Traditionally, the obligations of a business associate to comply with the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act (“HIPAA”) were the result of contractual obligations contained in an agreement between the business associate and a covered entity (a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically). This agreement is typically referred to as a business associate agreement. Prior to September 23, 2013, the Office of Civil Rights, the agency responsible for enforcing HIPAA, had authority to impose sanctions only on the covered entity for failing to comply with the Privacy and Security Rules. This led many covered entities to draft business associate agreements with clauses allowing them to seek indemnification from the business associate for any sanctions incurred by the covered entity due to a failure of the business associate to protect patient information.
However, effective September 2013, the Omnibus Rule made the most sweeping changes to the Privacy and Security Rules since they were first implemented. Most notably, business associates became subject to direct liability for violations of both the Privacy Rule and Security Rule. Business associates need to be aware that they are now subject to civil and criminal penalties for violations of HIPAA. These civil penalties can range from $1,000 up to $1,500,000. Criminal penalties include fines ranging from $50,000 up to $250,000 and imprisonment up to 10 years.
Additionally, the Secretary of the Department of Health and Human Services may conduct compliance reviews to determine whether a business associate is complying with the applicable administrative simplification provisions. Furthermore, all complaints filed with the Office of Civil Rights receive a preliminary review and inquiry. However, if a preliminary review of the facts indicates a possible violation due to willful neglect, the Secretary will conduct a compliance review.
So, what did the Omnibus Rule change with respect to business associates? First, the term “Business Associate” has been expanded to include: (i) health information organizations, E-prescribing gateways, or other entities that provide data transmission services to a covered entity and that require access to PHI on a routine basis; (ii) a person or entity that offers a personal health record to one or more individuals on behalf of a covered entity; and (iii) a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.
The Omnibus Rule also changed the definition of a business associate to include a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Specifically, the word “maintains” was added to the definition. This change should not be overlooked, because the modification was intended to draw a distinction between entities that merely provide courier services (such as the U.S. Postal Service, United Parcel Service, or their electronic equivalents – internet service providers) and entities that actually maintain PHI, whether in digital or hard-copy form. Therefore, data storage providers and document storage providers are now considered business associates regardless of whether the PHI is actually viewed by the entity.
In Part II we will explore how the Omnibus Rule expanded the compliance obligations of the business associate. For now, if you are a company that provides services to a covered entity/health care provider and you create, receive, maintain, or transmit PHI, you are a business associate. You are now directly liable for violations of the Privacy and Security Rules. If you are a covered entity, be aware that you may need to enter into additional business associate agreements based on the expanded definition of business associate.