By Carmel M. Roberts, Esq.
As we forge ahead in the new, post-September 23, 2013 HIPAA Omnibus Final Rule compliance world, many of you who do not have a licensed health agent in your agency are probably asking yourselves — so what does this mean for my agency, are we a Business Associate under HIPAA? The answer, like so much in healthcare compliance these days, is not as straightforward or clear cut as we may like it.
For those of you who missed the Michigan AGENT article last month on this topic, the date, September 23, 2013 is when HIPAA “Business Associates”, which are those organizations that work with healthcare providers, health plans, administer an agency health plan, and others who are exposed to sensitive patient data (protected health information, or PHI), are required to comply with new privacy, security and breach notification rules from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)—known as the HIPAA Omnibus Final Rule.
So with this date in our rear view mirror and the compliance shot clock ticking, do you know if your agency is a HIPAA Business Associate? And do you know all of the organizations that you work with that are also HIPAA business associates? It may not be as simple as you think (or hope) to know. But first, do you really need to care?
The answer to this question is a definitive “yes”. If you are considered a business associate under HIPAA and the HITECH Act, you have substantial obligations that began in September to ensure the privacy and security of patient health information, and you also have notification obligations if you have a “breach” of such information. If you are investigated by OCR and found to be “neglectful” in complying with these provisions under the HIPAA Omnibus Rule, you may find your agency subject to fines, penalties, and corrective action plans, which can be financially substantial and operationally onerous.
So let’s look at what defines a business associate. On the federal Health and Human Services Department website (www.hhs.gov), they define a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Under the Final Omnibus Rule, the definition is further explained and clarified.
Under the Final Rule, a “business associate” is generally a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in fulfilling certain functions or activities for a HIPAA-covered entity. Health information that is created or received by a covered entity, identifies an individual, and relates to that individual’s physical or mental health condition, treatment, or payment for health care is considered PHI when it is transmitted by or maintained in any form of medium, including electronic media. Notably, the new definition clarifies that “business associates” include entities that “maintain” PHI for a covered entity, such as a data storage company or any PHI stored on a server that is maintained or accessed by a third party.
The Final Rule also clarifies the definition of a “business associate” by expressly including health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require “routine access” to PHI. In some instances, this “routine access” can include the administration of an employer sponsored healthcare plan. Additionally, as further explained below, the new definition of “business associate” provides that certain subcontractors of business associates are also “business associates.” Due to the significance of the new rules and the imposition of direct liability on business associates under HIPAA, entities which are unsure of whether they qualify as a business associate should clarify with legal counsel.
So the healthcare world we have now moved into isn’t as simple as the previous one. How so? Well first, HIPAA covered entities, those organizations such as healthcare providers and health plans, must revisit their inventory of business associates, and based on the Final Rules, see if they have other organizations that would be considered business associates based on the clarified definitions. If so, they are obligated to have business associate agreements with those organizations.
Then second, if your organization currently works with HIPAA covered entities and has a business associate agreement with them, you would be well served to investigate and understand the new obligations that you now carry under the Final Rules. It is fairly likely that your agency may be either unaware of or unprepared to comply with the provisions of the Privacy Rule, the Security Rule and the Breach Notification Rule. There are specific actions that you must take to consider yourself in compliance. Take a look at HIPAA Final Rule compliance power points MAIA has had prepared for an outline of the steps you should consider at
Third, if your organization is currently a HIPAA business associate, you now may have subcontractors that you work with that are also considered business associates under the Final Rules. You have obligations to execute a business associate agreement with them (view sample agreement: http://bit.ly/hipaa_sample_ba). And they have obligations to comply with the new Rules. And in some cases, these subcontractors may not even be aware that they are now considered business associates. Whether they know it or not, they do have new obligations. So hopefully they are paying attention.
And that brings us to our fourth item. If your agency works in any way with healthcare organizations or healthcare patient data, you should get a legal opinion as to whether you could be considered a business associate under the new Rules. Waiting for your covered entity or upstream business associate to notify you of your obligations and provide you a business associate agreement to sign, may not be the best path. They may not recognize in a timely manner that your agency is, in fact, a business associate. You would be well served to be proactive in this regard and find out for yourself if you are considered a business associate under the new Rules and, if so, learn more about your obligations.
So hopefully in reading this, you realize that there is a lot to do and consider in the wake of the September 23, 2013 implementation deadline. If you require any further motivation, note that OCR has recently completed an audit program where they audited a collection of HIPAA covered entities as to their level of compliance with HIPAA standards. The results were really not encouraging. You can check out the presentation by Linda Sanchez, OCR Senior Advisor, Health Information Privacy and Lead, HIPAA Compliance Audits at http://bit.ly/hipaa_audit. In this presentation, she notes that in the next phase of audits, HIPAA business associates will also be included.
So think about it. If you received a letter from OCR notifying you that your organization is a HIPAA business associate and that you were selected for a HIPAA privacy and security audit, do you think you’d be ready?
MAIA will continue to develop resources and services to assist our members with determining what, if any, compliance obligations they have and how to comply.
Disclaimer: The information contained within this article is intended to be used as an informational resource and not viewed as an alternative to legal advice provided by an attorney or any other professional legal services provider.
Carmel M. Roberts is the owner of Agency Legal Solutions, PLLC, a law firm exclusively focused on serving the legal needs of insurance agents and agencies in Michigan. Prior to entering private practice, Roberts spent 15 years serving in executive positions in government and the insurance industry, including serving seven years as the General Counsel and Sr. VP of Government Affairs for the MAIA. She is the author of over 20 regulatory compliance manuals on various issues facing agents and has been directly involved in the passage of more than 680 state and federal laws. For more information on Roberts or her firm please go to http://agencylegalsolutions.com.