A Q&A with Barbara Bennett
When they were released this past January, the final HITECH regulations amending the HIPAA Security, Privacy, Breach and Enforcement Rules expanded the scope of those rules, increased patient protections and strengthened government oversight, including applying the rules directly to contractors and subcontractors. So what does this mean for healthcare organizations and the service providers that work with them? I asked Barbara Bennett, partner at Hogan Lovells, LLP in Washington, DC, to explain the finer points of the final rules.
Can you summarize the key requirements of the HITECH final rules amending HIPAA? What has changed?
- The biggest changes are the application of much of the HIPAA privacy rule and virtually all of the security rule to “business associates,” with almost all third-party contractors and subcontractors that access or maintain protected health information (PHI) now being considered business associates.
- The second major change is the change in the HIPAA breach rule, which used to have a “risk of harm” standard incorporated into the definition of a data breach that required notice to affected individuals or regulators. Under that standard, an incident was not considered a breach unless the incident posed a significant risk of harm to the affected individuals. The final rule now provides that any unauthorized use or disclosure of PHI is presumed to be a reportable data breach unless the covered entity or business associate demonstrates that there is a low probability that the information has been compromised based on a risk assessment that considers certain factors.
- Changes to the HIPAA marketing rule include further restrictions on use of PHI for marketing. In the proposed rule there had been an exception for providers to use PHI for subsidized communications and HHS took that exception away so that all subsidized promotional communications require an individual authorization unless they concern a drug or biologic currently prescribed.
- There are some other, less monumental changes that include the right for an individual to restrict the sending of certain PHI to that individual’s health plan, the ability to get authorizations for research to do more than one study per authorization, and more stringent enforcement penalties.
In looking at the business associates component, how does this change impact healthcare organizations and their vendors?
There is potential for tremendous impact. The bottom line is that a lot of companies out there know they’re business associates and have the wherewithal to implement compliance, but many organizations do not.
In the past, business associates and their subcontractors who provided services to covered entities only had contractual liability, but they now have direct liability. “Business associates” are defined by virtue of their role and not by any agreement with the covered entity. For instance, the rule makes clear that cloud and other storage providers are business associates, whether or not they have a business associate agreement. If you maintain PHI, it does not matter whether you review or access it. You are still responsible and subject to the HIPAA rules, including the breach rule. It’s a big liability to assume and a big expense to implement compliance with these requirements.
Others that could be affected include software and hardware vendors that provide doctors and hospitals with access to information through health information exchanges (even if the vendor is not actually storing the information) as well as consulting and law firms that serve hospitals, doctors and health plans and may need PHI to perform their services. It goes deeper, too. Let’s say that these firms rely on a document management company. They, too, would be business associates subject to the rules and associated liability.
Another clarification that was made, however, is that the conduit exception is retained. If you’re a courier or telephone or internet provider that solely helps transmit or transfer the data—and does not maintain it—you may be exempt from the business associate requirements. And financial institutions that are just cashing a check or performing a payment transaction are not considered business associates, either. However, if they are performing a service for the organization such as accounts receivable or a lockbox that involves PHI, then they would become a business associate.
What are the challenges going forward for small entities and business associates?
First of all, these businesses need to understand whether the law applies to them for purposes of their own risk management, which means taking a good look at their customer base. For small entities, compliance costs can be expensive and require a certain amount of technical expertise, especially with the security rule provisions. There are some changes to the requirements for business associate agreements that need to be reviewed to determine if existing agreements need to be amended—there is an extended compliance period in some cases for those agreements—and business associates are now required to have these agreements with their subcontractors.
There’s also a challenge for an organization that deals with a lot of covered entities, such as a data analytics company or IT vendor that works with multiple hospitals, in managing thousands or millions of records for different covered entities. It is very difficult to comply with different contractual requirements with respect to different sets of data and still operate efficiently and effectively. Those companies might want to develop a standard template because they can’t get that granular in terms of differing compliance requirements.
In particular, HHS said in the preamble to the rules that a business associate must comply with the minimum necessary policies and procedures of the covered entity. That appears to me to be nearly impossible. If you have one customer it may simply be a hassle but if you’re a large service provider working with 10,000 covered entities, how can you possibly comply with all of their various minimum necessary policies and procedures? And why would the covered entities want to disclose their internal policies and procedures, which have been drafted for covered entities and not business associates, anyway? But, to add insult to injury, HHS also has indicated that a violation of the minimum necessary standard (i.e., the use or disclosure of more PHI than required for a specific purpose) can itself constitute a data breach.
In general, though, business associates need to get serious about compliance before September 23, 2013, when these requirements will be enforced. That means doing a survey of activities to gauge compliance and then creating a plan to address any issues; determining when the business associate acts as an agent of the covered entity (which carries additional burdens); training workforce members; and assessing relationships with subcontractors, and even educating those subcontractors where necessary. We recommend engaging outside counsel if there is no internal expertise available to understand these regulations and how they are applied to one’s business operations.
We think Ms. Bennett highlighted the key (pressure point) areas of the Final Rule that will cause future legal liability and enforcement actions for both Covered Entities and Business Associates. A complicating issue is how HHS/OCR interpret their own Security Rule regulations, which seems to vary from one investigator to the next. Moreover, many state Attorneys General are paying particular attention to how health information is safeguarded, and the penalties for noncompliance can be harsh. Having a knowledgeable security attorney (or Breach Coach®, as we call it) is essential for organizations in the healthcare industry and the insurance companies that underwrite their data breach liabilities.