New HIPAA Laws Will Affect Thousands of Companies

Thousands of Subcontractors May Soon Have to Comply with HIPAA

Perhaps the biggest surprise in the U.S. Department of Health and Human Services' July 14, 2010, proposed rule was a concept that went beyond the language of the HITECH Act: the appearance of the term "subcontractors" in the list of organizations that would have to comply with the same privacy and security regulations as business associates.

"This will have a huge impact because it means that there are many, many people who have to comply with the HIPAA rules who didn't have to before," says Kristen Rosati, a partner with Coppersmith Schermer & Brockelman PLC in Phoenix. "It really vastly expands the universe of organizations that have to comply with these regulations."

Suddenly You’re a Subcontractor

These subcontractors are one tier further down the chain of those who handle protected health information. Subcontractors are akin to business associates (BAs) of business associates. They do for BAs what BAs do for covered entities (CEs).

Whether it is necessary to include them in the HIPAA regulations can be debated, and it remains to be seen whether they make it into the final rule. But for now, the concept is giving BAs and HIPAA experts a huge headache. They expect that the concept is here to stay and recommend creating compliance strategies to address the issue now.

Desire to Avoid a Lapse

As the rulemaking explains, "we propose to add language to the definition 'business associate' to provide that subcontractors of a covered entity — that is, those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate's workforce — are also business associates to the extent that they require access to protected health information."

Perhaps recognizing the magnitude of this expansion, HHS says these proposed modifications are "similar in structure and effect to the privacy rule's initial extension of privacy protections from [CEs] to [BAs] through contract requirements to protect downstream protected health information."

HHS believes it must extend the requirements to subcontractors to keep with Congress's intent and hold business associates fully accountable. The proposed provisions "avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity," the rulemaking states. Allowing such a lapse in privacy and security protections may allow business associates to avoid the liability imposed on them by the relevant portions of the HITECH Act.

HHS also says that even if the business associate, perhaps because it isn't aware of this new provision, fails to execute a business associate agreement (BAA) with the subcontractor, the government would consider the definition to apply to any agent or other person who acts on behalf of the BA. This means that, under the proposed regulation, both the BA and its subcontractor are still required to comply whether or not they have a contract with each other.

Determine Who is a Subcontractor

Tanya Forsheit, a founding partner of the Information LawGroup, based in Los Angeles, says CEs need to contact their BAs and find out which entities might qualify as subcontractors. "If you are a CE, you should be doing due diligence to find out who your BAs are sharing data with," she says. And subcontractors will have to figure out whether they are doing work for a BA that would put them under HIPAA according to the proposed rulemaking.

As CEs should be doing with BAs, BAs may also choose to scrutinize their list of subcontractors to determine whether each appears to be a good risk or poses an unnecessary one. While the HITECH Act holds BAs directly liable for fines, penalties and other enforcement actions, and the proposed rules would now do the same for subcontractors, it is still the CE that may have to notify patients, the media and OCR if there is a breach. It is the CE's reputation that will be on the line if something goes wrong.

Asked who could be a subcontractor, Forsheit says the list is almost endless. "It could even be an ISP or a cloud vendor," she says.

If so, this might prove problematic, Forsheit says. "Generally, a lot of cloud vendors have really pushed back when CEs and other data owners wanted them to accept liability for any privacy and security compliance obligations of the data owners," she says. The July 14 rulemaking gives the example of a document shredding company hired by a BA, such as a third-party administrator, as one possible subcontractor.

Rosati says that the new obligations are likely to come as a shock. "There are going to be a lot of companies that are not aware of their compliance obligations," she says. "One of my concerns is making sure there is adequate education about this."

Once a BA (and the CE, if it chooses to be involved) has vetted a subcontractor, the BA must sign an agreement with the subcontractor, which would still technically be a BAA.

Agreement Must Contain Specifics

Forsheit notes that these agreements between BAs and subcontractors will need to spell out the subcontractor's obligations to the BA, in much the same way the BA is obligated to the CE.

For example, the agreement with the subcontractor should require the subcontractor to notify the BA when there is a breach, and to do so within a specified period of time.

The BAA may require such notice to be given as soon as possible, Forsheit says. In her practice, she has seen BAAs that specify as little as a few hours or a few days, with verbal notice to be made first, followed by a written report within a few days.

She cautions that the reporting time frame should also be calculated to comply with any state breach notification requirements, which can be shorter than the 60-day outer limit under the HITECH Act's breach notification provisions.

In addition, the BAA should spell out who notifies patients, OCR and the media in the event of a breach affecting more than 500 individuals.

The proposed rulemaking makes it clear that the CE itself does not have to have a relationship with the subcontractor. "[T]his proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information," HHS says.

Finally, the agreement with the subcontractor will need to address indemnification and the costs associated with breaches, such as offering credit monitoring to affected individuals, so that, in the event of a breach, it is clear what the BA expects of its subcontractor.

Objections Should Be Raised with HHS

The BA's agreement with the subcontractor may be instructive for the subcontractor in and of itself, Rosati says, as it will help explain the subcontractor's duties. Her fear, she says, is that a subcontractor might sign an agreement without knowing that signing it triggers HIPAA compliance responsibilities.

Rosati feels strongly that affected organizations should comment on the proposed rulemaking, including on the issue of including subcontractors. In her mind, there is some question as to whether HHS has the legal authority to undertake such an expansion of the organizations that must comply with HIPAA.

She suggests that CEs and BAs (and subcontractors) send comments to HHS on areas where HHS may have gone too far. "Identify areas where there are potential operational problems that will be difficult to implement or will cause substantial expense," Rosati adds.

{*certain content contained in this article courtesy of AIS, (c) 2010}
