BNA INSIGHTS: New HIPAA Regulations: What Liability Risks Loom Under the Expanded Business Associate and Breach Notification Provisions?
By Nancy L. Perkins, Arnold & Porter LLP.
In its new omnibus final rule governing health data privacy, security, and enforcement published Jan. 25, the Department of Health and Human Services has unilaterally broadened the scope of potential liability under the Health Insurance Portability and Accountability Act of 1996 to a vastly greater range of persons and entities than those Congress apparently contemplated. Confirming its view of its own authority under HIPAA, HHS adopted the expanded definition of “business associate” under HIPAA that it suggested in a proposed rule in 2010: going forward, subcontractors of covered entities’ business associates will be business associates themselves.
At the same time, HHS tightened the standards for notification of breaches of the security of health information that it prescribed in an interim final rule in 2009. No longer may HIPAA covered entities and business associates determine that breach notifications are unwarranted because a data security incident appears to pose no significant risk of harm to individuals whose health information was involved. Instead, notifications are uniformly required unless, following an investigation, it can be determined that there is a “low probability” of any compromise to the security of individually identifiable health information.
These two moves—even setting aside the numerous other compliance requirements associated with the final rule—substantially raise the stakes for a wide variety of entities that may have access to medical information, particularly in light of the heightened civil and criminal penalties for data protection violations authorized by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Under the HITECH Act, violations of the HIPAA Privacy Rule or Security Rule are punishable by penalties as much as $50,000 for each violation (up to $1.5 million within a single year). In addition, state attorneys general may sue for injunctive relief, statutory damages, and attorneys’ fees, with damages potentially running as high as $100 per violation or $25,000 for all violations of an identical requirement or prohibition during a single calendar year.
Clearly, the new final rule merits close attention and counsels in favor of proactive—and timely—compliance planning. The final rule takes effect March 26 and compliance with most of its provisions is required by Sept. 23.
Background on the HITECH Act and the HIPAA Privacy and Security Rules
In the HITECH Act, Congress prescribed a number of changes to the HIPAA Privacy and Security Rules, which collectively serve to protect the privacy and security of “protected health information” (PHI). As originally adopted by HHS, consistent with HIPAA, the Privacy and Security Rules directly applied only to HIPAA “covered entities,” which are (1) health plans, (2) health care clearinghouses, and (3) health care providers who perform certain transactions involving health information in electronic form. The original rules affected, but did not directly apply to, business associates of those covered entities (such as billing and claims administrators, accountants, attorneys, and data management companies): a business associate could receive an individual’s PHI from a covered entity only if the covered entity obtained satisfactory assurances from the business associate that it would protect the PHI in a manner consistent with the covered entity’s obligations under the Privacy Rule. Such satisfactory assurances are to be provided in a business associate agreement (BAA) between the parties that contains specific commitments.
What Has HHS Now Done With the “Business Associate” Definition?
Despite receiving many objections, HHS adopted in the final rule its proposed expansion of the HIPAA rules’ definition of business associate to include subcontractors of HIPAA business associates. HHS acknowledged that the proposed expansion was viewed by many as “not the intent of Congress and beyond the statutory authority of the Department,” and that commenters believed “creating direct liability for subcontractors will discourage such entities from operating and participating in the health care industry.” But HHS disagreed, noting that the HITECH Act “does not bar the Department from modifying definitions of terms in the HIPAA Rules to which the Act refers,” and opining that the statute “expressly contemplates that modifications to the terms may be necessary to carry out the provisions of the Act or for other purposes.”
According to HHS, its expanded business associate definition is necessary to prevent the lapse in protection for PHI once a subcontractor is enlisted to assist a primary business associate. Thus, under the final rule, “covered entities must ensure that they obtain satisfactory assurances required by the [HIPAA] Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far ‘down the chain’ the information flows.” And, as HHS further explained, the factors that determine whether a first-tier contractor is a business associate also govern the determination of whether a subcontractor is a business associate.
Who IS and Who Is NOT a Business Associate?
HHS received a number of comments objecting to the proposed expanded definition of business associate on the ground that it was confusing and ambiguous. As these comments emphasized, the ability to determine which entities are covered by the definition is critical, particularly in light of the enhanced penalties authorized by the HITECH Act. In response, HHS provided some further clarification and guidance on the scope of the new business associate definition. However, ambiguities remain…