One significant impact of the HIPAA omnibus final rule is how dramatically it changes the concept of business associates. Prior to the final rule, business associates were limited to contractors working with covered entities who had access to protected health information. However, as soon as the new rule takes effect in a few months, contractors and subcontractors hired by a covered entity will bear new responsibility, as well as the potential for penalties, should they violate the HIPAA omnibus rule.
We caught up with Andrew Gantt, a partner at Cooley LLP, who specializes in electronic health and data privacy issues, to discuss what effect the ruling by the Office of Civil Rights (OCR) and the Department of Health & Human Services (HHS) will have on independent contractors and the liability stemming from their new role as business associates.
What do you make of the OCR and HHS’s final ruling for business associates?
It was in the proposed rule, but the whole idea that business associates include all downstream subcontractors is preserved, and that dramatically increased the original scope of HIPAA. They define a business associate to include any subcontractor ad infinitum. The import is that anybody who essentially handles protected health information to provide a service for a covered entity or any downstream contractor of that covered entity is actually subject to HIPAA. The interesting aspect of that is that it not only subjects them to all regulatory requirements, if you will, but they can come after those business associates or subcontractors for penalties. The problem with that construct is that many people wouldn’t really be on notice that they would be subject to HIPAA who are not otherwise in the healthcare industry.
How has the scope of HIPAA changed as a result of the final ruling?
It’s very far-reaching, and it’s safe to assume that the universe of business associates and subcontractors is potentially much larger than the universe of covered entities. The scope of HIPAA now is dramatically increased by virtue of this to cover a whole host of entities, when originally only covered entities were considered to be subject to HIPAA. Particularly with the increased penalties and enforcement weapons, it’s a totally different risk profile for people now dealing with health information than previously.
What concerns you most about this understanding of business associates?
My concern is that if they are not required to sign a business associate agreement for some reason, which they should be, but if they’re not, I suspect that there’ll be many entities that aren’t aware that they are in fact subject to HIPAA and up the compliance. As long as you’re either directly or indirectly an independent contractor and you require access to protected health information to provide a service, then you’d be subject to HIPAA. Keep in mind now that that’s both contractual and legal, so if you sign a business associate agreement you have contractual liability between a business associate and covered entity, or a subcontractor and a business associate, but you also have direct liability to the government now, so that even if you never signed one of those business associate agreements, the government can view you as a business associate and come after you.
Are there any other unintended consequences of the ruling?
The other thing to keep in mind is that some of these folks don’t have the capability to comply with business associate obligations. You’ve got to be able to modify records, provide access to particular records, provide an accounting of disclosures potentially, and other things they may not actually operationally be able to do. If they want to become HIPAA-compliant, that may require them to change their operations to enable functionality that doesn’t currently exist. The bottom line is the business issue that any covered entity is likely to want somebody to be a business associate, so there’s a business decision to make even if they don’t think they’re technically subject to HIPAA.
How are business associate agreements likely to change to accommodate the final rule?
The HIPAA rules prescribe certain language to be included in business associate agreements, but there are things I think will change by virtue of the fact that enforcement is more likely now and the penalties are much more significant; for example, indemnification provisions. They’re not required by HIPAA, but the question is whether a business associate should agree to an indemnity provision that is requested by a covered entity. Certainly I represent entities on both sides of that, but I see it being teed up much more frequently now, because the practical reality is that if something bad happens, the fallout can be much more significant from a public relations and financial perspective. I’m seeing indemnity provisions negotiated more strenuously than in the past.
Are there areas where the OCR and HHS have not gone far enough with the ruling?
It still presumes that the covered entity and the payers are the source and rightful locus, if you will, of the data. And when that changes so that the bulk of the data is no longer within a healthcare facility — for example, it’s actually outside in the cloud or on people’s cell phones or all over the place — this model really needs to be revisited. It’s unfortunate that, 17 years out from when HIPAA was passed, they didn’t work harder to address that specifically.