Ongoing Confusion for HIPAA Business Associates
It is clear that the Health Information Technology for Economic and Clinical Health (HITECH) Act era creates substantial new legal obligations for entities that operate as "business associates" under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. What is far less clear is what exactly these new obligations are, and when they take effect. This confusion itself further complicates HIPAA contracting today for business associates, the covered entities they serve and any downstream contractors of the business associates. Business associates need to pay careful attention to these issues even today, both to ensure appropriate behavior now and to prepare for substantial new compliance obligations that are coming soon.
Since the beginning of HIPAA time, the HIPAA rules have applied directly only to "covered entities"-typically, health plans (such as health insurers and self-insured employee benefit plans) and health care providers (doctors, hospitals, pharmacies, etc). Service providers to these covered entities-called "business associates"-did not have direct compliance obligations. Because the Department of Health and Human Services (HHS) had no direct jurisdiction over "business associates," but wished to safeguard certain information they would possess, HHS imposed an obligation on the covered entities to implement specific contracts with these vendors that would create contractual privacy and security obligations for these vendors. The failure to execute such contracts would mean that the covered entity violated the HIPAA rules. A business associate's failure to meet a contractual privacy standard would be a breach of that contract-but would not subject the business associate to federal enforcement exposure because the business associate was not regulated under the HIPAA rules. While the resulting contracting process was both tedious and burdensome, tens of thousands of entities became business associates under these rules.
The HITECH law altered this core relationship. By law, Congress imposed new obligations on business associates, to comply with specific HIPAA provisions directly under law, not just through contractual arrangements. While this legislation does not turn a business associate into a covered entity, it does create-for the first time-direct accountability for these business associates, with potential civil and criminal liability for a failure to meet applicable requirements. At the same time that Congress made business associates subject to direct enforcement, it also increased the range of penalties that could be imposed for HIPAA violations, creating a HIPAA double whammy for these service providers.
The Good News for Business Associates
The HITECH law appeared to impose these new HIPAA obligations one year after it was passed, meaning February 17, 2010. Business associates have prepared to meet this new compliance obligation, both by developing HIPAA-compliant policies and procedures and through renegotiation of tens of thousands of business associate contracts. HHS issued no guidance on these business associate contracts, leaving each covered entity and business associate on its own to determine what appropriate language should be.
In a Notice of Proposed Rulemaking (NPRM) published on July 14, 2010, several months after this apparent statutory deadline, HHS finally stepped in to make clear its position that, despite the wording of the HITECH law, these new obligations for business associates would not be enforced until a final HITECH regulation was published and a subsequent seven-month compliance period had run its course. (The proposed rule is available at http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf.)
So, the good news for business associates is that HHS is of the view that business associates are not yet subject to direct HIPAA enforcement, and will not be subject to this enforcement until at least seven months after publication of this final rule (which is expected sometime in 2011, perhaps by the end of the first quarter). This means that until this post-finalization compliance deadline is reached (in late 2011 at the earliest), business associates do not yet have an obligation to meet the full range of requirements imposed by the HITECH law. Also, until the rule is finalized, business associates cannot even be sure exactly what those obligations will be.
The Bad News
While this good news is important, there also is significant bad news. First, while it seems clear that HHS will not enforce the HIPAA rules against business associates until the final HITECH rule is published and the compliance period has run, there is no certainty that the state attorneys general (who were granted enforcement authority over HIPAA in the HITECH law) will take the same approach. So, any business associate who "ignores" HIPAA in this interim period is at risk.
Second, it is clear that the HIPAA security breach notification rule does apply directly to business associates today, even without the broader set of HIPAA obligations, because the breach notification regulation already is in effect. Because HHS acted more quickly to develop the breach notification rule (although only as an "interim final regulation"), business associates do have a current legal obligation to notify covered entities of certain security breaches, even though they do not yet have a legal obligation to do much of anything else under HIPAA. While the final details of this breach notification rule are still under evaluation, business associates across the country are addressing security breach risk-assessment issues today. (For a discussion of the current status of the breach notification rule, see Nahra, "The Mystery of the HIPAA Breach Notice Rule," Privacy In Focus [September, 2010]). These current breach notification obligations (coupled with a wide range of applicable state breach laws) should encourage business associates to move forward with improved security practices across their operations.
Third, because current HIPAA rules still require business associate contracts, business associates (and their contracting partners) face ongoing confusion about how to properly implement new business associate contracts. Because there is no final rule, it is not determined what changes-if any-will need to be made to an appropriate existing business associate contract once the rule is finalized. However, until that time, covered entities and business associates still need to implement business associate contracts, amid the ongoing uncertainty and foreseeable need to renegotiate these agreements yet again once the rule is finalized. While recognizing the need to enter into contracts, business associates should be careful not to unwittingly take on obligations beyond those imposed by HIPAA today.
Fourth, HHS also complicated the downstream contracting process for business associates in the proposed rule, by creating a new obligation to impose full business associate legal obligations on their subcontractors at all levels. While many commentators on the proposed rule objected to this expansion, no final decision has been made. Therefore, again, business associates must enter into contracts now that may need to be renegotiated in a few months. It is clear that appropriate contracts with subcontractors are required now; the open issue is, ultimately, what (if any) legal obligation will be imposed on these subcontractors, and what contract changes will be needed to effectuate these requirements.
What Do Business Associates Need to
Be Doing Now?
While there are significant open issues about both timing and the substance of new compliance obligations, business associates should be moving aggressively today to understand their obligations and prepare for these significant changes.
What are the major areas that will deserve attention?
The HIPAA Privacy Rule
The HITECH statutory provisions are somewhat confusing in regards to how the Privacy Rule will be applied to business associates. It is clear that not all portions of the Privacy Rule will be applied to business associates. As a general matter, HITECH indicates that business associates must, by law, now follow the provisions of the business associate contract that are mandated by the Privacy Rule. The NPRM adopted this approach without expanding any regulatory requirements beyond the elements of a business associate contract. For business associates-who presumably have been following these contractual provisions for the past several years-there should be no significant new obligations, but the risks associated with failure to meet these obligations have grown. All business associates should take this opportunity to re-evaluate their policies and procedures for meeting these requirements.
The HIPAA Security Rule
The HIPAA Security Rule presents significantly more challenges-and requires action today. Currently, under a business associate contract, a business associate has only limited Security Rule obligations, primarily to "[i]mplement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity." This translates-for most business associates-into an obligation to maintain reasonable and appropriate security practices. However, now that business associates must comply with the overall HIPAA Security Rule-absent a fundamental and unexpected change in the approach laid out by HHS in the NPRM-a substantially different compliance approach will be required. For many business associates, moving from "reasonable and appropriate" security standards to "HIPAA compliant" security standards may necessitate a very substantial effort.
This change-which was incorporated into the proposed rule and is expected to be adopted in the final rule-will be the most substantial overall HIPAA challenge for business associates. And unlike the Privacy Rule requirements that can be adopted quickly (and that should already be in effect), the Security Rule requires meaningful change that will not be easy to make quickly. Therefore, it is important for business associates-even with at least a seven-month compliance deadline built in-to begin to understand their security obligations, evaluate compliance gaps between current operations and HIPAA requirements, and develop both a mitigation plan and an approach to designing and implementing appropriate and extensive HIPAA-mandated security policies and procedures. (For a more extensive discussion of HIPAA security obligations, please see Nahra, "Focusing on Effective HIPAA Security," Privacy In Focus (July 2010).)
This work should begin today. For some companies, this effort will mainly involve documentation-understanding the requirements of the HIPAA Security Rule and converting current security policies and procedures into HIPAA-compliant documents. For other companies, particularly those without well-developed information security programs, the required efforts may be much more substantial. It will be critical to involve personnel beyond the information technology (IT) department in these efforts-the Security Rule requires a variety of steps beyond the usual expertise of IT departments (including some involving personnel policies, training and other areas).
Contracting Issues-with Covered Entities
Beyond the need to prepare for the HIPAA Security Rule, business associates' biggest challenge will be to manage the process of contracting with covered entities. This task will involve both timing and substantive issues. Companies who are business associates will want to promptly identify a strategy for this process, to assess the volume of expected contracting and the substance of what their business associate contracts should address. Moreover, companies should anticipate a wide range of new demands from health care customers related to these rules, primarily related to breach notification and any resulting costs.
HITECH did not fundamentally change the definition of a "business associate." Therefore, while many business associates are trying to avoid HIPAA obligations by arguing that they do not meet the definition of a business associate, even where they have executed business associate contracts in the past, this effort will face an uphill battle. Moreover, while under current law a business associate only has contractual obligations (and therefore may have no HIPAA obligations if there is no business associate contract), under HITECH, a business associate will have obligations under law, and, therefore, will have HIPAA obligations even if there is no business associate contract.
Nonetheless, we can anticipate significant doubt and uncertainty about what a business associate contract should contain, both today and in the future. Business associates should pay close attention to the "required" elements of a business associate contract, which will change somewhat, though not too dramatically, but also should carefully evaluate any proposal that they assume new or greater obligations than are required by the law. Business associates will need an overall approach to managing these issues-particularly if the company has a large number of health care clients-and a feasible means for handling individual negotiations with health care customers.
Contracting Issues-with Subcontractors
Business associates also need to evaluate how to manage the process for establishing contracts with their subcontractors. The most significant development in the NPRM involves HIPAA subcontractors-entities that are "downstream" from business associates (where the business associates contract directly with covered entities). Essentially, HHS has proposed that all subcontractors be treated the same as "first tier" business associates. If this approach is incorporated into the final rule, subcontractors will have the same legal compliance obligations as first-tier business associates. Many subcontractors-particularly those who do not view themselves as part of the health care industry-likely will resist these new obligations, will not understand why they are required and may not be capable immediately of meeting the substantive obligations. However, the NPRM makes clear that it is the business associate's obligation to ensure that a contract is in place with the subcontractor (paralleling the obligation traditionally placed on covered entities). Moreover, because the full scope of these obligations remains uncertain, business associates need to develop an approach for subcontractors that will implement required contracts today, with sufficient flexibility to make changes in the short term when the rule is finalized.
The next few months present significant challenges and opportunities for HIPAA business associates. We know that the HITECH rules-when they are finalized-will impose significant new obligations on business associates. We do not yet know the full details of these requirements, but the primary elements of the outline are clear and will not change. Moreover, because some of these changes-mainly Security Rule compliance-will take time, it is important to begin this evaluation now. In addition, business associates should be prepared today to enter into appropriate business associate contracts with covered-entity clients and with their own subcontractors that implement today's requirements and anticipate in a reasonable manner what the future will hold. These steps must be taken today, with an eye toward the future, when compliance will be required and enforcement is expected to be more substantial.