30 April 2013

Business Associate Agreements Under the New HIPAA Regulations

Topics: HIPAA

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the final omnibus rule modifying the regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final rule sets forth reforms to the HIPAA Privacy and Security Rules, and those reforms change what a "covered entity"1 must include in a business associate agreement.

Under HIPAA's Privacy Rule, when a covered entity engages a "business associate"2 to carry out health care functions or activities on its behalf, the general rule is that the covered entity must obtain satisfactory assurances from the business associate that it has appropriate safeguards in place to protect the protected health information it receives or creates.3 These assurances must be in writing, either in a contract or in another written agreement between the covered entity and the business associate. The new provisions, however, expand the definition of a business associate to include a subcontractor performing services on behalf of the business associate.

A subcontractor is one that "creates, receives, maintains, or transmits protected health information on behalf of another business associate".4 In addition to broadening who qualifies as a business associate, the new regulations require a business associate (contractor) providing services on behalf of a covered entity to enter into written agreements with its own subcontractors, and those agreements must contain the same assurances that the protected health information the subcontractor receives or creates will be safeguarded. The new provisions do not require the covered entity to contract directly with the subcontractor; rather, the business associate must obtain the written assurances from its subcontractors, and each subcontractor in turn from its own subcontractors, down the contract chain.5

The new regulations also modify the specific provisions that must be included in a business associate agreement. To assist covered entities and business associates in complying, HHS published revised sample business associate agreement provisions on its website. In that publication, HHS outlined the provisions that a business associate agreement must now contain, which include the following:

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate;
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
  4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
  5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
  6. To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
  7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity's compliance with the HIPAA Privacy Rule;
  8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
  9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

Contracts between a business associate and a business associate that is its subcontractor are subject to these same requirements.6

As set forth in the final omnibus rule, covered entities and business associates are required to be compliant with the new regulations by September 23, 2013. However, the final rule also recognizes concerns about the administrative resources and expense needed to implement the new provisions, and it provides a transition period for covered entities and business associates to modify their existing business associate agreements. The transition period allows certain existing contracts to continue to operate for up to one year beyond the compliance date, with all written modifications to be completed on or before September 22, 2014.7

Although the new rules provide a transition period to amend existing contracts, a business associate is still required to comply with the new Privacy Rule provisions as of the September 23, 2013 compliance date whenever it uses or discloses protected health information on behalf of a covered entity. It is therefore critical for a business associate, along with its subcontractors, to ensure that it has the proper procedures in place now to safeguard protected health information and to meet the requirements of the new provisions. Weltman will continue to monitor the effects of the changes to the HIPAA regulations and their impact on the health care industry.


1 A "covered entity" under HIPAA refers to three specific groups: (1) health plans, (2) health care clearinghouses, and (3) a health care provider that transmits any health care information in electronic form. 45 CFR 160.103.
2 A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
3 http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
4 "Sample Business Associate Agreement Provisions", http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
5 See final omnibus rule for "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules", http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
6 "Sample Business Associate Agreement Provisions", http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
7 See final omnibus rule for "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules", http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
