Long-awaited omnibus regulations (Omnibus Rule) adopted earlier this year by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made significant modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (collectively, the HIPAA Rules) that affect “business associates.” Most notably, the Omnibus Rule greatly expands the scope of who is considered a business associate and imposes direct liability on business associates under the Enforcement Rule for violations of the HIPAA Rules. Covered entities and business associates must comply with the changes made by the Omnibus Rule by September 23, 2013.
Who Is a Business Associate?
Since inception, the HIPAA Rules defined a business associate as a person or entity creating, receiving or transmitting protected health information (PHI) on behalf of a covered entity. The Omnibus Rule expands that definition, beginning on September 23, 2013, to include entities that “maintain” PHI on behalf of covered entities, such as data storage farms, cloud servers and similar entities that store electronic PHI, even if they do not access or use the PHI.
In addition, the business associate definition now expressly includes (1) persons offering personal health records to one or more individuals on behalf of a covered entity and (2) health information organizations, e-prescribing gateways and other entities that (a) provide data transmission services for PHI to a covered entity and (b) require access on a routine basis to such PHI. The Omnibus Rule does not define what the phrase “access on a routine basis” means, but HHS has noted it will be construed on a case-specific basis and is intended to apply to any entity that requires access to perform services for a covered entity.
NOTE: In this context, the Omnibus Rule continues the “conduit exception,” which excludes from the business associate definition transmission services that are mere conduits, such as the U.S. Postal Service and Internet service providers (ISPs). This exception applies even if the ISP or other transmission service has “occasional, random access” to PHI when reviewing whether the data transmitted over its network is arriving at its intended destination. This exception, however, as indicated above, does not apply to entities that “maintain” PHI on behalf of a covered entity.
The Omnibus Rule also expressly includes in the definition of business associate any “subcontractors” who create, receive, maintain or transmit PHI on behalf of a business associate. This definition applies down the entire chain of subcontractors, all of whom will need to take steps to understand whether they are providing services on behalf of a business associate.
The Omnibus Rule also imposes direct civil liability under the Enforcement Rule for business associates. This means HHS now has regulatory authority to impose financial penalties on business associates that use or disclose PHI in an impermissible manner or otherwise violate certain provisions of the HIPAA Rules. The Enforcement Rule imposes a tiered structure for civil penalties based on the offender’s culpability, with civil penalties ranging from $100 per violation for offenders that were unaware they violated the provision to $50,000 for willful neglect that was not corrected.
Penalties may be increased for each violation of a requirement under the HIPAA Rules when multiple violations of the same requirement occur in the same year. Maximum penalties for multiple violations of the same requirement in a single year range from $25,000 for offenders that were unaware of their violation to $1,500,000 for willful neglect that was not corrected. Individuals who knowingly violate the HIPAA Rules also may be subject to criminal penalties.
The change in the business associate definition, particularly with the inclusion of subcontractors and entities that simply maintain PHI for covered entities, substantially expands coverage of the HIPAA Rules to entities not previously covered. It is essential that businesses with any connection to PHI – no matter how remote – understand whether they are considered a business associate under the new definition, and, if so, that they take steps to comply with their HIPAA obligations.