Healthcare organizations will want to pay close attention to the recently-released HIPAA omnibus rule and how it amended the HIPAA Security Rule. In this final HIPAA rule, the Department of Health and Human Services (HHS) responded to comments based on proposed changes and explained its final Security Rule provisions.
It’s not hard for a healthcare provider to get confused between HIPAA Privacy and Security rule specifications. More specifically, business associate agreement language had previously been vague. In creating this final rule, according to HHS, it tried to fix that by stating that business associates are, by definition, separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts.
HHS agreed with commenters on the HIPAA omnibus rule that hybrid entities, not including business associate functions within the health care component of a hybrid entity, could avoid direct liability and compliance obligations for the business associate component. So the final rule requires that the healthcare component of a hybrid entity include all business associate functions within the entity.
Before the HITECH Act, the Security Rule did not directly apply to business associates of covered entities. However, section 13401 of the HITECH Act provides that the Security Rule’s administrative, physical, and technical safeguards requirements in §164.308, 164.310, and 164.312, as well as the Rule’s policies and procedures and documentation requirements in § 164.316, apply to business associates in the same manner as these requirements apply to covered entities, and that business associates are civilly and criminally liable for violations of these provisions.
To implement section 13401 of the HITECH Act, we proposed to insert references in Subpart C to “business associate” following references to “covered entity,” as appropriate, to make clear that these provisions of the Security Rule also apply to business associates. In addition, we proposed additional changes to §§ 164.306, 164.308, 164.312, 164.314, and 164.316 of the Security Rule, as discussed below.
Some commenters argued that the time, implementation expense, transaction cost, and liability cost burdens on business associates and subcontractors to comply with the Security Rule, especially small and mid-size entities, would be significant. Other commenters supported the direct application of the Security Rule to business associates and subcontractors.
HHS adopted the modifications to the Security Rule as proposed to implement the HITECH Act’s provisions extending direct liability for compliance with the Security Rule to business associates. In response to the concerns raised regarding the costs of compliance, we note that the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including a subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it. See § 164.314(a). Consequently, business associates and subcontractors should already have in place security practices that either comply with the Security Rule, or that require only modest improvements to come into compliance with the Security Rule requirements.
The requirements of the Security Rule were designed to be technology neutral and scalable to all different sizes of covered entities and business associates. Covered entities and business associates have the flexibility to choose security measures appropriate for their size, resources, and the nature of the security risks they face, enabling them to reasonably implement any given Security Rule standard. In deciding which security measures to use, a covered entity or business associate should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. Thus, the costs of implementing the Security Rule for large, midsized, or small business associates will be proportional to their size and resources.
The final rule adopts the proposed modifications to § 164.308. Section 164.308(b) expressly provides that a covered entity is not required to enter into a business associate agreement with a business associate that is a subcontractor; rather, this is the 100 obligation of the business associate that has engaged the subcontractor to perform a function or service that involves the use or disclosure of protected health information.
Business associate organizational requirements
Organizational requirements can be tricky for healthcare organizations. While Section 13401 of the HITECH Act doesn’t include §164.314 among the provisions for which business associates are directly liable, it states that §164.308 of the Security Rule applies to business associates “in the same manner” that the provision applies to covered entities. Section 164.308(b) requires a covered entity’s business associate agreements to conform to the requirements of § 164.314. Accordingly, in order for § 164.308(b) to apply to business associates in the same manner as it applies to covered entities, we proposed to revise § 164.314 to reflect that it is also applicable to agreements between business associates and subcontractors that create, receive, maintain, or transmit electronic protected health information.
We also proposed a number of modifications to streamline the requirements of §164.314. First, since a business associate for purposes of the Security Rule is also always a business associate for purposes of the Privacy Rule, we proposed to remove contract provisions that were merely duplicative of parallel provisions in the Privacy Rule’s business associate contract provisions at § 164.504.
Second, we proposed conforming modifications to the remaining contract requirements in § 164.314(a)(2)(i) to provide that such contracts must require a business associate to comply with the Security Rule, to ensure any subcontractors enter into a contract or other arrangement to protect the security of electronic protected health information; and with respect to the reporting of security incidents by business associates to covered entities, to report to the covered entity breaches of unsecured protected health information as required by § 164.410 of the breach notification rules.
Third, we proposed to add a provision at § 164.314(a)(2)(iii) that provides that the requirements of this section for contracts or other arrangements between a covered entity and business associate would apply in the same manner to contracts or other arrangements between business associates and subcontractors required by the proposed requirements of § 164.308(b)(4).
Finally, we proposed to remove the reference to subcontractors in § 164.314(b)(2)(iii) regarding 102 amendment of group health plan documents as a condition of disclosure of protected health information to a plan sponsor, as unnecessary and to avoid confusion with the use of the term subcontractor when referring to subcontractors that are business associates.
HHS did not receive substantive public comment on these proposed changes, but the final rule adopts the modifications as proposed.