A recently issued government rule may unknowingly create significant liability and legal risk for many technology enterprises. The expanded definition of "business associates" and related interpretations by the Department of Health and Human Services (HHS) suggest that many companies should revisit how they provide services and ask whether they are providing their services to health care providers, health plans, or health care clearing houses (collectively, "covered entities"). HHS seeks to implement the mandates of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) by modifying its regulatory scheme (the "HIPAA Rules") that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 Two of the most important changes involve "business associates," defined as entities that perform functions or activities on behalf of covered entities or other business associates that involve the use or disclosure of protected health information (PHI). Among many other changes, the omnibus rule:
expanded the definition of "business associate" and
placed the obligation of HIPAA compliance directly on business associates.
Companies Storing PHI May Be Business Associates
Under the new rule, any entity "that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information" is a "business associate."2 HHS considers entities to be business associates when they persistently store PHI; however, entities that act as mere conduits for the transmission of PHI, possessing the PHI for only a brief period of time to facilitate a data transfer, are likely not business associates. Addressing the question of where to draw the line between a business associate and a conduit, in the guidance accompanying the omnibus rule, HHS states that the determination is "based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity." In essence, entities that deal with PHI in a transient manner are not business associates, but all other entities are business associates to the extent that they deal with PHI for covered entities or business associates. Many entities historically took the position that because they neither accessed nor maintained PHI in any knowing way, they were not business associates. Instead, they maintained that their activities were incidental to the provision of their services and they should not be treated as business associates under the statute.
Storage Providers May Be Business Associates Even Without Tangible Access or Use of PHI
The newly released rule may give cause for alarm among many technology companies that provide services to health-related businesses. Many such businesses historically have given little thought to whether or not their customers were covered entities under HIPAA. Or, because they did not have access to any PHI, they believed the HIPAA rules did not apply. Under the omnibus rule, however, whether an entity actually accesses the PHI is irrelevant to HHS's determination of whether an entity is a business associate. Per HHS, "An entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information." Further, HHS specifically calls out data storage companies and explains that they are in fact business associates, regardless of whether they ever actually access the PHI that they store.
The significance of "maintaining" data for many companies cannot be understated. The application of HIPAA regulations to entities that store data should strongly encourage many entities to consider re-evaluating their policies and compliance strategies and review their client bases to evaluate risk exposure and liability under the HIPAA Rule.
Storage Providers May Be Business Associates Even Without a Direct Relationship with a Covered Entity
HITECH also contains, and the HIPAA omnibus rule reflects, a mandate that subcontractors of business associates be directly required to comply with all regulations applicable to business associates. HHS explained that this requirement reflects an effort to "avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity."
This regulation shift directly affects data storage providers to the extent that they store PHI downstream from a covered entity. Cloud providers that simply transmit PHI likely are not business associates, but once a cloud provider stores the PHI in anything other than a transient manner, according to HHS, it may assume the role of a business associate, even if (1) it never accesses the PHI, and (2) it did not receive the PHI directly from a covered entity. Even cloud providers that store PHI far down the chain of service providers from the covered entity may have HIPAA compliance obligations. Given that many providers often lack any specific knowledge or awareness of the type and nature of client data they may maintain, and often do so specifically for privacy and security reasons, the new rule could easily catch many off guard.
Compliance Risks for Data Storage Providers: Direct Liability and Civil and Criminal Penalties
Prior to HITECH, covered entities were directly responsible for compliance with HIPAA regulations, while business associates were contractually obligated to meet regulation requirements via their business associate agreements with covered entities. While covered entities could face government enforcement actions, the risk to business associates was historically limited to private lawsuits from their customers and indemnity obligations in most cases.
The omnibus rule makes business associates directly responsible for compliance with applicable HIPAA regulations. From a practical standpoint, for entities formerly contractually obligated to comply, this change may have no effect. However, for entities such as cloud storage providers and subcontractors that may have no—or incomplete—preexisting compliance obligations, the impact is significant. Moreover, a considerable amount of the compliance risks are now shifted from the shoulders of the covered entity to the entities that it works with—and every entity downstream from the covered entity. As HHS stated in the omnibus rule guidance, "we believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors."
Direct responsibility for, and liability for lack of, HIPAA compliance is especially significant in light of the considerable monetary and criminal penalty provisions mandated by HITECH. Failure to comply can result in sizable fines and even imprisonment.3 For example, the minimum fine is $100 per violation, with a calendar-year cap of $25,000 for identical violations, and the maximum fine can be as high as $50,000 per violation, with a $1.5 million calendar-year cap for identical violations. As another example, any person, including an employee of a covered entity or business associate, that commits certain acts knowingly may be fined up to $250,000 and/or imprisoned for up to 10 years.
Notably, while business associates now have direct compliance responsibility, they also retain contractual responsibility and risk. The omnibus rule kept the preexisting requirement that covered entities and business associates execute specific business associate agreements. So, business associates must still provide contractual assurances that they will comply with HIPAA regulations. Further, contractual obligations and risk flow down the relationship chain, as subcontractors also must execute such agreements with business associates. As HHS stated in the omnibus rule guidance, "covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows."
In view of these significant changes to HIPAA regulations and HHS's explicit contemplation of data storage providers as business associates, entities that provide such services should consider a review of their policies and procedures for privacy and data security. In doing so, evaluation of customer profiles and relationships and performance of risk assessments regarding potential storage of PHI may make sense. A challenge under the new regulations is the risk that data storage providers may unknowingly receive PHI from clients, and thereby may become subject to penalties and enforcement actions. As a consequence, some businesses may seek to bring their security measures into compliance without knowing for certain whether the rules apply or they may evaluate ways to expressly exclude entities possessing PHI from their services in efforts to avoid unnecessary liability.
Wilson Sonsini Goodrich & Rosati attorneys regularly assist clients with all aspects of their privacy and information governance needs, including HIPAA compliance evaluations, contractual issues related to health information, security incident responses, and incident avoidance. For additional information, please contact Gerry Stegmaier at firstname.lastname@example.org or (202) 973-8809, Wendy Devine at email@example.com or (858) 350-2321, or Wendell Bartnick at firstname.lastname@example.org or (202) 973-8963.