Business Associates & HITECH Deep Dive

Joseph R. McClure, Esq.
Legal Counsel, Siemens Medical Solutions USA, Inc.
WEDI Privacy & Security Co-Chair

October 4, 2013

Agenda

Business Associates & HITECH Deep Dive

● Who is a Business Associate ?

● Business Associate Decision Tree

● Specific Business Associate Examples/Issues

● Subcontractor Flow-Down Obligations and Implications

● Business Associates and the Privacy Rule

● Covered Entity Obligations with Respect to Business Associates

● BA Agreements and Transition Period Under the Final Rule

● Additional Resources

Who is a Business Associate?

● Final Rule: An entity that “…creates, receives, maintains, or transmits [PHI] for a function or activity regulated by [HIPAA]…” on behalf of a CE

● Final Rule expanded the definition of BAs to include:

  ● Health Information Organizations

  ● E-prescribing Gateways

  ● PHR providers on behalf of a CE

  ● Patient Safety Organizations

  ● Data Transmission Service Providers with routine access to PHI

  ● Subcontractors that create, receive, maintain, or transmit PHI on behalf of BAs

● Subcontractor means a person to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA

BA Decision Tree

1. Is Protected Health Information (PHI) being disclosed to a person or entity other than in the capacity as a member of the covered entity’s workforce?
   No – Business Associate Agreement is NOT needed. Yes – go to question 2.

2. Is the PHI being disclosed to a healthcare provider for treatment purposes (e.g., primary/referring physician, contract physicians or specialists, contract nursing staff, contract rehab staff, ambulance, home health, dentist, etc.)?
   Yes – Business Associate Agreement is NOT needed. No – go to question 3.

3. Is the PHI being disclosed to a health plan for payment purposes, or to a health plan sponsor with respect to disclosures by a group health plan?
   Yes – Business Associate Agreement is NOT needed. No – go to question 4.

4. Is the PHI being disclosed to a government agency pursuant to an official investigation (e.g., CMS, OCR, OSHA, FDA, Health Department, etc.)?
   Yes – Business Associate Agreement is NOT needed. No – go to question 5.

5. Is the PHI being disclosed to another covered entity that is part of an organized healthcare arrangement in which the originating covered entity participates?
   Yes – Business Associate Agreement is NOT needed. No – go to question 6 (continued on the next slide).

BA Decision Tree (cont’d)

(Continued from the previous slide)

6. Does the other person or entity create, receive, maintain or transmit PHI for a function or activity regulated by HIPAA, including: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefits management, practice management, and repricing?
   Yes – Business Associate Agreement IS needed. No – go to question 7.

7. Does the other person or entity provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services where the provision of such services involves disclosure of PHI to the person or entity?
   Yes – Business Associate Agreement IS needed. No – go to question 8.

8. Will the other person or entity be able to access PHI on a routine basis, AND/OR is there a possibility that the PHI in the person or entity’s custody or control could be compromised (e.g., data storage vendor, document shredding company, or other, etc.)?
   Yes – Business Associate Agreement IS needed. No – Business Associate Agreement is NOT needed.

Business Associate Agreement IS needed. Entities specifically included under HITECH:
- Health Information Organizations
- E-prescribing Gateways
- Data transmission vendors with routine access to PHI
- Personal Health Record vendors that offer a PHR to individuals on behalf of a covered entity
- Subcontractors that create, receive, maintain, or transmit PHI for or on behalf of a business associate

BA Decision Tree (cont’d)

● The BA Decision Tree closely follows the definition of “business associate” at 45 CFR § 160.103.

● The tool will answer many questions, but just as the definition itself is open to different interpretations, it may still be necessary to supplement the analysis with other information.

● Organizations may still need to review additional guidance from OCR regarding the kinds of organizations that are considered BAs and when a BA Agreement may be needed.

● See Omnibus Final Rule Preamble Comments, Fed. Reg. Vol. 78, No. 17, pp. 5571-75, January 25, 2013: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

● See also Business Associate FAQs on the OCR website: http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html#businessassociate


Specific BA Examples/Issues

● Conduit Exception (common carriers) – OCR focuses on:

  ● Transport of information – that may not necessarily be PHI

  ● Whether disclosure of PHI is intended by the CE; and

  ● Whether the probability of exposure of PHI is low

● Records Storage Vendors

  ● Even though disclosure of PHI is not generally intended by the CE

  ● OCR focuses on persistent custody and control of the PHI

● Cloud Computing Vendors that store PHI but may have no ability to access the PHI – this issue is still under additional review by OCR

● Janitorial/Custodial Service Providers

  ● Generally, access to PHI is not intended

  ● Other safeguards should be in place to protect the PHI

  ● A Confidentiality Agreement may be recommended

Subcontractor Flow-Down Obligations and Issues

● BAs are required to execute fully compliant Business Associate Agreements (BAAs) with Subcontractors in the same manner that CEs are required to execute BAAs with BAs

● Like the CE, if the BA is aware of a pattern or practice of its Subcontractors that would be a material breach of the BAA, then the BA must take reasonable steps to end the violation or terminate the agreement, if feasible

● The Final Rule removes the obligation to report a material breach to the Secretary of DHHS if termination of the agreement is not feasible

● CEs are NOT responsible to execute BAAs with BAs’ Subcontractors – this is a flow-down obligation

Subcontractor Flow-Down Obligations and Issues (cont’d)

● How far down the “subcontractor chain” does the obligation to flow down continue?

  ● As far as PHI is being used or disclosed for covered purposes such that a subcontractor would be considered a BA

● Breach Notification Obligations

  ● BA must notify the CE upon the BA’s discovery (without unreasonable delay and in no event more than 60 days after discovery)

  ● Subcontractor must notify the BA upon the Subcontractor’s discovery

  ● If there are multiple levels, this flow-down would continue

  ● Ultimately, the CE (the highest level of the chain) is responsible to notify the individuals and OCR

  ● BUT – if an agency relationship exists between any entities at any level, discovery of the breach by a lower-level entity may attach to the entity that is the next level up

● How is “breach” defined in the BAA?

Agency Relationship Considerations

● The Final Rule makes clear that a CE is liable for the acts or omissions of its BA acting within the scope of “agency”

● BAs are likewise liable for the acts or omissions of their Subcontractors acting within the scope of “agency”

● This means:

  ● An entity can be penalized for its agent’s violations

  ● Knowledge/actions of the agent will be imputed to the principal (e.g., knowledge of a breach or other violation)

● The federal common law of agency will govern whether an agency relationship exists between the parties – regardless of what the contract actually says

Subcontractor Flow-Down Obligations and Issues (cont’d)

Agency Relationship Considerations (cont’d)

● Whether an agency relationship exists will depend on the right or authority of the CE to control the BA’s conduct and performance, based on the right to give interim instructions

● Agency Consideration Factors

  ● The time, place and purpose of the BA’s conduct

  ● Whether the BA engaged in a course of conduct subject to control by the CE

  ● Whether the BA’s conduct is commonly done by a BA

  ● Whether or not the CE reasonably expected that a BA would engage in the conduct in question

● This will be a fact-specific analysis, and in some cases an agency relationship may exist simply based on the nature of the relationship between the CE and BA

Business Associates and the Privacy Rule

Privacy Changes Under Final Rule that Impact BAs

● HITECH does not impose ALL Privacy Rule obligations upon a BA

● BAs are subject to direct enforcement of HIPAA Privacy obligations and penalties in the same manner as a CE, BUT only to the extent required under HITECH – not the HIPAA Privacy Rule itself

● Disclosure of PHI must be kept to a limited data set or the minimum necessary

● A Health Provider must honor a request by an individual to restrict disclosure of PHI to a Health Plan if the individual pays for the associated service out-of-pocket in full

● Individuals have the right to a copy of their PHI in an electronic format

● Sale of PHI is prohibited unless authorized by the individual

● Certain marketing communications require authorizations

Covered Entity Obligations with Respect to Business Associates

● Is the CE required to audit/monitor its BAs?

  ● According to OCR, a CE is not required to audit or monitor its BAs – however, if the CE is aware of a pattern or practice of the BA in violation of the BAA or HIPAA, the CE must take reasonable steps to cure the breach or end the violation

  ● The CE is not required to obtain copies of the BA’s agreements with the BA’s subcontractors

  ● The CE is not obligated to report violations of the BA to the Secretary

● A CE may delegate its HIPAA obligations to its BAs

  ● The BA is directly liable for compliance with its own direct obligations under HIPAA and contractually liable to the CE for any other privacy obligations it contractually assumes for the CE

  ● For example, a BA is not directly obligated under HIPAA to provide a Notice of Privacy Practices – BUT if the contract with the CE delegates this HIPAA function to the BA, the BA is contractually liable to the CE to do so in compliance with HIPAA

BA Agreements

BA Agreements (BAAs): Required Provisions

● HITECH stated that required provisions “…shall be incorporated into the business associate agreement…”

● Many CEs and BAs amended BAAs to track the HITECH statutory changes by the statutory compliance date of 2/18/2010

● If an existing BAA is already compliant, a new BAA is not needed

● Final Rule clarified FOUR provisions required to be in BAAs to be compliant with HITECH. The Business Associate must:

  1. Comply with the HIPAA Security Rule

  2. Report to the Covered Entity any breach of unsecured PHI

  3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate

  4. Comply with the HIPAA Privacy Rule to the extent the Business Associate is carrying out a Covered Entity’s Privacy Rule obligations

BA Agreements (cont’d)

Preparing to Amend BA Agreements

● For HIPAA-compliant BAAs executed prior to publication of the Final Rule (1/25/2013), entities may have up to 1 additional year beyond the 9/23/2013 Compliance Date

  ● BAAs executed PRIOR to 1/25/2013 that are not set to terminate or renew before 9/23/2013 – these must be compliant by the earlier of the renewal date or 9/22/2014

● For new BAAs executed AFTER 1/25/2013, or existing BAAs scheduled to be renewed before 9/23/2013, the applicable compliance date is 9/23/2013

● OCR maintains sample BAA provisions on its website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html (updated 1/25/2013)

Additional Resources

● WEDI BA Decision Tree: http://www.wedi.org/forms/uploadFiles/35FE7000000DC.filename.7.26_BA-Decision-Tree_V2.pdf

● WEDI Omnibus Final Rule Impact Assessment Tool: http://www.wedi.org/forms/uploadFiles/35FE400000143.filename.7.26_HITECH_PS_Omnibus_Final_Rule_01-2013.pdf

● OCR Security Rule Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

● OCR Enforcement Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

● NIST HIPAA Security Rule Tool Kit: http://scap.nist.gov/hipaa/

Questions?

Thank you for your attention!

Joseph R. McClure, Esq.
Legal Counsel
Siemens Medical Solutions USA, Inc.
WEDI Privacy & Security Co-Chair
[email protected]