Under the recently enacted Health Information Technology for Economic and Clinical Health (HITECH) Act and its implementing regulations, the definition of the HIPAA term "Business Associate" has been expanded. A "Business Associate" now includes any third party that "creates, receives, maintains or transmits" protected health information (PHI) in the course of providing services. Notably, for vendors that provide data maintenance or transmission services, actual access to PHI may not be required; the mere opportunity for access may be enough.
As a result, a significant re-evaluation is critical for: (i) Providers and Health Plans ("Covered Entities"), with respect to their relationships with the parties they have directly engaged to provide services; and (ii) Business Associates, with respect to their relationships with the third parties to whom they subcontract services performed on behalf of a Covered Entity. Each must identify its Business Associates in light of the new test and, for each such relationship, put a proper Business Associate Agreement in place. If this is not done properly, a Provider, Health Plan, or Business Associate may find itself subject to expenses or penalties it never saw coming.
Although most may be aware that failing to put a compliant Business Associate Agreement in place in such a relationship would itself violate HIPAA's privacy requirements, it may be less well known that two HIPAA developments could create significant additional exposure as well. First, under the Breach Notification Rule, each disclosure of PHI to a third party without a required Business Associate Agreement may constitute a reportable breach. Where a reportable breach occurs, the responsible party must ensure that timely reporting is completed in compliance with the requirements, which may involve providing notice to the individuals whose PHI is involved and, depending upon the number of individuals involved, to CMS and the media. This can be very expensive and draws governmental regulators into the process. Alternatively, if an audit or other review subsequently determined that the required reporting had not been undertaken in these circumstances, significant fines or penalties could be imposed on the responsible parties.
To illustrate how easily this might occur, assume that a Provider contracts with a vendor for server maintenance and hosting, which will require the vendor to "maintain" PHI, but no Business Associate Agreement is put in place. In this case, each time the vendor accesses the server to perform maintenance or hosting services, a reportable breach potentially occurs, creating the risks identified above.
Second, Covered Entities and Business Associates may now be held liable for the acts of their Business Associates under expanded circumstances. If, therefore, a Provider or Business Associate has failed to put in place a Business Associate Agreement properly protecting its interests in the event of a breach or other misconduct by a Business Associate, that Provider or Business Associate may be held responsible or liable for such acts but not have any contractual remedy against the party at fault.
We urge you, therefore, not to wait, but instead to re-evaluate your vendor and third-party relationships immediately to ensure that you are not exposed to hidden risks.