Overview

On February 17, 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act ("HITECH" or the "Act"), as part of the American Recovery and Reinvestment Act of 2009. The Act made sweeping changes to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Privacy and Security Rules promulgated under HIPAA. This Alert focuses primarily on Subtitle D of HITECH, which includes important provisions concerning the security and privacy of health information, and specifically on the key provisions of the subtitle relating to business associates. Future Alerts will address changes in HIPAA for covered entities, security breach reporting requirements, and the use of health information technology.

Until now, HIPAA has only directly regulated covered entities. Business associates were only indirectly subject to HIPAA, through business associate agreements with covered entities. This model, which led to significant holes in terms of real enforcement, will now change dramatically, as HITECH makes business associates directly subject to HIPAA effective February 17, 2010.

Business Associates And The Security Rule

The most significant new obligations for business associates arise under the Security Rule, with business associates now required to comply directly with the Security Rule's administrative, physical, and technical safeguard requirements. As part of the new compliance requirements, business associates must also appoint a security official, develop written policies and procedures, document security activities, and train their workforce on how to safeguard protected health information ("PHI").

These developments completely change the playing field for business associates. Previously, because business associates were only indirectly subject to HIPAA through contract, their failures to comply with HIPAA's requirements could have resulted at most in a breach of contract claim by the covered entity. Under HITECH, however, a business associate that fails to comply with the Security Rule will be subject to enforcement as if it were a covered entity. In this sense, business associates will essentially be indistinguishable from covered entities.

Business Associates And The Privacy Rule

The application of HITECH to business associates' compliance obligations under the Privacy Rule is more complex, as the Act does not make business associates directly subject to that rule. Instead, HITECH creates a direct statutory obligation for business associates to comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the Privacy Rule, which is the section that sets forth the mandatory provisions of a business associate agreement. Because the business associate agreement generally requires the business associate to comply with the same obligations with respect to use and disclosure of PHI that are imposed on a covered entity, the net result of the change in law will be to subject business associates directly to enforcement of the Privacy Rule. Again, where a business associate formerly only had contractual obligations to limit its use and disclosure of PHI, it now faces civil and criminal penalties in an enforcement action for failure to comply with those obligations.

In contrast to the new provisions of the Security Rule, the revised Privacy Rule will not specifically require business associates to appoint a privacy officer or develop policies and procedures. Nevertheless, given the potential consequences in terms of direct liability and increased enforcement, we recommend that business associates develop compliance policies and procedures.

Enforcement

The Act authorizes state attorneys general to bring actions to obtain injunctive relief or damages against a covered entity or a business associate when a citizen believes his or her medical privacy has been violated. The state attorney general may also collect attorneys' fees for pursuing civil actions for such violations. While there is still no private right of action under HIPAA, permitting attorneys general to initiate enforcement actions will undoubtedly result in increased HIPAA litigation.

Civil And Criminal Penalties

Business associates that violate the HIPAA security or privacy provisions or the terms of their business associate agreement will now face the same civil and criminal penalties as covered entities.

Next Steps

Over the next year, both business associates and covered entities will need to amend their existing business associate agreements to comply with the new requirements. Business associates will also need to take significant steps to develop policies and procedures for compliance with the Security and Privacy Rules. With the effective date currently less than one year away, business associates should initiate compliance efforts now.

www.cozen.com
