As insurers, producers and administrative service providers work towards compliance with the privacy and data security requirements of the Health Information Technology for Economic Clinical Health Act (“HITECH”)*, one particularly thorny issue is “What needs to be done with business associate agreements?”
By way of background, a business associate generally is any person who performs a function on behalf of, or certain services for, a covered entity regulated under the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) where the function or service involves individually identifiable health information. Business associates include administrative service providers, producers and other third parties that provide services to health plans and other covered entities.
Under current law, the rules implementing HIPAA’s privacy and security standards (the “HIPAA Privacy Rule” and the “HIPAA Security Rule”) require a covered entity to execute a written agreement with each of its business associates under which the business associate must comply with certain minimum requirements. Among other things, the business associate agreement must establish the permitted and required uses and disclosures of protected health information; prohibit the business associate from using or disclosing protected health information in any way that would violate HIPAA if done by the covered entity; require the business associate to safeguard the confidentiality and security of protected health information; require the business associate to report security incidents involving electronic protected health information and report any use or disclosure of information in violation of the agreement; and require the business associate to assist the covered entity in complying with its obligations under HIPAA, such as providing individuals with access to their protected health information and providing an accounting of certain disclosures upon request.
Currently, a business associate that violates its business associate agreement is liable for breach of contract but is not directly liable for violating HIPAA.
HITECH makes major changes to the way business associates are regulated under HIPAA. In specific,
Effective September 23, 2009:
- Business associates are required to notify covered entities of any breach of unsecured protected health information. “Unsecured protected health information” is information that has not been encrypted or otherwise rendered unusable, unreadable or indecipherable to unauthorized individuals in accordance with guidelines issued by the Department of Health and Human Services (“DHHS”). To comply with this requirement, business associates should ensure that they have adequate policies and procedures in place to detect, evaluate and report breaches.
Effective February 17, 2010:
- Business associates become directly liable under HIPAA for any violation of the mandated minimum standards for business associate agreements.
- Business associates must comply with the administrative, technical and physical security standards that apply to electronic protected health information under the HIPAA Security Rule in the same manner as a covered entity. Complying with these standards will require business associates to go through a formal, documented process of ensuring that required security specifications are implemented and evaluating whether “addressable” specifications are reasonable and appropriate for their operational environment.
- A business associate will be deemed to violate HIPAA if it knows of a pattern of activity or practice of a covered entity that constitutes a material breach of the covered entity’s business associate contract and does not take reasonable steps to cure the breach or if such steps are unsuccessful, (i) terminate the contract if feasible or (ii) report the problem to DHHS if termination is not feasible. The scope of this requirement is unclear because it is difficult to see how a covered entity might breach a business associate agreement given that the mandated provisions for such agreements impose duties on the business associate, but not the covered entity. This provision of HITECH may be intended to require a business associate to take action if it knows of a pattern or practice by a covered entity that violates HIPAA. Clarification from DHHS may shed light on how this provision will be applied.
- DHHS will be required to conduct periodic compliance audits of business associates (and covered entities).
In addition, HITECH establishes certain new privacy and security requirements for covered entities (some of which are more on the order of codifying or clarifying existing regulatory requirements) and provides that all such requirements also are applicable to business associates. Among the requirements that are likely most relevant to health plans are clarified minimum necessary standards and restrictions on marketing communications.
HITECH provides that the new requirements it establishes for covered entities and business associates “shall be incorporated into the business associate agreement between the business associate and the covered entity.” The new requirements must be incorporated into business associate agreements by February 17, 2010.
Amending business associate agreements in time for the compliance deadline poses certain difficulties. First, for many covered entities, it may not be feasible to amend all business associate agreements by February 17, 2010. Amending the agreements will take time and require considerable administrative resources.
As an interim measure, if existing business associate agreements contain language requiring the business associate to comply with applicable law, it may be sufficient to distribute correspondence reminding business associates of their responsibility to comply with HITECH as a matter of law and as a matter of compliance with their business associate agreement. Such correspondence may be enough to put the covered entity in compliance with the requirement to incorporate the HITECH requirements and would allow time to make substantive amendments to business associate agreements as they are renewed.
Second, it is not clear whether HITECH requirements that are not directly relevant to a particular business associate must be included in that business associate’s agreement. For example, HITECH establishes certain new requirements regarding access to protected health information and accounting for disclosures with respect to electronic health records (“EHRs”) managed by health care clinicians. It is unclear whether these requirements need to be reflected in an agreement with a business associate that does not handle such records. Moreover, the scope of records that may qualify as EHRs is not entirely clear and may be subject to interpretation by future DHHS rulemakings or guidance, adding to the uncertainty as to whether provisions addressing such records must be included in any particular agreement. A simple solution is to incorporate contingent provisions into all business associate agreements requiring the business associate to provide the assistance needed by the covered entity to comply with HITECH requirements relating to EHRs if any such records are handled by the business associate. A similar approach may be taken with other new HITECH requirements that may or may not apply to any particular business associate depending on the factual circumstances and how the new requirements may be interpreted by federal authorities.
HITECH requires covered entities to comply with certain new security breach notification requirements relating to unsecured protected health information. As with the related business associate requirements, the breach notification requirements for covered entities became effective September 23, 2009. Ensuring compliance with these requirements means that covered entities must know of any breaches experienced by their business associates. Existing business associate agreements should contain language requiring the business associate to provide notice of a use or disclosure that would constitute a breach. Nevertheless, as covered entities are amending their business associate agreement, they may want to review breach notification language to ensure that it provides robust protection. For example, covered entities may want to consider language that,
- Is sufficiently broad to require notice of any security incident that might trigger a duty to notify affected individuals under HITECH or under state security breach notification laws;
- Requires the business associate to cooperate with the covered entity in investigating any security incident and implementing mitigating measures deemed appropriate by the covered entity, including notifying affected individuals even if not required by law and providing affected individuals with services to protect themselves against identity theft;
- Requires the business associate to bear the expense of any mitigating measures the covered entity deems appropriate.
HITECH increases the civil and criminal penalties for HIPAA violations and enhances the enforcement scheme for HIPAA in other ways--for example, by authorizing state attorneys general to enforce HIPAA. Given the greater risk of liability under the new enforcement regime, covered entities may want to review their existing business associate agreements to ensure that they contain provisions that,
- Establish a strong indemnification in favor of the covered entity for liability resulting from the business associate’s conduct;
- Specifically allow the covered entity to seek equitable relief to stop an ongoing violation of the business associate’s contractual duty to maintain the security and confidentiality of protected health information;
- Require the business associate to conform its practices to annual guidance DHHS is required to issue concerning “the most effective and appropriate technical safeguards” to facilitate compliance with the Security Rule;
- Permit the covered entity to audit the privacy and security practices of the business associate.
Conversely, business associates may want to negotiate provisions that,
- Indemnify the business associate for liability resulting from actions taken at the direction of the covered entity or resulting from conduct of the covered entity;
- Allow the business associate to renegotiate the price of its services if conforming its practices to data security guidance issued by DHHS imposes material costs on the business associate;
- Establish limits on the right of a covered entity to conduct an audit.
The amendment of business associate agreements to comply with HITECH also offers an opportunity to review these agreements to be certain they address other issues relating to data privacy and security. For example, if covered entities have not already done so, they may want to incorporate provisions into their agreements specifically requiring business associates to comply with data encryption standards mandated by state law and standards relating to the federal identity theft Red Flags Rule where applicable.
Achieving HITECH compliance will require considerable resources. Covered entities and business associates alike will want to make the most of this process by thinking broadly about the issues at stake and ensuring that the agreements they negotiate provide the best possible protection of their interests.
*HITECH is found in division A, title XIII and division B, title IV of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5.
About the author
Joe Holahan is a member of the firm’s Insurance and Reinsurance Group and Privacy and Data Security Group. He regularly counsels clients on compliance with state and federal privacy and data security laws.