Healthcare Practice: HITECH Act Raises the Bar For Business Associates
HITECH Act Raises the Bar For Business Associates
It is important for health care providers, health plans, health care clearinghouses and their business associates to review their relationships, policies and procedures to ensure that all parties are in compliance with significant recent changes affecting their obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and related Privacy and Security Rules. This Alert discusses the impact of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) on business associates, including the need to evaluate business associate relationships and amend business associate agreements in light of the changes in the law.
Background on Business Associate Relationships
HIPAA allows covered entities to disclose protected health information (“PHI”) to business associates and allows business associates to create or receive PHI on behalf of the covered entity, so long as certain requirements are satisfied, including the execution of a business associate agreement.
For purposes of HIPAA, a “covered entity” is a health plan, health care clearinghouse (such as a billing service converting paper data into standard claims for submission to a health plan) or health care provider (such as a hospital or physician practice) who transmits health information in electronic form.
In general, a “business associate” is a person (other than a member of the covered entity’s workforce) or entity who, on behalf of a covered entity, performs an activity involving the use or disclosure of PHI, such as the performance of financial, legal, actuarial, accounting, consulting, data aggregation, management, administrative or accreditation services to or for a covered entity. The HITECH Act expanded the definition of business associate to include health information exchanges, regional health information organizations, e-prescribing gateways and other organizations that provide data transmission of PHI to a covered entity, as well as vendors that provide personal health record systems for covered entities.
As a condition for allowing a business associate to create, receive, maintain or transmit PHI on behalf of a covered entity, the covered entity is required to obtain written assurances that the business associate will implement appropriate safeguards to protect the confidentiality and security of the PHI. These written assurances can be included within the underlying contract between the parties (for example, a services agreement) or in a freestanding document, or as an addendum or attachment to the underlying contract. The document (or portions of a larger document) describing safeguards and related requirements that a business associate must follow with regard to confidentiality, security, use and disclosure of the covered entity’s PHI is typically referred to as a “business associate agreement.”
Expansion of HIPAA Standards and Sanctions to Business Associates
On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (commonly referred to as "ARRA" or the "Stimulus Bill"), which includes the HITECH Act. The HITECH Act provides incentives for the use of electronic health records and expands the obligations of covered entities and business associates to protect the confidentiality and security of PHI. In our June 2009 Alert, we provided an overview of key HIPAA-related changes under the HITECH Act. [Click the link below to view the Alert.]
Prior to the HITECH Act, business associates had contractual obligations under their business associate agreements to maintain the privacy and security of PHI, but were not subject to sanctions for violations under HIPAA. The HITECH Act applies most of the security standards and a number of the privacy standards directly to business associates, requires business associates to comply with the new security breach notification requirements, and subjects business associates to civil and monetary penalties for HIPAA violations. Furthermore, the HITECH Act strengthens HIPAA penalties and enforcement mechanisms, and requires the Secretary of Health and Human Services to perform periodic audits to ensure that covered entities and business associates comply with HIPAA’s Privacy and Security Rules.
Most of the HITECH Act changes will become effective on February 17, 2010, although some (such as the security breach notification requirement discussed below) have already taken effect, and some others will take effect later. Regulations implementing many of the HITECH Act provisions are expected to be published soon, and will take effect on February 17, 2010.
Amendments to Business Associate Agreements
In the past, it has been common for covered entities to request the execution of a business associate agreement, and for the contracting party to execute the agreement, without confirming that a business associate relationship exists or that the agreement sets forth appropriate terms. Moreover, business associates who are not requested by the covered entity to sign a business associate agreement have traditionally had little incentive to point out that a business associate agreement is required. The rules of the game have now changed. If a business associate relationship exists, both the covered entity and the business associate will now potentially be in violation of HIPAA if they fail to enter into a business associate agreement setting forth the required terms.
There is some uncertainty regarding whether the HITECH Act requires existing HIPAA business associate agreements to be amended to reflect the HITECH Act, or whether HITECH Act provisions will automatically be incorporated into business associate agreements. Pending further clarification from the government on this issue, a cautious approach would be to amend existing business associate agreements. Even if it is eventually determined that amendment is not required in order to comply with the HITECH Act, amendments will generally be advisable to clarify each party’s responsibilities and obligations.
Covered entities and business associates should review their business associate agreements and determine appropriate amendments to address the HITECH Act provisions and rules that have been, or will soon be, implemented. Key changes to business associate agreements relate to security breach notification, responses to noncompliance and accounting for disclosures.
Security Breach Notification Requirements
The security breach provisions of the HITECH Act and related regulations require covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI to provide notification upon discovering a "breach" of unsecured PHI. For purposes of this notification requirement, a "breach" is generally defined as the unauthorized acquisition, access, use or disclosure of unsecured PHI. The HITECH Act and regulations set forth specific requirements mandating the content of the notice, the timeframe for providing the notice and the identity of the parties required to receive such notice. These security breach notification requirements became effective on September 23, 2009.
A business associate who discovers a breach will be required to notify the covered entity without unreasonable delay and in no case later than 60 days after discovery. A breach will be deemed to be discovered on the earlier of the date the breach first becomes known to the business associate or the date the breach would have been known if the business associate had exercised reasonable diligence. It is therefore imperative for business associates to train their personnel to promptly identify and report potential breaches to appropriate compliance personnel for review.
Business associate agreements should be amended to reflect the new breach notification requirements. From the covered entity’s perspective, it is particularly important to obtain the business associate’s agreement to promptly notify the covered entity of any security breach. Other security breach issues to consider addressing in a business associate agreement include the following:
- any obligation of the business associate to secure PHI by satisfying encryption standards (covered entities may wish to obtain this commitment in order to avoid security breach notification obligations that apply only to “unsecured” PHI, although some business associates may be concerned about the costs and potential liabilities that may result from making this commitment);
- deadlines for reporting security breaches to the covered entity;
- description of information to be provided in the report;
- any obligation of the business associate to provide security breach notifications on behalf of the covered entity or to assist in providing such notice; and
- the respective responsibilities of the covered entity and business associate to pay any expenses associated with security breaches and to indemnify each other for security breaches.
For more information on the breach notification requirements under the HITECH Act, please see our October 2009 Alert (http://www.mcdonaldhopkins.com/news.aspx?id=ZnYvLgR-OU--AA4hB1gqSw).
Mutual Obligation to Cure, Terminate or Snitch
If either the covered entity or the business associate becomes aware of a material breach of the other’s obligations under the business associate agreement, the HITECH Act requires the non-breaching party to take reasonable steps to cure the breach. If such steps prove unsuccessful, the non-breaching party is required to terminate the contract (if feasible) or notify the Department of Health and Human Services (“HHS”). Previously, only covered entities (and not business associates) have been subject to this obligation to cure, terminate or snitch. Business associates may now be placed in the uncomfortable position of determining whether to report their covered entity clients to HHS.
Business associate agreements typically reflect the prior one-way street. As such, business associate agreements should be amended to reflect the new two-way obligation to cure, terminate or snitch. In light of this new responsibility, the parties may wish to consider either cutting back on the covered entity’s duties or clarifying those duties. Further, the parties should consider adding specific provisions that describe the steps the non-breaching party will take in the event of a breach of the agreement and how to determine whether termination of the agreement is or is not “feasible.” If the steps to cure the breach are unsuccessful and termination is not feasible, the parties may want to identify in the agreement the procedure for notifying HHS. For example, the parties may want to contractually require the non-breaching party to provide the breaching party with advance written notice of its intent to notify HHS and perhaps provide a copy of that notification.
Accounting for PHI Disclosures
In general, the HIPAA Privacy Rule provides individuals with a right to receive an accounting of the disclosures of their PHI. As such, HIPAA requires the business associate to make information available to the covered entity to enable the covered entity to provide the accounting of the disclosures to the individual.
Now under the HITECH Act, a covered entity must provide an accounting of the disclosures of PHI made by the covered entity and either (i) an accounting of the disclosures made by business associates acting on behalf of the covered entity or (ii) a list of all business associates (and their contact information) acting on behalf of the covered entity.
From a drafting perspective, the covered entity and the business associate may want to state in the business associate agreement whether the covered entity will exercise option (i) or option (ii). Determining which option the covered entity will exercise in advance (via the business associate agreement) will help both the covered entity and the business associate to be prepared in the event an individual requests an accounting of the disclosures of his or her PHI.
What Should Covered Entities and Business Associates Do Now?
The HITECH Act raises the bar for covered entities and business associates. It is now more important than ever to determine whether arrangements between a covered entity and its vendors or other service providers create business associate relationships and, if so, to properly characterize and document the relationship through business associate agreements.
The first step in the process is to review existing and proposed arrangements to determine whether a business associate relationship exists. If so, then a business associate agreement is required, and any existing business associate agreements should be reviewed and updated. Don’t assume that your current business associate agreement is sufficient, as most are not, even if they were appropriate when prepared.
Business associates need to consider whether it will be feasible to satisfy their business associate obligations under HIPAA and the business associate agreements, and whether the possible exposure to civil and criminal sanctions under HIPAA and the HITECH Act are acceptable. If not, the contracting parties may wish to consider whether the relationship could be changed to remove the need to access PHI and thereby avoid business associate status.
Business associate agreements should be avoided if a business associate relationship does not exist. If it is uncertain whether a vendor is a business associate, then consider inserting a provision into the agreement to the effect that the execution of the agreement that includes HIPAA safeguards is not an admission that a business associate relationship exists.
Business associates will need to take appropriate steps to ensure that they can satisfy their duties under business associate agreements and under the HITECH Act, the Privacy Rule and the Security Rule. In particular, business associates will now need to implement administrative, physical and technical safeguards, as well as maintain written policies, procedures and documentation. To the extent that a business associate engages a subcontractor to perform the business associate's PHI related functions, the subcontractor should be required to promptly notify the business associate of any security breaches, and could be required to implement appropriate policies and procedures.
The indemnification obligations of the covered entity and the business associate warrant serious consideration. Business associates may also wish to check on whether errors and omissions or similar coverage may be available for violations of HIPAA, the HITECH Act, or their business associate agreements.
* * *
To find out more about how to comply with HIPAA and the HITECH Act or to amend your business associate agreement, please contact one of our Healthcare Practice attorneys.
Rick L. Hindmand, 312.280.0111 or firstname.lastname@example.org
Rachel H. Solomon, 312.280.0111 or email@example.com
Healthcare Practice Group
McDonald Hopkins has a large and diverse healthcare practice, which is national in scope. The firm represents a wide variety of healthcare providers, facilities, vendors, technology companies and associations. Our diverse experience enables us to give our clients a unique perspective on the issues that may confront them in the rapidly evolving healthcare environment.
Carl J. Grassi, President | 216.348.5400
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114
Chicago | Cleveland | Columbus | Detroit | West Palm Beach