Over the past several years, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] has been one of the most significant mediums by which federal law governs how healthcare providers, health plans and healthcare clearinghouses (“Covered Entities”) use and disclose individually identifiable health information (known as “protected health information” or “PHI”). In 2009, the Health Information and Technology for Economic and Clinical Health Act (HITECH), a component of the American Recovery and Reinvestment Act of 2009,[2] reconfigured key components of HIPAA, such that the original law has acquired several new features.
HITECH requires HIPAA to undergo extensive remodeling in several of its primary regulations: 1) revised Privacy Rule[3] and Security Rule[4] provisions; 2) revised Enforcement Rule provisions;[5] and 3) an added Breach Notification Rule.[6] Although HITECH drew a general sketch for how these features will apply to Covered Entities and those persons or businesses performing services on their behalf (“Business Associates”), the Department of Health and Human Services (DHHS) is scheduled to further structure and define these new aspects of HIPAA. DHHS has yet to publish its final rule, but a proposed rule published in July 2010 provides a few hints as to what we can expect in the final HIPAA regulations.
1. Compliance Date. DHHS recognized that compliance with the HITECH statutory provisions would be difficult until after the final rule establishes the revised HIPAA regulations. As a solution, DHHS has proposed that Covered Entities and Business Associates will have 180 days after the effective date of the final HIPAA rule to bring their business practices into compliance. Further, DHHS has proposed that all future changes to HIPAA will follow this pattern — compliance necessary 180 days after the effective date of any final rule.
2. Expansion of the Definition of Business Associate. The Proposed Rule includes several additions to the definition of Business Associate. These additions include certain Patient Safety Organizations, Health Information Organizations, E-Prescribing Gateways and any subcontractors of otherwise defined Business Associates. Of these, the addition of Business Associates’ subcontractors presents a marked change. Under the Proposed Rule, Business Associates have the burden to ensure appropriate business associates agreements are in place with any person or entity acting on behalf of the Business Associate with respect to the Covered Entity’s PHI, other than in a capacity as a member of the Business Associate’s workforce. DHHS has explained that this definition encompasses any “agent” of a Business Associate, whether or not that agent has entered into a business associate agreement with the Business Associate.
3. Liability for Agents. Under the current HIPAA regulations, a Covered Entity may be liable for the acts or omissions of its agents; however, no liability will attach where there is a proper business associate contract in place, and the Covered Entity did not know of a pattern of the agent’s violation of the agreement or the HIPAA regulations. The Proposed Rule essentially deletes this exception and renders the Covered Entity liable for the actions of its agents, including workforce members or subcontractors, who act within the scope of their agency and violate HIPAA by failing to perform an obligation on the Covered Entity’s behalf. Furthermore, the Proposed Rule adds a provision that includes Business Associates’ liability for their agents as well and in the same manner as liability extends for Covered Entities on behalf of their agents.
4. Transition Provision for Business Associates Agreements. DHHS stated in the Proposed Rule that it recognizes that Covered Entities may be unduly burdened by the obligation to renegotiate their business associates agreements in time to bring these in line with HITECH and the impending HIPAA revisions, especially those agreements that are not scheduled to expire or renew until after the compliance period for the new HIPAA regulations has lapsed. For this reason, DHHS has proposed that all existing business associates agreements between Covered Entities and Business Associates and between Business Associates and their subcontractors may remain in place for a period up to one year after the compliance date of the final rule, so long as the existing contract complies with HIPAA and is not renewed or modified until after the compliance date. However, DHHS also specifically stated that this transition provision only applies to amending current business associates agreements — it does not apply to the obligation for all business associates to actually be in compliance as of the compliance date.
The Proposed Rule makes several other significant changes to HIPAA, including expansion of many of the Security Rule’s provisions to Business Associates (and their subcontractors), and several key changes to the Privacy Rule such as new regulations governing ways in which Covered Entities may use PHI in their marketing, fundraising, and research; the rights of individuals with respect to their PHI; and the ways in which Covered Entities provide notice to individuals about uses and disclosures of PHI.
When DHHS publishes the final rule, we will provide an in-depth analysis of the HIPAA revisions, along with a discussion of the practical effect for Covered Entities and Business Associates and what these groups can do to be prepared for the final compliance date.
[1] 45 CFR Parts 160, 162, and 164.
[2] Pub. L. 111-5 (Feb. 17, 2009).
[3] 45 CFR § 160, 164, Subparts A and E. The Privacy Rule deals with privacy standards for all protected electronic health information.
[4] 45 CFR § 160, 164, Subparts A and C. The Security Rule deals with the security standards for electronic protected health information.
[5] 45 CFR § 160, Subparts C, D, and E.
[6] 45 CFR § 164, Subpart D. Certain changes are expected to have the greatest impact.