
Is Your Healthcare Organization PHI Compliant?

In 2013, the Department of Health and Human Services (“HHS”) issued its Omnibus Final Rule, which required health care entities such as providers, plans, or clearinghouses to make specific updates to their contracts with business associates. [1] Some of these updates included provisions that would extend a covered entity’s civil and criminal liabilities to business associates and subcontractors for noncompliance with the Health Insurance Portability and Accountability Act’s (“HIPAA”) security and privacy requirements. [2] To comply with these changes, providers, business associates, and any downstream subcontractors that handle Protected Health Information (“PHI”) must ensure that their contracts are compliant under the new standards. [3]

In order to comply with the Final Rule, a Business Associate Agreement (“BAA”) must include provisions that impose security and privacy requirements on the downstream subcontractor; assert the business associate’s right to terminate the downstream subcontractor for security violations; require notification of the upstream business associate regarding downstream data breaches; and require subcontractors to include these terms in subsequent downstream agreements. [4]

Although many business associate contracts needed to be updated by September of 2013, the HHS extended the compliance deadline for grandfathered agreements that began before the issuance of the Final Rule to September 22, 2014. [5] If a healthcare provider, such as a pharmacy or hospital, had a HIPAA-compliant BAA in place before January 25, 2013 that was not renewed or modified, it would be compliant only until September 22, 2014. [6]

These requirements have important implications for pharmacies and hospitals due to the vast amount of PHI that is disseminated between providers via e-prescribing and Electronic Medical Record (“EMR”) functionalities. Now that the September 22, 2014 deadline has passed, all BAAs between providers, their software vendors, and all subcontractors must be updated to reflect the provisions of the Final Rule. The HHS Office for Civil Rights (“OCR”) will begin conducting HIPAA audits to ensure that all covered entities, business associates, and subcontractors are operating under compliant agreements. [7] Moving forward, hospitals, pharmacies, and all other covered entities should conduct periodic internal risk analyses. Despite the expense of these analyses, completing them in advance of a HIPAA audit will certainly reduce the risk of a costly non-compliance settlement.

Brian King is a current student at DePaul University College of Law in Chicago. Dr. King holds a PharmD from Purdue University and is a practicing pharmacist in the Chicago area. He will complete his law degree and certificate in health law in 2017.
[1] Ned Milenkovich, HIPAA business associate agreements: Update deadline approaches, Drug Topics (Sept. 3, 2014), /drug-topics/news/hipaa-business-associate-agreements-update-deadline-approaches.

[2] Modifications to HIPAA under HITECH, 78 Fed. Reg. 5565 (Jan. 25, 2013) (to be codified at 45 C.F.R. pt. 164).

[3] Milenkovich, supra.

[4] Stephen Wu, Deadline Ahead: Last-Minute HIPAA Business Associate Compliance, Journal of AHIMA (Sept. 11, 2013); Christopher Lockman, Deadline Approaches for Business Associate Agreement Compliance Updates, Benefits Law Update Blog (Aug. 7, 2014, 4:51 PM).

[5] Milenkovich, supra.

[6] Christopher Lockman, Deadline Approaches for Business Associate Agreement Compliance Updates, Benefits Law Update Blog (Aug. 7, 2014, 4:51 PM).

[7] Michael Epshteyn, As Business Associate Agreements Amendment Deadline Approaches, OCR Discusses Upcoming HIPAA Audits, Chronicle of Data Protection (Sept. 18, 2014).