HIPAA Final Rule: Modified Rule for Business Associates and Subcontractors

February 6, 2013.  Today, we cover the business associate Administrative Safeguard (b) of the Security Rule, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

HIPAA did not directly regulate business associates of covered entities.  Section 13401 of the HITECH Act statutorily changed that:  the Security Rule’s administrative, physical, and technical safeguard requirements, and its policies and procedures and documentation requirements, were made applicable to business associates “in the same manner” as they applied to covered entities, and business associates became civilly and criminally liable for violations of these provisions.  [78 Federal Register 5589]  The Final Rule published on January 25, 2013, modified and extended federal regulatory enforcement, imposing “direct liability for compliance with the Security Rule to business associates” instead of having covered entities rely only on “satisfactory assurances” in a business associate agreement, where a covered entity’s recourse, in the absence of an indemnification provision, was terminating the agreement.

The Final Rule notes that “the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it.”  [78 Federal Register 5589]  The Final Rule defines subcontractor as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”  [78 Federal Register 5689].

In the Final Rule, “a covered entity is not required to enter into a business associate agreement with a subcontractor; rather, this is the obligation of the business associate that has engaged subcontractor to perform a function or service that involves the use or disclosure of protected health information.” [78 Federal Register 5590]  “To ensure appropriate and strong security protections for electronic protected health information, subcontractors are required to comply with the Security Rule to the same extent as business associates with a direct relationship with a covered entity.”  With respect to notification of a discovered breach, a subcontractor would notify the business associate, who would in turn notify the covered entity for carrying out further notifications, as applicable.

The Final Rule provides new language pertaining to the relationship between the covered entity and business associate, and between the business associate and a subcontractor under the modified Security Rule Administrative Safeguards:

(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) launched a Business Associate Contract Web site with Sample Business Associate Agreement Provisions that provides guidance to covered entities on preparing an appropriate business associate agreement with required provisions.

Tomorrow, we present the Final Rule’s modified definition of Business Associate.
