Rule holds business associates directly liable for violations previously only applicable to covered entities.
by Christina Anderson, Thomas Anthony, Chad Eckhardt, Charles Johnson
This is part four of our four-part series focusing on the HIPAA Final Rule’s impact on business associates and those doing business with business associates.
Like Proposed Rule, the Final Rule expands the definition of business associate to include subcontractors of business associates that use or disclose PHI on behalf of business associates. Thus, a subcontractor that takes on part of a business associate’s responsibilities involving the use or disclosure of PHI is subject to HIPAA provisions governing business associates now as well.
The regulations provide that it is the responsibility of the business associate, not the covered entity, to obtain assurances that a subcontractor will comply with the applicable HIPAA provisions.
Accordingly, a business associate that retains a subcontractor that is also considered a business associate under the Final Rule must enter into a business associate agreement with the subcontractor. The requirement to enter business associate agreements with subcontractors continues down the line so long as PHI is used or disclosed by the respective subcontractor. This extension is designed to prevent potential lapses in PHI protections where a subcontractor has no direct relationship with a covered entity.
Other entities falling into the Final Rule’s definition of business associate include patient safety organizations (PSOs), health information organizations, e-prescribing gateways, persons that facilitate data transmission on a routine basis and vendors of personal health records.
The Final Rule also clarifies that persons or entities that maintain PHI on behalf of covered entities are business associates, opposed to mere conduits, even where the PHI is not actually viewed or accessed by the entity. Like the inclusion of subcontractors within the definition of business associate, this definition change is significant as it extends liability and increases the need for parties to enter into business associate agreements.
Increased Business Associate Liability
As required by the HITECH Act, the Final Rule applies the Security Rule as well as the majority of the Privacy Rule to business associates in the same way the Rules apply to covered entities. As a result, many companies previously not regulated by HIPAA will come under the U.S. Department of Health and Human Services’ enforcement authority and face direct liability for uses and disclosures of PHI not in accord with their business associate agreements or the Privacy Rule.
Of course, these changes have many important implications for business associates. For example, business associates must make reasonable efforts to limit PHI to the minimum necessary when using, disclosing, or requesting PHI. Business associates must also provide an accounting of PHI disclosures, notify a covered entity of an unsecured breach of PHI, and enter agreements with subcontractors as required by the Rules. A business associate is directly liable for failing to take these steps.
Notably, a business associate is also directly liable for failing to disclose PHI when required by the Secretary to aid in the Secretary’s investigation of the business associate’s compliance with HIPAA Rules. Under the Final Rule, individuals may now file complaints to the Secretary alleging a business associate’s violation of HIPAA’s administrative simplification provisions. The business associate is required to cooperate with the Secretary in its investigation of such complaints.
Finally, a business associate must develop appropriate policies and procedures to satisfy a covered entity’s obligation to provide an individual with an electronic copy of his or her health information. A covered entity’s obligation to provide electronic PHI to individuals is a new requirement, which will likely require special consideration and careful planning when developing a business
associate agreement outlining each entity’s responsibilities.
Both covered entities and business associates should also note changes under the Privacy Rule concerning decedent health information. While there was previously no limit on the length of time decedent PHI needed to be protected, the Final Rule provides that decedent PHI must be protected for 50 years after the decedent’s death. However, under the Final Rule, covered entities may disclose PHI to individuals close to a decedent unless the covered entity knows this disclosure is against the decedent’s wishes.
Business Associate Agreements
Given the time and effort required to revise business associate agreements, the Final Rule provides a transition period for some entities with agreements already in place that were HIPAA compliant before issuance of the Final Rule.
Entities entering into and operating under such business associate agreements before January 25, 2013 are deemed to comply with the Final Rule for up to 12 months after the compliance date of the Final Rule, unless the agreement is modified or renewed between March 26, 2013 and September 23, 2013. This limited deemed compliance period ends the earlier of September 22, 2014 or the date the agreement is modified or renewed on or after September 23, 2013. Contracts not in effect before January 25, 2013, however,
must be amended to comply with the Final Rule by September 23, 2013.
In drafting business associate agreements, covered entities and business associates should also be aware that the Final Rule limits the defenses to entity was not vicariously liable for acts of its business associates that were agents of the covered entity if a valid business associate agreement was in place. Under the Final Rule, this exception is removed, and a parallel provision added that holds business associates liable for the acts of its agents, including workforce members and subcontractors, acting within the scope of the agency.
The Preamble of the Final Rule provides that business associates and covered entities may be held liable for the acts of their agents when delegating HIPAA obligations to another party or when preserving authority to provide interim instructions over certain tasks. Accordingly, careful consideration must be given to how covered entities and Business associates delegate HIPAA obligations in light of increased exposure to liability.
Enforcement Provisions
The Enforcement Provisions of the HITECH Act garnished much attention because they increased the civil penalties that may be imposed and made business associates directly liable for non-compliance. The following table shows the penalties imposed by the HITECH Act for HIPAA violations implemented in the Interim Final Rule and retained in the Final Rule.
The fines listed here are for violations of a single HIPAA provision, not an entire incident; however, the total penalty that may
be imposed under any one level may not exceed $1,500,000 during a calendar year.
Despite the increased penalties, the Final Rule mandates that the Secretary conduct a formal investigation of a complaint if the preliminary investigation indicates a possible violation due to willful neglect by a covered entity or business associate. Willful
neglect amounts to “a conscious, intentional failure or reckless indifference” to comply with a particular HIPAA provision.
Subject to Penalties
The provisions regarding enforcement were made effective under the HITECH Act on February 18, 2009. Although both the Interim Final Rule and the Final Rule allow for grace periods, grace periods do not apply to the Enforcement Provisions because no specifications or standards need to be implemented by the covered entity or business associate. Thus, covered entities and business associates are currently subject to the civil monetary penalty ranges retained by the Final Rule and outlined above for penalties occurring on or after February 18, 2009.
Given the increased penalties and the significant modifications to the business associate scheme, covered entities and business associates should carefully review,and develop as needed, their policies and practices in light of the Final Rule in order to ensure compliance.
Christina Anderson is an associate at Frost Brown Todd LLC in Columbus, Ohio. Thomas Anthony is a member at Frost Brown Todd LLC in Cincinnati, Ohio. Chad Eckhardt is an associate at Frost Brown Todd LCC in Cincinnati, Ohio. Charles Johnson is a member at Frost Brown Todd LLC in Charleston, W.V.
Latest posts by chelsea (see all)
- UK, Norton announce new partnership - May 27, 2014
- UofL Physicians to hold designer eyewear trunk show - May 27, 2014
- KentuckyOne Health appoints director of healthy lifestyle centers - May 27, 2014