HIPAA Omnibus Rule Makes Important Changes with Respect to Business Associate Agreements
The recent Omnibus Rule has made changes to HIPAA with potentially enormous implications for businesses doing work—even indirectly—with health care providers and other covered entities, as well as for the covered entities themselves. It has long been recognized that businesses handling protected health information for covered entities must operate pursuant to Business Associate Agreements (BAAs). As the Omnibus Rule became effective March 26, 2013, the requirements of those Agreements have changed with respect to who is covered, what activities are covered, and the potential liability and consequences for breaches of the HIPAA privacy requirements.
Arguably, the most dramatic change is the inclusion of subcontractors in the definition of “business associate.” Historically, only those businesses dealing directly with covered entities were explicitly included in the definition; the implications of the privacy rules for those with whom they subcontracted were murky. That is no longer the case. Subcontracting businesses are now directly liable for privacy breaches and subject to enforcement by the Office of Civil Rights.
This expanded definition of “business associate” creates new obligations for subcontractors, many of whom previously have not had to deal directly with HIPAA compliance issues. Similarly, covered entities will face a rash of questions regarding how the subcontractors of their associates are conducting business, as well as whether they should reserve the right to approve subcontractors or attempt to exercise control over their destruction policies and demand access to their books and records. This has implications for both the BAAs between covered entities and how business associates document their relationships with subcontractors.
While some business associates may already have used some form of BAA with their subcontractors, business associates now must have their own written BAAs with subcontractors. The obligations of each party with respect to reporting and other compliance issues are different, which means that the terms of subcontracting BAAs need to differ from the terms of the BAA between the covered entity and the business associate. Stated alternatively, gone are the days when business associates thought they could get away with photocopying the BAA they were handed by a covered entity to provide them protection downstream.
These changes also call into question what has been a knee-jerk reaction by some business associates and covered entities to ensure that there is a BAA in place with every entity with whom they contract. The Omnibus Rule has brought into focus the requirements for what constitutes handling of protected health information. Businesses that have only incidental exposure to that information may not be subject to the privacy rules. Potential business associates and their subcontractors now need to ask whether they are taking on potential liability when they do not need to do so. Similarly, covered entities need to question whether they are demonstrating a lack of understanding of their HIPAA obligations by offering, or even demanding, BAAs from associates when none are needed.
There is also new guidance on the question of when a covered entity can be held liable for breaches caused by their downstream associates. This question of vicarious liability is now determined with reference to the federal common law of agency. This implicates both the issue of how much control a covered entity seeks to exercise over a business associate, and the terms of the governing BAA. What was once considered safe practice for covered entities may now create unwanted liability.
We at Axley Brynelson strongly recommend that, if you are a party to a HIPAA business associate agreement, or are asked to sign one, you seek trusted counsel regarding these changes and how they affect your operations.