HITECH Business Associate Rule Tool Section 3: Background and Concepts – Updated January 25

On January 17 the U.S. Department of Health and Human Services (DHHS) published the unofficial version of the HITECH Omnibus Rule, or to call it by its proper name, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.” This is the biggest expansion and revision of HIPAA and its rules dealing with Protected Health Information (PHI) to date.

The Omnibus Rule was officially published on January 25 and is available on the official website, with an effective date of March 26 and a “Compliance Date” of September 23, 2013. The Compliance Date is the date on which Covered Entities and Business Associates will be required to be in compliance with the new rules, with the exception of the new Business Associate Contract requirements for those which have existing Business Associate Contracts that are “deemed compliant.” This will be reviewed in Section 7.

While the Omnibus Rule covers a number of subjects (as its name indicates), its most significant and widely applicable change to HIPAA is a greatly expanded regulatory authority over organizations which work with Protected Health Information (“PHI”) directly or indirectly on behalf of Covered Entities – HIPAA’s Business Associates, but under a greatly expanded definition of that term.

Business Associates and Subcontractors under HIPAA before HITECH.

The reason for this change in Business Associate status is that HITECH changed HIPAA’s somewhat peculiar jurisdictional structure. HIPAA itself was limited in application to health care providers, health plans and health care clearinghouses – HIPAA’s Covered Entities – because HIPAA was really only secondarily about privacy and security. Since HIPAA didn’t reach the other kinds of entities which Covered Entities needed to use for legitimate purposes, and which therefore needed to be able to use and disclose PHI for those purposes, the HIPAA regulations created the category of “Business Associate.”

Since HIPAA couldn’t reach Business Associates directly, it reached them indirectly by requiring Covered Entities to have Business Associate Contracts with Business Associates before allowing their Business Associates to create, receive or transmit PHI for any activity, function or service they perform for or on behalf of the Covered Entity. Business Associate Contracts must meet specified regulatory requirements which pass along key Covered Entity obligations to their Business Associates. Covered Entities were required to terminate their Business Associate Contracts for uncured contract violations, and could be penalized for failing to have Business Associate Contracts when required, or failing to take action if they found out their Business Associate was in violation.

Of course, many Business Associates in their own turn need or want to use still other organizations to provide services or perform activities involving PHI, so the Business Associate can fulfill its own obligations to a Covered Entity, as shown in the following examples:

  • A health information organization (“HIO”) which manages health information exchange (“HIE”) services for a community of health care providers might contract with a cloud services provider to host its record locator service. Since HIE is an activity which involves PHI, the health care providers are Covered Entities, and the HIO is a Business Associate.
  • A security consulting firm which is providing breach response services to a health insurance carrier might contract with an electronic evidence processing firm to assist in forensics and retention of digital evidence for possible use in litigation. If the breach involves PHI, the health insurance carrier is a Covered Entity, and the security consulting firm is a Business Associate.

Under HIPAA before HITECH, in these examples the cloud services provider and the electronic evidence processing firm are both “Subcontractors.” Of course, Subcontractors were also not subject to HIPAA jurisdiction, a situation the HIPAA regulations managed by requiring Business Associate Contracts to include a provision allowing the Business Associate to use Subcontractors only if the Business Associate in turn had a contract which passed along some (but not all) of the Business Associate Contract obligations.

Neither Business Associates nor Subcontractors were subject to regulatory investigation or penalties under HIPAA before HITECH, and for many organizations this has led to some confused or lax practices, especially among Subcontractors – many of which may not even realize they have significant obligations. HITECH has now changed all this.

Business Associates and Subcontractors under HITECH.

HITECH stands for the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”).

As with HIPAA, the primary purpose of HITECH wasn’t really to be a privacy and security law. Rather, the central concern in HITECH was providing incentives for and facilitating the implementation of electronic health records (“EHRs”). As with HIPAA, however, the privacy and security aspects of HITECH are likely to wind up being the most significant for many organizations.

HITECH created new privacy requirements for both Covered Entities and Business Associates, including restrictions on disclosures by providers to health plans, changes to the minimum necessary standard, accounting requirements for disclosures made through electronic health records, and restrictions on marketing and fundraising. HITECH also established mandatory breach notification requirements and enhanced civil and criminal penalties. The most dramatic change, however, was the extension of jurisdiction beyond Covered Entities to Business Associates.

Not all HIPAA and HITECH requirements which apply to Covered Entities apply to Business Associates, but the Security Rule, breach notification requirements and a number of privacy requirements do. There are now teeth in these requirements, too, as Business Associates are now subject to regulatory investigations and to civil – and criminal – penalties for failure to comply. Since HITECH did not get rid of the Business Associate Contract requirement, they may in fact face “double jeopardy” for compliance failures, and be exposed not only to regulatory but also to contractual penalties.

The Omnibus Rule also took the logic of HITECH a perhaps unexpected step further, and amended the definition of Business Associate to include Subcontractors – and required Subcontractors-as-Business Associates to in turn have Business Associate Contracts with their own Subcontractors, who in turn, of course, are Business Associates required to have Business Associate Contracts with their Subcontractors, and so on down a contractual chain as far as activities involving PHI on behalf of a Covered Entity are subcontracted.

A Business Associate under the Omnibus Rule is therefore any organization which “creates, receives, maintains, or transmits” PHI for purposes of a service or activity performed for or on behalf of, or provided to, a Covered Entity, directly or indirectly. The scope of the uses and disclosures of PHI the Business Associate may make is established in its Business Associate Contract, and a “downstream” Business Associate Contract must be at least as restrictive as, and may be more restrictive than, the “upstream” contract from which it derives.

Of course, Business Associates have their own legitimate business or operational needs to have third parties perform services which are for the use or benefit of the Business Associate only, but which involve access to, use or disclosure of PHI the Business Associate has under a Business Associate Contract. For example, a third party administrator (“TPA”) which is the Business Associate of a Taft-Hartley health benefits plan might need to retain a law firm to help it determine its potential exposure in a security breach involving plan PHI.

The HIPAA rules before HITECH recognized this, and provided that a Business Associate Contract could permit the Business Associate to disclose PHI to a third party for the Business Associate’s own purposes if it has assurances the third party will keep the PHI confidential and report any breach of confidentiality to the Business Associate. This provision was retained, and third parties providing services to Business Associates for the Business Associates’ own purposes are not considered Subcontractors (i.e., are not themselves Business Associates). There is no regulatory definition for such third parties, who will be called “Business Associate Services Providers” for convenience.

© 2013 John R. Christiansen
