One of the most significant changes made by the HITECH Act pertains to the role of business associates under HIPAA. A “business associate” is defined as any person or organization who, on behalf of a covered entity (such as an ambulance provider), creates, receives, maintains or transmits protected health information (PHI). Business associates include, but are not limited to, billing companies and electronic health record vendors, plus accounting, legal, actuarial and other administrative services providers who require access to PHI.
Up until now, covered entities generally have not faced liability under HIPAA for the misconduct or negligence of their business associates, so long as the covered entity had no reason to know the business associate would violate HIPAA. As of the Compliance Date, however, this will dramatically change.
Under the HITECH Act, covered entities will be liable, in accordance with the federal common law of agency, for civil money penalties resulting from a violation caused by an act or omission of their business associates or other agents occurring within the scope of that agency relationship. This means that an ambulance provider can be held fully liable for the violation of its business associate even though the provider had no reason to know of the business associate’s violation.
For example, if an ambulance provider’s billing company loses an unencrypted laptop containing the Social Security numbers or other data of thousands of patients, the covered entity can be held fully liable for that violation. Since fines for similar HIPAA violations have in some cases exceeded one million dollars, the exposure is substantial.
Notably, not all business associates will be deemed to be agents of their covered entities. In the preamble to the Final Rule, OCR indicates that in determining whether a business associate is, in fact, an agent of its covered entity, a number of factors which the federal courts have found significant in defining an agency relationship must be considered.
The most important factor is whether the covered entity has the right to control the business associate’s conduct while the business associate performs a service for, or on behalf of, the covered entity. According to OCR, the authority of a covered entity to give detailed instructions or directions to the business associate in connection with the performance of its duties for the covered entity is the primary factor distinguishing an agency relationship from a non-agency relationship. In contrast, if the covered entity’s sole recourse, in the event it is dissatisfied with its business associate’s performance, is to terminate the relationship, then the relationship is probably not an agency. Such an analysis will be fact-specific, and should take into account the terms of the agreement between the parties as well as the totality of their relationship.
In light of this issue, ambulance providers should draft their business associate agreements, and the underlying service agreements, so that they do not inadvertently establish an agency relationship unless it is important that the covered entity have the right to direct the details of the business associate’s work.
The HITECH Act also imposes substantial new obligations on business associates corresponding to most of the duties imposed on covered entities. These new duties include, but are not limited to, a requirement that the business associate fully comply with the HIPAA security rule. Under the security rule, business associates will be required to implement administrative, technical and physical safeguards to protect the PHI under their control. This requires business associates to conduct a risk analysis or gap assessment to determine whether they meet the standards in the HIPAA security rule. Business associates must also comply with most of the requirements of the HIPAA privacy rule.
The HITECH Act further makes significant changes in the exposure business associates face for violations of HIPAA. Up to now, business associates have had liability for violations of HIPAA only under their business associate agreements with their covered entities. In other words, they could be terminated or sued for breach of contract by their covered entities, but they could not be prosecuted or fined by the government. In contrast, under the HITECH Act, as of the Compliance Date, business associates will be subject to fines and penalties to the same extent as covered entities for violations of HIPAA.
Another important new obligation of business associates is that they must ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to PHI. This will require that business associates enter into written agreements with their subcontractors setting forth the same terms and conditions that are imposed upon the business associate in their business associate agreement with their covered entities. The subcontractors will be deemed to be business associates for purposes of HIPAA, and, like first-tier business associates, will be subject to penalties and fines if found to be noncompliant.
The HITECH Act requires that covered entities and their business associates, as well as first-tier business associates and their subcontractors, enter into business associate agreements–or amend their existing agreements–to comply with the new obligations imposed upon them under the HITECH Act. In recognition of the complexities of revising numerous business associate agreements, OCR is providing additional time for some covered entities and business associates to come into compliance. Depending upon when the parties’ original business associate agreement was entered into, the parties will have up to a full additional year (i.e., until September 2014) to enter into new or revised business associate agreements incorporating the new requirements of the HITECH Act.
In revising business associate agreements to comply with the HITECH Act’s new requirements, providers might also want to discuss additional issues. In particular, covered entities might want to address in detail the liabilities and responsibilities of their business associates in the event they are responsible for a breach of unsecured PHI. Notification requirements for such breaches under HIPAA are another area that was dramatically changed by the HITECH Act in a manner that will likely result in more frequent reports.
Finally, in revising their business associate agreements, ambulance providers and other covered entities should be aware that OCR has posted sample business associate agreement provisions on its website (www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html). In addition to incorporating the mandatory elements required under the HITECH Act, the OCR template makes certain additional recommendations which should be considered.