New HIPAA Regulations Webinar Series: Business Associate Obligations
Presented by Stephanie Cason & Anthony R. Miles
Stoel Rives Health Care Group
Wednesday, February 13, 2013

HIPAA Regulations Webinar Series – February 13: Business Associate Obligations

Agenda
• Legal background and update
• BA or not BA? That is the question
  – Who is a business associate?
  – Who is NOT a business associate?
• Compliance obligations
• Consequences of non-compliance
• Contracting considerations
• Compliance checklist

Background
• Original HIPAA Statute applied directly only to Covered Entities
• HHS lacked authority to regulate or directly enforce HIPAA’s protections on Individually Identifiable Health Information disclosed to, and in the hands of, vendors to Covered Entities
• “Business Associate” (“BA”) concept created by HHS to force flow-down of Privacy Rule protections to vendors

Update
• The Health Information Technology for Economic & Clinical Health (“HITECH”) Act, Title XIII of the American Recovery and Reinvestment Act of 2009, P.L. 111-5 (2/17/2009), changed this landscape:
  – Modifies HIPAA, making BAs directly responsible for compliance with certain parts of HIPAA
  – Subjects BAs to direct enforcement for noncompliance
  – Changes enforcement structure from complaint-driven to independent agency responsibility
  – Includes nondiscretionary penalties

Update (cont.)
• Regulatory Developments
  – August 2009: Interim Final Breach Notification Rule (74 FR 42750)
  – October 2009: Interim Final Enforcement Rule (74 FR 52613)
  – July 2010: Proposed Omnibus Rule (76 FR 31425)
  – January 25, 2013: Final Omnibus Rule issued (78 FR 5566)
  – March 26, 2013: Effective Date for Omnibus Rule
  – September 23, 2013: Compliance Date for Omnibus Rule
  – September 23, 2014: End of deemed compliance period for BA agreements not amended or renewed before Compliance Date

Who is a business associate?
• Omnibus Rule significantly expands definition of BA
• Changed the first prong of BA definition
  – From: “uses or discloses individually identifiable health information”
  – To: “creates, receives, maintains, or transmits PHI”
• Second prong of BA definition remains mostly the same
  – BA is someone who provides certain identified services involving disclosure of PHI (previous definition used IIHI)
• Adds specifically included entities:
  – Providers of data transmission services that require routine access to PHI
    • Health Information Organization
    • E-prescribing Gateway
  – Entity that offers personal health records on behalf of covered entity
  – Subcontractor
• Subcontractors
  – Directly regulates subcontractors with PHI
  – Includes anyone to whom a BA delegates a function, activity, or service and who is not a member of the BA’s or covered entity’s workforce
  – Flows all the way down the chain

Who is NOT a business associate?
• Omnibus Rule excludes (under specified circumstances):
  – Health care providers
  – Plan sponsors
  – Government agencies
  – Covered entities participating in OHCA
  – External researchers
  – IRBs
  – Financial institutions
  – Contractors treated as members of the Workforce

Special Consideration
• Conduits not BAs
  – Conduit = transportation but no access other than on infrequent basis to support transportation
    • U.S. Postal Service
    • FedEx
    • Internet Service Provider
  – Limited to transmission services (whether paper or electronic)
  – May store PHI temporarily, but must only have transient (not persistent) opportunity to access same
• Conduit does NOT include entity that maintains PHI on behalf of a CE
• Applies regardless of whether entity maintaining PHI actually accesses or views it
  – Affects document storage companies
    • Iron Mountain
    • American Data Guard
  – Implications for electronic archiving and cloud service providers
• Business Associate status arises as a matter of law
  – Not dependent on whether parties have entered into appropriate agreement
  – BA independently subject to requirements, enforcement and penalties
  – Absence of agreement = instance of noncompliance for both BA and CE

Covered Entity Responsibilities
• Ensure appropriate contracts in place with Business Associates
  – BA Agreement for first-level BA
  – Data Use Agreement (limited data set)
• Disclose or allow BA to create, receive, maintain or transmit PHI only in accordance with underlying services agreement or as otherwise permitted

BA Compliance Obligations
• BAs independently responsible for compliance with:
  – Security Rule
  – Breach Notification Rule (especially 45 CFR §164.410)
  – Certain aspects of the Privacy Rule
    • Only where provided in the standards themselves
  – Contracting with Covered Entities and Subcontractors
• Limit uses and disclosures
  – Pursuant to HIPAA (e.g., Minimum Necessary)
  – Pursuant to business associate contracts
• Notify breaches of unsecured PHI
• Provide copies of designated record set to CE or upstream BA to respond to requests for access
  – Includes making records available in electronic form
• Disclose records to HHS for HIPAA investigation
• Provide accounting of disclosures
• BA must contractually agree to the following:
  – Safeguards for PHI
  – Report impermissible uses and disclosures of PHI beyond just breaches of unsecured PHI, including security incidents
  – Ensure appropriate agreements with subcontractors
  – Provide designated record set maintained in hard copy to respond to request for access
  – Make PHI available for amendment and incorporate amendments
  – Return or destroy PHI upon termination
• New model contract terms issued by HHS
• BAs may NOT:
  – Sell PHI without an authorization
  – “Sale” includes indirect remuneration
  – Excludes disclosures for
    • Public health
    • Research
    • Treatment and payment
    • Activities a BA takes on behalf of a covered entity, if made to or by another BA

Consequences of Noncompliance
• Independently subject to audit and enforcement action by HHS-OCR
• Statutory penalties apply even if the BA did not know and by reasonable diligence would not have known
• Contract termination
• Challenges in obtaining business from Covered Entities

Contracting Considerations
• Most provisions still scripted in regulations:
  – New model contract provisions:
  – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• Long-standing drafting issues remain:
  – Definition of PHI should be limited to information received from or created, maintained, used, disclosed or transmitted for or on behalf of Covered Entity
  – Provide notice of mundane “Security Incidents” in document
• New issues for negotiation
  – Indemnity
    • Breach and notification costs
    • Penalties
    • Downstream noncompliance
  – Responsibility for Minimum Necessary determinations
    • Determine based on nature of services
    • De-identification raises special issues
    • Additional guidance forthcoming per HITECH § 13405(b)
  – Data access and disclosure accounting

Compliance Checklist
Covered Entities should:
• Identify BA agreements to be renewed/amended before 9/23/13
• Prepare form of amendment for existing BAAs to include new required provisions
• Update existing BAA form to include new required provisions
• Evaluate whether other vendor relationships now require BAAs
• Review definition of marketing and “sale of PHI” and evaluate whether any existing BAA service agreements require amendment
• Revise BAA policies, procedures and training to address new requirements

Compliance Checklist
Business Associates should:
• Revise form BAA to include new provisions
• Prepare amendment for existing BAAs
• Inventory vendor and subcontractor relationships to ensure all have BAAs
• Revise/develop policies and procedures for compliance with Security Rule and applicable Breach Notification and Privacy Rule requirements
• Update and provide revised training

Resources
• Final Omnibus Rule
  – https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the
• New model BA contract provisions:
  – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• HHS-OCR HIPAA FAQ Responses
  – http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html

Questions?

Stephanie Cason, Associate
STOEL RIVES LLP
900 SW 5th Avenue, Suite 2600
Portland, OR 97204
Direct: 503.294.9868
sacason@stoel.com

Anthony R. Miles, Partner
STOEL RIVES LLP
600 University Street, Suite 3600
Seattle, WA 98101
Direct: (206) 386-7577
armiles@stoel.com