HIPAA 2013-New World for Business Associates-Of Biblical Proportions?
Maybe you are familiar with the bible story of when Cain slew Abel and God asks Cain, “Where is your
brother?” and Cain responds, “Am I my brother’s keeper?” If we’ve read the story, we know things weren’t too great for Cain after that! He is held responsible for his brother, as he should have been, but initially tried to say it wasn’t his problem. Like Cain, business associates under HIPAA 2013 cannot deny responsibility for data within their control.
You may zone out on me before you get to the end of this blog post, so the crux is that business associates, by definition, are now (and have been for a while) separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts.
Many haven’t wanted to think about it!
To learn more, please continue reading! I promise to try and keep it interesting!
Get to Know Business Associates
In mafia movies a “business associate“ might be the muscular wall of a man who collects overdue loan payments.
In other, more realistic worlds, a business associate would be someone with whom one worked-either as a co-worker or perhaps a colleague in another company.
In the HIPAA world, the term has a very distinctive and detailed definition.
What (Or Who)Is A Business
Associate Under HIPAA?
The HIPAA Rules define ‘business associate’’ generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. Examples of business associates include:
- Claims processors, administrators or practice managers.
- Accountants, legal advisors, consultants, or data aggrators.
- Accrediting services.
- Patient safety organizations
In short, if the person or organization is providing services to a covered entity and the provision of the service involves the disclosure of individually identifiable health information from such covered entity that person or entity is considered a business associate. Before the HITECH Act, the Security Rule did not directly apply to business associates.
Business Associate Changes Under HITECH
Life changed for business associates under the HITECH Act. Under HITECH, the Security Rule’s administrative, physical, and technical safeguards requirements as well as the Rule’s policies and procedures and documentation requirements HHS made business associates primarily liable for violations of the security rule. Therefore, under HITECH, business associates are civilly and criminally liable for violations of these provisions. HHS believes that many business associates have not appreciated, fully understood or implemented necessary compliance practices.
HIPAA 2013-Businesses Associates & Subcontractors
The final rule applies the business associate provisions of the HIPAA Rules to subcontractors and thus, provides in the definition of ‘business associate’’ that a business associate includes a ‘‘subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.’’
HHS also updated the definition of a subcontractor to reflect that ‘‘a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.’’ So, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.
There will be increased costs to many business associates to bring their subcontracts into compliance with business associate agreement requirements; and costs to a portion of business associates to achieve full compliance with the Security Rule.
Drop Dead Dates for Business Associates
The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule come into compliance with most of the final rule’s provisions. This translates into September 23, 2013. However, HHS has built another year of cushion for covered entities to update their business associate agreements. So the new documents must be fully executed no later than September 23, 2014.
In the span of time between September 23, 2013 and September 23, 2014, covered entities must ensure that they obtain satisfactory assurances from their business associates that the requirements are being met. Furthermore, business associates must also receive satisfactory assurances from their subcontractors no matter how far down the chain the information flows. Again, organizations must be COMPLIANT by September 23, 2013 and have another year to execute new business associate agreements.
That brings us to September 23, 2014 to have the updated agreements executed.
Please do not wait until September 1, 2014 to consider this!
What do Business Associates Need to Know?
Business associates are now directly liable under the HIPAA Rules for the following:
- impermissible uses and disclosures,
- for a failure to provide breach notification to the covered entity
- for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the agreement)
- for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules
- for a failure to provide an accounting of disclosures
- for a failure to comply with the requirements of the Security Rule.
- Business associates remain contractually liable for other requirements of the business associate agreement.
- Business associates will also have to comply with new requirements for notification of breaches. (coming in a future post!)
- Business associates need to evaluate their subcontractors!
Hopefully now you understand why I started this post with reference to the biblical story of Cain. Although these changes may not be of biblical proportions, they do represent increased levels of responsibility for any entity handling identifiable health information!
Do you have questions about what you’ve read?
Don’t consider this post legal advice!
Contact me @ email@example.com or here.
I am friendly and do not bite!
Read the rule for yourself here! I recommend it, especially if you have trouble sleeping!