New HIPAA Provisions Place Requirements on Business Associates of Covered Entities

By Melissa M. Zambri, for HealthLeaders Media
January 14, 2010

As you likely know, the American Recovery and Reinvestment Act of 2009 significantly changed provisions in the HIPAA Privacy and Security Regulations, broadening their applicability and creating new provisions that place new requirements on those covered by the rules, such as physicians. These laws had not undergone revision since they were enacted years ago.

For years, physicians have had to ensure that appropriate agreements were in place with their business associates, which includes anyone who provides legal, accounting, consulting, financial, quality assurance, or billing services, among others. These agreements have a great amount of standard language and require the business associate to secure the physician's protected health information and use and disclose it only as appropriate.

Prior to the stimulus package, the HIPAA rules did not directly apply to business associates, as they were only subject to the contract provisions mentioned above. Regulatory authorities could not enforce the provisions against or sanction a business associate. The stimulus package changed this by:

  • Extending many provisions of the HIPAA rules to business associates
  • Expanding civil and criminal penalties for violation of the applicable rules to business associates
  • Requiring periodic compliance audits of business associates by the United States Department of Health and Human Services.

The stimulus package also created the first comprehensive security breach notification requirements for the unauthorized acquisition, access, use, or disclosure of protected health information, where the breach compromises security or privacy. These new rules require notification to patients and the HHS Secretary in the event of a breach. Depending on the number of individuals impacted, other notifications may be required.

In addition, penalties will be increased up to a maximum of $1.5 million depending on certain factors. Some groups have criticized those that enforce the rules for the limited number of enforcement actions taken. The new law gives state attorneys general the authority to bring suit in federal district court against any person violating the rules on behalf of state residents to stop further violation or to obtain damages on behalf of such residents. The court will be allowed to award attorneys fees to the state in such actions.

Physicians should now take certain steps with respect to the compliance of their business associates, including:

  • Business Associate Agreements should be amended to ensure that the business associate is specifically required to comply with relevant provisions.
  • Business Associate Agreements should now contain language which requires the business associate to inform the physician within a certain period of time (the shorter the better for the physician) of a breach.

Among other provisions that physicians may want to consider with their attorney for inclusion are:

  • Requiring business associates to maintain sanctions against agents and subcontractors that violate the terms of the Business Associate Agreement.
  • Allowing the physician to inspect and request information of the business associate to ensure compliance.
  • Stating that the business associate has no ownership rights over the protected health information.
  • Allowing the physician to terminate the agreement if the business associate is named as a defendant in a criminal proceeding for a violation of the rules, or if a finding or stipulation that the business associate has violated the rules has been entered in an administrative or civil proceeding.
  • Provisions allowing for injunctive relief (the prevention of further breaches).
  • Indemnification provisions.
  • Provisions requiring the business associate to make itself and those associated with it available to the physician as needed in the event that litigation or administrative proceedings related to the rules are commenced.
  • Language stating that the agreement is not meant to allow a non-party to the agreement the opportunity to sue the parties.

It is important to note that physicians are not required to monitor or oversee the ways that their business associates carry out privacy safeguards or the extent to which the business associate abides by the Business Associate Agreement.

Physicians are not responsible or liable for the actions of their business associates. However, if a physician finds out about a material breach or violation of the contract by the business associate, he or she must take certain steps required by the rules and the agreement.

Given the increased expected enforcement, the now greater penalties, and the increasing interest of patients in privacy rights, it is important that physicians appropriately amend Business Associate Agreements. This will give physicians a sense of whether their business associates are ready and willing to agree to the new provisions. In addition, if physicians have any concerns about the policies or practices of a business associate, the physician should make efforts to obtain further information and terminate the contract if warranted.

In this climate, it is important that physicians both update and reinvigorate their own HIPAA compliance plan and ensure business associates do the same.


Melissa M. Zambri is a partner in the law firm Hiscock & Barclay, LLP in its Albany, NY office. She is a member of the firm's Health Care and Human Services Practice Area and is the Chair of the New York State Bar Association's Health Law Section Committee on Fraud, Abuse and Compliance.