HIPAA Series Part II: Effect on Business Associates

Last month’s Part I installment provided an in-depth discussion of the historical underpinnings and foundation of the current HIPAA regulation.[1] This month’s Part II installment focuses on the latest amendment to the HIPAA regulations, which significantly alters previously published requirements affecting business associates and their subcontractors. Specifically, the January 25, 2013 edition of the Federal Register published an omnibus final rule, made up of four final rules, that affects business associates under HIPAA in three principal respects: (1) the definition of business associate; (2) the liability of business associates and subcontractors; and (3) the level at which agreements between business associates and “covered entities” are scrutinized. The final rule takes effect on March 26, 2013, and requires all covered entities and business associates to comply with the new requirements by September 23, 2013.

Under the previous HIPAA regulations, a business associate was generally defined as “…a person who performs functions or activities on behalf of, or certain services for, a covered entity that involves the use or disclosure of protected health information [PHI].”[2] In the January 25, 2013 final rule, this definition was expanded to include a person who “creates, receives, maintains, or transmits PHI on behalf of a covered entity” [emphasis added], and now expressly includes entities that perform patient safety activities, entities that transmit PHI to a covered entity on a routine basis, and vendors of personal health records.[3] It has been estimated that approximately half a million business associates will fall under the new definition,[4] though the Office for Civil Rights (OCR) has yet to issue clarification regarding “the types of entities that do and do not fall within the definition of business associate.”[5]

The Final Rule goes on to define a subcontractor as an example of a “downstream entity” that “work[s] at the direction of or on behalf of a business associate and handle[s] PHI…”, and further specifies that any such downstream entity is obligated to comply with HIPAA provisions, and is exposed to the same liabilities, as a primary business associate, “even if the entity does not actually view the [PHI].”[6] This updated definition reaches entities such as document storage companies, e.g., a cloud provider contracted by a law firm to store medical malpractice records, which previously were not covered under HIPAA.[7] In addition, covered entities and business associates are required to obtain and maintain business associate agreements with each other, and business associates must do the same with any subcontractors or downstream entities, so that every entity that handles PHI is bound to comply with the HIPAA requirements governing it.[8] Toward this end, the U.S. Department of Health and Human Services (HHS) has provided specific guidance and sample business associate agreement language on its website.[9]

Additional changes were made to the penalties associated with HIPAA violations. Under the Final Rule, business associates are now, in addition to covered entities, directly liable for HIPAA violations, and an impermissible use or disclosure of PHI is presumed to be a breach unless the responsible entity can demonstrate, through a risk assessment, that there is a low probability that the PHI has been compromised.[10] This differs from the previous regulation, which determined penalties based on the “…nature and extent of the violation… [and] of the resulting harm” [emphasis added] from noncompliance.[11] The rule calibrates civil penalties according to three categories of culpability, in ascending order: (1) lack of knowledge despite “reasonable diligence”; (2) “reasonable cause”; and (3) “willful neglect”, the last of which is further divided according to whether the violation was corrected. Penalties may reach $50,000 per violation, not to exceed $1.5 million per calendar year for identical violations, in addition to potential criminal liability.[12]

The latest amendment to the HIPAA regulations differs markedly from several requirements set forth in previous regulatory guidance regarding the protection of PHI. The altered definitions of business associate and subcontractor greatly expand the reach of the regulations to entities not previously affected by HIPAA, e.g., data management companies. Additionally, the extension of direct liability to business associates, combined with the relatively short implementation window ending with the September 23, 2013 compliance deadline, may prove difficult for many entities newly obligated to comply. As covered entities and business associates await further guidance and clarification from HHS on the final rules, they should review all business associate and subcontractor relationships and agreements for compliance with the new requirements, and should likewise review internal policies and personnel training on the appropriate handling of PHI.[13]


[1] “HIPAA Series Part I: History and Overview of HIPAA Legislation,” Health Capital Topics Newsletter, Vol. 6, No. 2, February 2013.
[2] “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule,” Federal Register, Vol. 78, No. 17, January 25, 2013, p. 5570.
[3] Ibid., pp. 5570-5572.
[4] “BAs are now Under Great Pressure,” Theresa Defino and Francie Fernald, eds., Report on Patient Privacy, Vol. 13, No. 2, February 2013, p. 9.
[5] Federal Register, Vol. 78, No. 17, January 25, 2013, p. 5571.
[6] Federal Register, Vol. 78, No. 17, January 25, 2013, pp. 5572-5573.
[7] Defino and Fernald, eds., pp. 9-10.
[8] Defino and Fernald, eds., p. 10.
[9] “Business Associate Contracts: Sample Business Associate Agreement Provisions,” U.S. Department of Health & Human Services, January 25, 2013, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html (accessed March 12, 2013).
[10] Federal Register, Vol. 78, No. 17, January 25, 2013, p. 5641.
[11] Federal Register, Vol. 78, No. 17, January 25, 2013, pp. 5641-5642; “HIPAA Administrative Simplification: Enforcement,” Federal Register, Vol. 74, No. 209, October 30, 2009, p. 56128.
[12] Federal Register, Vol. 78, No. 17, January 25, 2013, pp. 5582-5583.
[13] “Final HIPAA/HITECH Privacy and Security Rules: ‘Covered Entity’ and ‘Business Associate’ Issues for Employers,” Schiff Hardin LLP, The National Law Review, March 10, 2013, p. 3, available at http://www.natlawreview.com/article/final-hipaahitech-privacy-and-security-rules-covered-entity-and-business-associate-i
