By Scott Dondershine and Tony Fama
ZZZZZ… — the common sound when we start talking to information technology companies about their obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). How can that possibly apply to us? We are in the information technology business not the health care business!
Well, folks, we tell our clients, you may still be subject to HIPAA, thanks to the final “Omnibus Rule” that went into full effect on September 23, 2013. That rule and its underlying legislation known as the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, expanded the scope of HIPAA and, most importantly for many information technology companies, made “business associates” directly liable under HIPAA. Before September 23, 2013, only “covered entities” (basically a fancy term for a health plan, a health care clearinghouse or a health care provider) were directly liable under HIPAA and its regulations. Now, “business associates” also have obligations under HIPAA and are subject to enforcement (including criminal and civil penalties) by federal and state government officials. As a result, there are important consequences for any failure to comply with HIPAA’s requirements.
The saga begins in understanding the broad definition of a “business associate” – “BA” for short. The final rule defines a BA as a person or entity that either (1) creates, receives, maintains or transmits protected health information (“PHI”) in the performance of services for a covered entity; or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity where the provision of such services involves the use or disclosure of PHI.
It is important to note that, under the final rule, a BA may not even be a direct business partner of a “covered entity.” For instance, a BA may be a subcontractor of another BA that is a service provider to a covered entity. Alarm bells ringing yet….?
The definition is broad enough to capture information technology companies that receive or use any PHI, whether directly on behalf of a covered entity or indirectly through another BA. A BA, for instance, could receive PHI in the course of providing hosting or other cloud services. If any PHI is stored on the servers of that IT company, the IT company is a BA even if the IT company never even knew about the PHI and even if it never accesses or uses the PHI!
Many covered entities are requesting their IT providers to enter into business associate agreements (“BAA”). And, if you are a BA, then you need to enter into a BAA with any subcontractors, e.g., hosting companies, that you use if they have the access to any PHI through you. You may be a BA even if a covered entity hasn’t asked you to sign a BAA. The key issue is whether, on behalf of a covered entity, either directly or indirectly, you create, receive, maintain, or transmit any PHI.
In addition to entering into BAAs with any upstream covered entities and downstream BAs, a BA also needs to take other actions to comply with the requirements of HIPAA’s “Security Rule.” Primarily, like covered entities, BAs must implement and maintain administrative, physical, and technical safeguards to protect the security and integrity of PHI. Among other things, these safeguards mean you have to:
- Adopt a policies and procedures manual that reflects the company’s approach to protecting the security of electronic PHI (the manual should also provide procedures for complying with HIPAA’s various privacy requirements applicable to BAs);
- Conduct regular training of the staff on those policies and procedures;
- Enforce the policies and procedures among the staff;
- Appoint a security officer to be responsible for your compliance program; and
- Conduct a thorough analysis of the potential risks and vulnerabilities to the security and integrity of the PHI you retain in electronic format for a covered entity – and document the analysis you have done.
BAs were supposed to have all of these measures in place by September 23, 2013, as that was the deadline established for compliance. We expect, however, that many companies are still working to put all of these steps into effect.
HIPAA and HITECH hold vast implications for many companies, including information technology companies. The legislation is broad and evolving. This Client Alert is intended as an introduction only – it does not cover many key concepts. Let us know if you want to discuss the issues in this Client Alert with you in greater detail.
Disclaimer. This Client Alert does not provide legal advice. We are providing it for general informational purposes only.