HIMSS: NPRM modifies HIPAA compliance for business associate deals
The contractual obligations in the notice of proposed rulemaking (NPRM) on modifications to the HIPAA privacy, security and enforcement rules under the HITECH Act for business associates and downstream entities are game changers, according to Amy S. Leopard, JD, from Walter and Haverfield, during a webinar sponsored by the Healthcare Information and Management Systems Society (HIMSS).

Under the proposed NPRM, a business associate must obtain satisfactory assurance from subcontractors on privacy and security protections in the form of a business associate agreement, according to Leopard.

During the informational webinar, Leopard along with Lisa A. Gallagher, BSEE, senior director, privacy and security at HIMSS, sought to highlight certain modifications under the NPRM that was published July 14 in the Federal Register.

In terms of changes made to HIPAA due to HITECH, the Act applied HIPAA compliance to business associates, created new and updated privacy statuses and modified enforcement and penalties, according to Gallagher. The NPRM was required by HITECH to implement changes to the Department of Human Health and Services’ (HHS) regulation of HIPAA privacy, security and enforcement rules.

Under HITECH, business associates are now regulated under HHS and cannot use or disclose PHI in violation of the privacy rule and need to meet all security rule standards. In addition to contractual liability, they have a new regulatory consequence in terms of coming under the umbrella of entities regulated by HHS. Like covered entities, the business entities will have a number of new duties if the NPRM passes, mostly pertaining to individual rights including the authorization for sale of PHI and health plan disclosure restriction, Leopard stated.

“Whether or not someone is a business associate will be a very important determination to make,” said Leopard noting that definitions apply even if the covered entity or business associate fails to enter into business associate agreement.

According to Leopard, the NPRM defines a business associate as:
  • Patient safety organizations;
  • Health information organizations, electronic prescribing gateways or a person providing data transmission services with respect to PHI to covered entities and require access on a routine basis to that PHI. Leopard pointed out this definition does not mean mere conduits for the transport of PHI that do not access PHI on other than a random or infrequent basis;
  • Vendors offering PHR to individuals on behalf of a covered entity; and
  • BA subcontractors that create, receive, maintain or transmit PHI on a BA’s behalf.

Leopard expressed the final definition in the proposed NPRM as a “bombshell”; under the NPRM, subcontractors would be subjected to full blown security and privacy provisions. Subcontractors to business associates would not only be under contractual obligations but also subjected to HHS regulatory authority, Leopard stated. “We should expect some jurisdictional questions to arise in the comment period and beyond … As you can imagine, many companies in this subcontracting realm will have to go from 0 to 60 fairly quickly in terms of the documentation of their compliance.”

According to Leopard, the business associate agreement portion of the NPRM is "ripe" for public comment. The transition period for amending business associate agreements when necessary is 240 days (from the publication of final rule) plus one year.

Gallagher also pointed out that the modifications to the HIPAA privacy rule in the NPRM proposes to:
  • Apply privacy rule to business associates;
  • Modify definitions of “healthcare operations” and “marketing;”
  • Modify definition of “minimum necessary” and discuss applicability to business associates;
  • Strengthen patient options to opt out of fundraising communications;
  • Modify authorizations required for the sale of PHI;
  • Discuss PHI about deceased individuals; and
  • Discuss disclosure of student immunization records.

Currently, the federal government is accepting public comment on the NPRM for a period of 60 days, ending on Sept. 13.