HHS Expands HIPAA Privacy Compliance Requirements


On January 25, 2013, the Department of Health and Human Services (HHS) published its final rule implementing the changes that the Health Information Technology for Economic and Clinical Health Act (HITECH Act) imposed on business associates. The final rule extends the privacy and security compliance requirements of the Health Insurance Portability and Accountability Act (HIPAA) to business associates who handle protected health information (PHI), and for the first time makes business associates directly liable to HHS enforcement for violations, including security breaches. Further, certain subcontractors of business associates are themselves treated as business associates for purposes of compliance with, and potential liability under, the privacy and security requirements of the HITECH Act and HIPAA.

HIPAA defines a business associate as a person or entity who is not a part of a covered entity’s workforce, but who has access to, or transmits, protected health information as part of the services that are performed on behalf of a covered entity. These include third-party administrators, or technology vendors for covered entities, who provide claims processing and claims or benefit administration, utilization review, data storage, analysis or transmission, legal or financial services, or other technical support services for covered entities in which PHI is utilized, stored or transmitted.

Under the final rule, business associates and their subcontractors must directly comply with HIPAA imposed privacy and security requirements by:

  • Maintaining records necessary to show HIPAA compliance efforts;
  • Entering into their own business associate agreements with their own subcontractors who create or receive PHI as part of their services;
  • Providing compliance reports, when requested by HHS, to show that a covered entity or its business associate is in compliance with HIPAA;
  • Disclosing electronic PHI to covered entities, the involved individual or that individual’s designee when it is requested;
  • Notifying covered entities about PHI security breaches;
  • Taking reasonable steps to limit the use of PHI;
  • Accounting for disclosures of PHI;
  • Making certain that other HIPAA security requirements are observed.

Both covered entities and business associates are also now liable as principals under the final rule, pursuant to federal common law principles of agency, for the acts or omissions of their own business associates acting as agents.

The consequences for business associates, which now include subcontractors, that fail to comply with these HITECH Act and HIPAA privacy and security requirements can be quite serious. Civil penalties ranging from $100 to $50,000 per violation can be imposed, subject to a cap of $1,500,000 per calendar year for violations of the same provision. Security breaches involving the PHI of even a relatively small number of patients can lead to significant monetary penalties. Recently, HHS settled with an Idaho hospice for $50,000 after an unencrypted laptop containing the PHI of roughly 500 patients was stolen.

The final rule became effective on March 26, 2013. Covered entities and business associates (and their subcontractors) may continue to perform under business associate agreements that were in effect as of January 25, 2013 until September 23, 2014, or until the date on which the agreement is renewed or modified, whichever occurs first. For covered entities and business associates whose business associate agreements were not in final form by January 25, 2013, the deadline to implement the changes required by the final rule is September 23, 2013.