HITECH Act Significantly Impacts the World of Business Associates
This is the second in a series of three HITECH alerts.
This Wolff & Samson Health Law Alert is the second in a three-part series regarding the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act” or “HITECH”), which significantly broadens the scope of existing health information privacy and security requirements. The first HITECH alert ("Becoming 'HITECH' -- The Evolving State of Health Information Privacy and Security") addressed certain provisions of HITECH that create new and revise or expand existing privacy requirements with respect to protected health information (“PHI”) under the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (the “HITECH HIPAA Amendments”). The following alert reviews the provisions of HITECH that affect business associates and business associate agreements (“BAAs”).
Covered Entities Must Have BAAs with PHI Data Transmission Vendors
Covered entities must enter into BAAs with vendors who provide services for the data transmission of PHI and require access on a routine basis to such PHI. Such vendors specifically include: (i) Health Information Exchange Organizations; (ii) Regional Health Information Organizations; (iii) E-prescribing Gateway, and (iv) vendors that contract with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record.
The HITECH Act Imposes Direct HIPAA Privacy and Security Compliance Obligations and Liabilities on Business Associates
Under current HIPAA rules, business associates have a contractual responsibility to comply with HIPAA in accordance with their BAAs with covered entities. Pursuant to HITECH, business associates will now have a statutory obligation to comply with certain HIPAA security and privacy standards and will be subject to civil and criminal liability in the event of a violation. Thus, in addition to their contractual obligations to covered entities, business associates will now be directly responsible for HIPAA compliance. Effective February 17, 2010, business associates must comply with the following:
- HIPAA Security Standards – Business associates must establish administrative, physical and technical safeguards under the HIPAA security standards. This will require, in part, the implementation of policies and procedures to:
- prevent, detect, contain and correct security violations;
- limit physical access to electronic information systems and the facility or facilities in which they are housed; and
- limit access to electronic information systems that maintain electronic PHI to only those who have been granted access rights, which may require the implementation of encryption and decryption mechanisms.
Business associates will also need to conduct and document risk analyses and risk management measures. While the HIPAA security standards have been in place for several years, the HITECH Act directs the Secretary of the Department of Health and Human Services (the “Secretary”) to issue guidance, sometime in 2010 and annually thereafter, concerning the most effective and appropriate technology for implementing the HIPAA security standards for both covered entities and business associates.
- HIPAA Privacy Rule – Business associates must comply with the HIPAA privacy rule to the extent it is embodied in the terms currently required for BAAs under HIPAA (i.e., business associates are now statutorily obligated to comply with the provisions of their BAAs). Business associates may also have reporting obligations if they learn of a pattern of activity or practice of a covered entity that constitutes a material breach or violation of the BAA.
- HITECH Amendments – Business associates must comply with the HITECH HIPAA Amendments, which were summarized in the first HITECH alert of this series, and the HITECH Breach Notification Standards, which will be addressed in the upcoming third HITECH alert of this series.
In order to comply with these requirements, business associates will need to review their current compliance procedures applicable to their BAAs, determine where compliance infrastructure is required, and implement the appropriate policies, procedures and training programs. This will initially require an assessment of (i) how many BAAs the business associate has and with whom, (ii) the extent of the activities a business associate conducts on behalf of covered entities, (iii) how the business associate handles and processes PHI (e.g., where is PHI stored and who has access), and (iv) possible risk areas so that the potential for breaches can be minimized or eliminated. Business associates should also consider amending their BAAs, as addressed below.
Covered Entities and Business Associates Should Consider Amending Their BAAs
Pursuant to HITECH, effective February 17, 2010, the new security and privacy standards “shall be incorporated into the business associate agreement between the business associate and covered entity.” It is unclear at this time whether actual amendment of existing BAAs is required or whether the new privacy and security provisions are deemed to have been automatically incorporated into BAAs by operation of law.
It is anticipated that governmental guidance will soon be issued to address this question. However, regardless of whether an amendment to BAAs is legally mandated under HITECH, covered entities and business associates should consider amending their BAAs and drafting new forms for BAAs due to the potential effects HITECH will have on the dynamics of the business relationship between covered entities and business associates. For example, under the HITECH Breach Notification Standards (which will be addressed in the upcoming third HITECH Alert), covered entities and business associates each have notification obligations when unsecured PHI is breached and compliance with these Standards will require communication and coordination between the parties. We recommend that business associates and covered entities delineate in their BAAs their respective legal obligations and agree to certain communication terms to ensure their obligations will be satisfied in the event of a breach. For instance, the parties may want to specifically address in their BAAs whether the business associate must notify the covered entity of a potential breach and the procedure to be used in order to perform a risk assessment to determine whether or not a “breach” under the HITECH Breach Notification Standards has, in fact, occurred. In addition, business associates should consider whether to specifically limit their access to PHI in their BAAs to minimize the potential for HIPAA violations and avoid unnecessary liability.
As we await further guidance and regulations from the Secretary to fully implement the HITECH Act, in light of the present uncertainty, it is best for covered entities and business associates to also agree to ongoing periodic assessments of their BAAs to facilitate compliance as the law evolves.
¦ ¦ ¦
For more information, please contact:
David M. Hyman ¦ Member of the Firm ¦ (973) 530-2009 ¦ firstname.lastname@example.org
Daniel A. Schwartz ¦ Member of the Firm ¦ (973) 530-2005 ¦ email@example.com
Nicole DiMaria ¦ Counsel ¦ (973) 530-2111 ¦ firstname.lastname@example.org