Urgent - Verify Your Business Associate and Subcontractor Agreements by This Friday 1/25/13 to Qualify for Extension

The September 23, 2013 deadline for updating Business Associate Agreements is extended for one year under the Omnibus Rule for covered entities who have compliant Business Associate Agreements in place by Friday, January 25, 2013. This also applies to agreements between Business Associates and their subcontractors.

Covered Entities and Business Associates (as well as Business Associates and their subcontractors) may continue to rely on those agreements for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the Omnibus Rule. This includes existing written agreements between business associates and subcontractors under which such subcontractors agree to the same restrictions and conditions that apply to the business associate. Such contracts are deemed to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until September 23, 2014 (one year after the compliance date), whichever is sooner. "Evergreen" contracts which automatically renew also qualify for the extension.

Covered Entities (providers, health plans/insurers, and clearinghouses) should verify that they have current signed business associate agreements in place no later than this Friday in order to be grandfathered for an extra year.

Business Associates who have delegated functions involving PHI to subcontractors need to make sure they have signed written agreements in place that meet the standards of the existing rule, under which the subcontractors agree to follow HIPAA. This is where there may be more gaps, since many Business Associates may have been unaware of their obligation to assure compliance by their subcontractors.


Even grandfathered Business Associate Agreements and subcontractor agreements should be reviewed to see if the contracted party (business associate or subcontractor) is acting as an agent of the Covered Entity or Business Associate. If it is, the date on which a breach is discovered (or should have been discovered) is imputed up the contractual chain, and could mean that the Covered Entity is responsible for reporting breaches it knows nothing about.

If you need help determining whether you qualify for grandfathering, please contact your Fox Rothschild attorney immediately.

Proposed HITECH Regulations Require Business Associates to Police Subcontractors Receiving PHI


On Thursday, July 8, 2010, the Department of Health and Human Services (HHS) announced proposed modifications to the HIPAA Privacy & Security Rules implementing the HITECH Act. The proposed modifications include new requirements on business associates with regard to their subcontractors.

The Office for Civil Rights (OCR) within HHS proposes to include in the definition of "business associate" in § 160.103 subcontractors that create, receive, maintain, or transmit protected health information on behalf of a business associate. OCR specifies that it does not intend this proposed modification to mean that a covered entity is required to have a contract with the subcontractor. Rather, the "obligation is to remain with the business associate who contracts with the subcontractor." In § 164.308(b)(2), OCR proposes "to make clear that it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information."

The proposed rule casts business associates into a much more active role, requiring them to enter into business associate agreements (BAAs) with their subcontractors. In effect, business associates would be expected to act as though they are covered entities in terms of identifying when protected health information (PHI) is transmitted to third parties and policing the privacy and security of PHI whenever it flows downstream or outside the business associate workforce.

Because a covered entity with which a business associate has contracted still bears ultimate responsibility for the privacy and security of the PHI of its patients or clients, existing BAAs may require further review and amendment to protect the covered entity sufficiently should this rule be adopted.

Covered Entity Liability for Business Associate Ignorance of Breach under HITECH -- Really?

For covered entities (CEs) that have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous. But what about breaches the CE doesn't know about? What if the CE's business associate (BA) fails to report a breach of unsecured health information? What if the BA doesn't even know about the breach?

The Interim Final Rule published by the Office of Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility: "yes, a CE must meet the breach notification requirements and timeline, even when the CE is not responsible for, and does not even know about, a breach." The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself."

The date a breach is discovered is extremely important, because it triggers the 60-day notice requirement. The fact that a CE has no actual knowledge of a BA's breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach. The clock starts running when the BA knew, or should have known, about the breach. According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under federal common laws of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so."


One Man's Scrap Paper .... (part 2)


In my previous post, I left open the question of whether UPS is on the hook under HIPAA for the box of medical records that ended up in a paper scrap resale warehouse. The brief response: not under HIPAA.

The federal government has expressly stated that mail carriers are not considered business associates under the HIPAA Privacy Rule when they handle protected health information on behalf of a covered entity provider. The federal government addressed this exact issue in its guidance document published on December 3, 2002. There, the question posed and the government's answer were as follows:

Q: Are the following entities considered "business associates" under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

A: No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

As such, UPS had no direct legal obligation under HIPAA, or as a Business Associate, to safeguard the medical records in the hospital's box. A covered entity may, however, attempt to impose additional obligations on its delivery service carriers through contract terms, where the carrier will agree to them.