The Health Care Insurance Portability and Accountability Act of 1996 (HIPAA) has been a defining feature of the health care landscape for nearly twenty years. Key pieces of HIPAA are its Privacy and Security Rules, which set standards for how “covered entities” (health care providers, health care clearinghouses and health plans) and their “business associates” must protect patient health care information. 45 CFR § 160.103 (definition of business associates).
In a world of news-breaking data breaches, we are all aware that the rapid technology advances of the last two decades have placed heavy demands on any entity that stores, transmits or receives patient records and other sensitive information. This includes not only health care providers, but also law firms involved in personal injury and medical malpractice litigation—and, in some cases, the businesses those law firms contract with for support services.
Business Associate Agreement Requirements
None of this is big news: HIPAA has long required Business Associate Agreements (BAAs), contracts between covered entities and their business associates. A BAA must:
(1) establish the permitted and required uses and disclosures of protected health information by the business associate;
(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity's compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
Id. at § 164.504(e)(2).
For the most part, business associates and their subcontractors already maintain security practices that either comply with HIPAA or require only modest improvements to come into compliance.
That said, an omnibus final rule issued by the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR) in January 2013 strengthened breach notification requirements and stepped up enforcement measures and civil penalties. As a result, business associates may be directly liable for, among other things, (1) impermissible uses and disclosures of protected health information; (2) failure to provide breach notification to the covered entity; and (3) failure to comply with the requirements of the HIPAA Security Rule.
With the final rule, HHS expanded its direct regulatory authority to business associates and their subcontractors. This allows HHS to audit business associates' HIPAA compliance and conduct enforcement actions against business associates found to be non-compliant. It is a significant change for business associates, and both covered entities and business associates may be targets of HIPAA audits in 2014 and beyond. Although the audit program has been under-funded for the last several years, it was designated as a priority by the Department of Health and Human Services in 2014. Accordingly, we can expect to see an increase in federal audit activity.
The last deadline for compliance with the provisions of the final rule is just weeks away. The final rule required covered entities and their business associates to review and update their BAAs by September 23, 2013, but extended this deadline to September 22, 2014, if (1) the BAA complied with HIPAA rules as they existed before January 25, 2013, and (2) the BAA is not renewed or modified prior to September 23, 2014. See id. at § 164.532(e).
What does this mean for law firms that handle protected health information? First, covered entities are moving to shore up their BAAs. As a result, law firms and other businesses that serve health care organizations and insurers should be prepared for their clients to ask them to sign updated BAAs. A sample BAA is available for review on the HHS website.
Second, business associates are required both to disclose any health information breaches they are aware of, and to report HIPAA violations of covered entities, if apparent. According to the final rule, an impermissible use or disclosure of protected health information constitutes a breach unless the business associate can demonstrate there is a “low probability” that the information has been compromised. See 78 Fed. Reg. at 5642 for factors to be used in breach risk assessment.
Third, law firms are required to have their own BAAs with subcontractors that use or receive protected health information on their behalf. Such subcontractors may include document shredding or copying service providers. It is incumbent on the law firm to monitor its BAAs with subcontractors and remain cognizant of the fact that all requirements of the law firm's BAAs with covered entities cascade downstream to the law firm's subcontractors. To the extent any business relationship involves access to protected health information, contracts between business associates and subcontractors are subject to the same requirements as contracts between covered entities and business associates. Id. at §§ 164.314(a)(2)(iii) and .504(e)(5).
The HHS Office for Civil Rights (OCR) offers additional helpful information about HIPAA compliance at http://www.hhs.gov/ocr/privacy.
This news update is designed to provide general, educational information on pertinent legal topics, and the statements therein do not constitute legal advice. This news update is not intended to create an attorney-client relationship between you and Corneille Law Group, LLC. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.