New HIPAA Landscape for Business Associates: Tracing the specific effects of ARRA on HIPAA Security Compliance

June 16, 2009

Confusion over recent changes to the HIPAA Security Rule is similar to the turmoil among healthcare administrators after the publication of the final rule several years ago. It took years for people to figure out their roles and requirements under the then-new rules. Yet after the issuance of changes under the American Recovery and Reinvestment Act (ARRA) of 2009, it’s still surprising to hear executives and security professionals making broad and firm pronouncements about things that just ain’t so.

“The Recovery Act doesn’t change HIPAA, it just pushes electronic records.”
“Business Associates have to comply just as they did before.”
“Enforcement is only for Covered Entities; BAs just follow the contract.”

Dead wrong, all of these.

In an attempt to understand these issues, a recent HIPAA/ARRA seminar attendee posed a simple question about the law reference for the definition of Business Associate, and expressed special interest in the expansion of coverage regarding “organizations that transmit protected health information or require routine access to [Protected Health Information (PHI)].” This question presents an opportunity to discuss foundational references, and cut through the confusion by considering three basic questions:

  1. What exactly are a “Covered Entity” and “Business Associate”?
  2. What were the original requirements for Business Associates?
  3. What exactly did the Recovery Act change for Business Associate compliance?

What exactly are a “Covered Entity” and “Business Associate”?

HIPAA “Covered Entities” are generally healthcare providers, payers (insurance companies), or other organizations that directly handle Protected Health Information (PHI). “Business Associates” are entities that provide one or more services to Covered Entities, where those services involve PHI.

The legal designations of Covered Entity and Business Associate are not specifically defined within the HIPAA Security Rule, but within the larger context of the Administrative Simplification framework established earlier with the HIPAA Privacy Rule. The entire framework is contained within 45 CFR Parts 160, 162, and 164 (the link provides a copy of the regulation with updates incorporated). The definition of “covered entity” is contained in 45 CFR Part 160.103:

—– REGULATORY TEXT: from 45 CFR Part 160.103 —–

Covered entity means:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

—– END TEXT —–

The definition of “business associate” is also contained in 45 CFR Part 160.103:

—– REGULATORY TEXT: from 45 CFR Part 160.103 —–

Business associate:

(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in §164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.

—– END TEXT —–

What were the original requirements for Business Associates?

The HIPAA Security “Final Rule” is contained primarily in Subpart C of Part 164, 45 CFR Parts 160, 162, and 164. The major requirements for Business Associates appear in two places in Part 164, subsections 308 and 314.

The discussion regarding HIPAA compliance in the context of Business Associates in 164.308 is commonly interpreted as meaning Business Associates are only required to give “satisfactory assurance” regarding the existence and effectiveness of security controls to Covered Entities using their services. The text also says the security controls must “appropriately safeguard the information,” which often has been interpreted to mean that a Business Associate must provide and maintain only those security controls that relate directly to the service provided. In other words, it has commonly been interpreted to mean that Business Associates should implement HIPAA required or addressable technical and physical controls to protect PHI in their care, but not implement the full complement of administrative controls.

—– REGULATORY TEXT: from 45 CFR Part 164.308 (p.8378) —–

(b)(1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information.

—– END TEXT —–

The other major mention of Business Associates in the HIPAA Security Rule does little to clarify the matter noted above. In 164.314, Business Associates are required to implement “reasonable and appropriate” safeguards for PHI data received. “Reasonable and appropriate” is commonly interpreted to mean extending security controls on behalf of the Covered Entity, but rarely to mean every administrative, physical, and technical safeguard noted in the Final Rule.

For example, a billing service receiving electronic PHI may encrypt the data in transit and at rest, as well as requiring strong access controls in accordance with HIPAA, based on the rationale that HIPAA defines “appropriate” controls. However, many such organizations have considered administrative safeguards such as workforce security (164.308(a)(3)), contingency planning (164.308(a)(7)) or broader technical controls across the enterprise, as out of scope or beyond “reasonable” for a business service.

—– REGULATORY TEXT: from 45 CFR Part 164.314 (p.8379) —–

(a)(2) Implementation specifications (Required).

(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will—

(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;

(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;

(C) Report to the covered entity any security incident of which it becomes aware;

(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

—– END TEXT —–

What exactly did the Recovery Act change for Business Associate compliance?

Changes to the HIPAA Security Rule in the ARRA are found in “TITLE XIII—HEALTH INFORMATION TECHNOLOGY Subtitle D—Privacy.” Changes pertinent to Business Associate compliance are noted in two main places:

  ■ Sec. 13401. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.

  ■ Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.

These changes simply and forcefully cut through evasive and dissembling discussions about partial compliance by Business Associates. Section 13401 clearly states that the HIPAA Security Rule in its full form (45 CFR Parts 164.308/10/12/14/16) applies to Business Associates, and that guidance will be issued annually for Business Associates and others regarding technical controls. Pointedly, it is no longer at the discretion of Business Associates to determine what constitutes “reasonable and appropriate” security controls.

—– REG. TEXT: Title XIII Subtitle D Sec. 13401 (42 USC 17931) —–

SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS.

(a) APPLICATION OF SECURITY PROVISIONS.—Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.

(c) ANNUAL GUIDANCE.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, after consultation with stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, including the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of this Act, as such provisions are in effect as of the date before the enactment of this Act.

—– END TEXT —–

In addition to the full range of controls required by the HIPAA Security Final Rule, the ARRA ensures that Business Associates don’t miss out on privacy and enforcement changes that apply to Covered Entities. Specifically, all new compliance requirements regarding privacy safeguards now directly apply to Business Associates.

Despite the nearly-identical titles of this second section and the one above, this one gives more guidance on current and future changes, as well as guidance on Business Associate Agreements (contracts). The upshot is that those contracts still serve as evidence of compliance safeguards for Covered Entities (a new form of “satisfactory assurance”), but they no longer define the limit of a Business Associate’s responsibility regarding compliance with the HIPAA Security Rule.

—– REG. TEXT: Title XIII Subtitle D Sec. 13404 (42 USC 17934) —–

SEC. 13404. APPLICATION OF PRIVACY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES.

(a) APPLICATION OF CONTRACT REQUIREMENTS.—In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title. The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) APPLICATION OF KNOWLEDGE ELEMENTS ASSOCIATED WITH CONTRACTS.—Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, shall apply to a business associate described in subsection (a), with respect to compliance with such subsection, in the same manner that such section applies to a covered entity, with respect to compliance with the standards in sections 164.502(e) and 164.504(e) of such title, except that in applying such section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract.

(c) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any provision of subsection (a) or (b), the provisions of sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner as such provisions apply to a person who violates a provision of part C of title XI of such Act.

—– END TEXT —–

The risk-shifting sands of HIPAA have changed again, creating business opportunity for some and hardship for others. Smaller and single-service businesses that fit the definition of a HIPAA Business Associate may not be able to bear the overhead of a robust security program and wither, while others may specialize or diversify and grow. However, when considering these costs and problems, it’s important to recognize recent achievements and the generally improving level of health privacy for individuals.

Disclaimer: This discussion and its references are not legal advice. Consult qualified counsel for any legal issues that concern you, your organization, or questions of compliance.

More reading:

Excellent reference from HHS.GOV with recent updates:
Unofficial Version of HIPAA Administrative Simplification Regulation Text
Recent HIPAA/ARRA webinar hosted by Neohapsis and Consciere:
The HIPAA Countdown Has Begun: How the Stimulus Bill Affects Healthcare IT
Well-informed blog focused on current health information and HIPAA legal issues:
Information Law Theory and Practice
Community discussion focused on healthcare IT business and compliance issues:
Health Information Trust Alliance
