HHS Adopts a Broad Interpretation of Entities that Qualify as Business Associates under HIPAA in the Omnibus Final Rule

January 24, 2013

This is the second in a series of articles regarding the HIPAA Omnibus Final Rule recently released by HHS.

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Final Rule contains a number of modifications and clarifications that are significant for entities that qualify as business associates of covered entities under HIPAA. In the Final Rule, HHS (i) clarifies that data storage providers that maintain PHI on behalf of covered entities or business associates on a long-term basis qualify as business associates under HIPAA; (ii) expands the definition of business associate to include subcontractors of business associates; and (iii) provides specific guidance regarding the dates by which covered entities and business associates must enter into HIPAA-compliant business associate agreements.

HHS’s decision to define a business associate in an expansive manner is significant because, pursuant to the HITECH Act, business associates are directly liable to the federal government for noncompliance with certain provisions of the Privacy Rule and with the Security Rule and are subject to the Breach Notification and Enforcement Rules (collectively, the “HIPAA Rules”). Prior to the HITECH Act, business associates were contractually liable to covered entities pursuant to an executed business associate agreement but did not have direct liability to the federal government under HIPAA and the accompanying regulations. The application of HIPAA to business associates through the HITECH Act and the broad definition of these entities adopted in the Final Rule impose compliance obligations, and the risk of substantial penalties for noncompliance, upon a wide swath of entities supporting the healthcare industry.

Clarifying the Definition of Business Associate

In what it described as a “clarification,” HHS modified one component of the definition of business associate. Specifically, HHS altered the definition to provide, in relevant part, that a business associate is an entity that,

on behalf of [a] covered entity or of an organized health care arrangement (as defined in [45 C.F.R. § 160.103]) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by [the] subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing. (45 C.F.R. § 160.103) (emphasis added).

In the discussion preceding the revised regulation, HHS states that “this change is intended to make the definition more consistent with language at [Section] 164.308(b) of the Security Rule and [Section] 164.502(e) of the Privacy Rule, as well as to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.” HHS also distinguishes between a mere conduit of PHI, such as the U.S. Postal Service, and an entity engaged in the long-term storage of PHI. According to HHS, the former transmits PHI and holds it on a transient basis, with no real opportunity to access PHI, and, thus, does not constitute a business associate. In contrast, a data storage provider that maintains PHI on behalf of a covered entity or business associate on a more permanent basis has the “opportunity to access” PHI and, thus, qualifies as a business associate under HIPAA. HHS does not distinguish between bulk storage providers of hard copy data, cloud storage providers, and other providers of electronic data storage services, suggesting that its analysis of who qualifies as a business associate applies in the same manner to each of these entities.

Liability of Subcontractors of Business Associates

In addition to reframing the definition of business associate, HHS provided a short list of the types of entities that, by definition, constitute business associates. Among these is a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” (45 C.F.R. § 160.103). Thus, subcontractors of a business associate who use or disclose PHI on behalf of the business associate are now directly subject to HIPAA. In the Final Rule, HHS noted that it included subcontractors in the definition of business associate “to avoid having privacy and security protections for PHI lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity.”

HHS clarifies that disclosures by a business associate to a third-party entity for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the PHI because such disclosures are made outside the entity’s role as a business associate. (However, such disclosure must otherwise be made in accordance with Section 164.504 of the Privacy Rule, including the requirement for assurances that the PHI will be appropriately safeguarded.)

In response to concerns from the public that the inclusion of subcontractors in the definition of business associate would require a covered entity to identify and enter into business associate agreements with all downstream contractors of each of its business associates, HHS modified the HIPAA Rules to provide that a covered entity is not required to directly contract with downstream subcontractors. (45 C.F.R. § 164.502(e)(1); 45 C.F.R. § 164.308(b)(1)). Instead, a business associate who discloses PHI to a subcontractor must enter into a business associate agreement with the subcontractor that provides assurances that the subcontractor will appropriately safeguard the information. (See 45 C.F.R. § 164.308(b)(2)).

Liability Attaches upon the Performance of a Business Associate Activity

The discussion preceding the Final Rule notes that the “final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.” Thus, an individual or entity that qualifies as a business associate under the HIPAA Rules is liable for compliance with HIPAA regardless of whether a business associate agreement is in effect.

Compliance Dates

The Final Rule requires that covered entities and business associates (and, if applicable, subcontractors) achieve compliance with the HIPAA Rules within 180 days of the effective date of any new or modified standards. (45 C.F.R. § 160.105). The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must be in compliance with the requirements by Sept. 23, 2013.

Notwithstanding this general compliance deadline, in the Final Rule, HHS provides a transition provision that allows a covered entity and a business associate (or a business associate and subcontractor) to continue operating under an existing business associate agreement for up to one year beyond the compliance date of the Final Rule, so long as certain requirements are satisfied. (45 C.F.R. § 164.532(d)). An existing business associate agreement may continue to operate beyond the compliance deadline if (i) the agreement is effective prior to Jan. 25, 2013, and it contains all the elements required by the regulations as of that date; and (ii) the agreement will not be modified or renewed from March 26, 2013 (the Final Rule effective date) until Sept. 23, 2013 (the Final Rule compliance date). (45 C.F.R. § 164.532(e)(1)). An existing business associate agreement that meets such specifications will be deemed compliant until the earlier of the date the agreement is modified or renewed on or after Sept. 23, 2013, or Sept. 22, 2014.