In January 2013, the US Department of Health and Human Services (HHS) issued lengthy “omnibus” final regulations and modified the HIPAA/HITECH privacy, security, enforcement, and breach notification rules. Now, the challenge for health information management professionals is to meet the upcoming September 23, 2013 compliance deadline.
One of the most troublesome last-minute compliance tasks is updating business associate relationships. The HIPAA Final Omnibus Rule imposes security obligations directly on business associates, along with some privacy obligations. Moreover, the Omnibus Rule’s change in the definition of “business associate” creates new compliance obligations.
Under the Omnibus Rule, the “business associate” concept now includes vendors that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity. HHS makes it clear in its explanation of the Omnibus Rule that vendors that maintain PHI over time are covered, even if they don’t gain regular access to the PHI, or even if they disclaim the right to access it. For instance, cloud computing storage providers are “business associates” if they store covered entity or business associate customers storing PHI, even if they say they don’t access customer information.
The Omnibus Rule also creates new categories of business associates. These new categories include businesses performing patient safety activities, health information organizations, e-prescribing gateways, data transmission services requiring PHI access on a routine basis, and personal health record providers for covered entities.
Perhaps the greatest impact of the new definition of business associate stems from the inclusion of subcontractors. Under the Omnibus Rule, subcontractors of business associates performing business associate functions are themselves business associates. As a result, the Omnibus Rule requires a chain of compliance starting at the HIPAA-covered entity, through the business associate, and ending with the lowest-tier subcontractor. The new rules require changes to business associate contracts and changes to data security breach notification triggers and procedures.
New business associate contracts with downstream business associates must:
- Impose data security requirements and applicable privacy requirements on the downstream vendor
- Assert the upstream entity’s right to terminate the downstream vendor for security or privacy violations
- Flow down data breach notification requirements
- Require the downstream vendor to include these terms in agreements with their subcontractors
Many covered entities and business associates have been in the process of redoing their business associate agreements and changing general vendor agreements to business associate agreements. The September 23 deadline is approaching. However, a business associate agreement that complied with old law and was in force before January 25, 2013—and was not renewed or modified from March 26, 2013 on—need not be redone until the the agreement’s expiration or September 23, 2014, whichever comes first. Thus, there is additional time to redo “grandfathered” agreements.
In this process of redoing business associate agreements, the top issue has been negotiating changes to agreements with vendors that provide general services for both healthcare businesses and other businesses. The cloud storage vendor mentioned above is a prime example. Many of these vendors don’t think of themselves as in the health field. Many are surprised to learn (usually from their health field customers) that they might be covered by the Omnibus Rule, and many vendors are pushing back to say that they aren’t business associates.
So how should HIPAA-covered entities and business associates comply with the Omnibus Rule and at the same time maintain good relationships with their vendors? Covered entities and business associates will likely need to go through a delicate process of negotiation. Negotiations may involve educating the vendor about the Omnibus Rule and why the vendor falls within the definition of “business associate.” Many vendors are seeing the light and are willing to sign business associate agreements; others are not.
When a vendor is simply unwilling to sign an agreement acknowledging business associate status, the covered entity or business associate customer will need to decide whether it is worth keeping the vendor relationship. One possible compromise is to impose all of the applicable requirements of the Omnibus Rule in a self-contained agreement without acknowledging business associate status or even using the business associate label. It is unclear how HHS would look at such an agreement, so this approach is untested. Nevertheless, many vendors will agree to this approach, and it will allow a customer to keep a critical vendor while having documented compliance with the substance of the Omnibus Rule.
In sum, now is the time to redo vendor agreements to comply with the Omnibus Rule. It may take patience and time to work with some vendors. Nonetheless, health entities will likely be able to both comply and maintain good relationships with their vendors.
Stephen Wu (firstname.lastname@example.org) is a partner with the Silicon Valley law firm Cooke Kobrick & Wu LLP and advises clients on privacy, information security, data breach response, computer investigations, privacy, and records management.