Practical Considerations: Business Associate Agreements Under The Proposed HITECH Rules
By Mark S. Hedberg, Esquire, Hunton & Williams LLP, Richmond, VA
On July 14, 2010, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services published a Notice of Proposed Rulemaking (the “Proposed Rule”) to (a) implement the health information privacy and security related amendments of the HITECH Act and (b) make certain other modifications to the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”). Several aspects of the Proposed Rule are addressed in this edition of eSource; this article provides practical advice regarding implementation of its business associate (“BA”) agreement provisions.
Although HITECH applies many Privacy Rule and Security Rule provisions directly to BAs and subjects BAs to civil and criminal liability for failing to comply with them, BA agreements are still required, and HITECH requires them to be amended to incorporate the new HITECH privacy and security provisions. The Proposed Rule accomplishes this generically through revisions to several of the required BA agreement elements set forth at 45 C.F.R. § 164.504(e)(2)(ii) and retention of the provision at § 164.504(e)(2)(i) that prohibits (subject to certain exceptions) BA agreements from authorizing any use or disclosure of PHI by a BA that would violate the Privacy Rule if done by the covered entity (“CE”). Thus, at a minimum, covered entities and BAs will need to update their agreements to reflect these changes once the Proposed Rule is finalized.
Another change that will be necessary relates to the steps a CE or BA must take if it learns of a pattern or practice that constitutes a material breach of the agreement. Currently, only the CE has obligations in this regard, and under the Privacy Rule a CE is not in compliance with the BA requirements unless the CE takes reasonable steps to cure the breach or end the violation and, if such steps are not successful, terminates the contract or arrangement or, if termination is not feasible, reports the situation to the Secretary. The Proposed Rule would eliminate the requirement to notify the Secretary if termination is not feasible, and would add a new provision applicable to BAs with respect to subcontractors that mirrors the obligations of a CE as to a BA. According to OCR, this latter provision implements HITECH § 13404(b). This is somewhat surprising because many had read § 13404(b) as addressing the BA’s obligations as to material breaches of a contract or arrangement by a covered entity, not by a downstream recipient of PHI from a BA. Once the Proposed Rule is finalized, BA agreements will need to be revised with these requirements in mind.
Additionally, there are at least two areas where it may be wise to go beyond the bare minimum. First, depending on the nature of the services provided by the BA, the parties may wish to address specifically the BA’s obligations with respect to the minimum necessary standard, the prohibition on the sale of PHI, fundraising activities, marketing activities or research activities. Modifications in each of these areas are included in the Proposed Rule.
Second, the way in which the BA agreement addresses breach notification obligations should be considered carefully. The Proposed Rule only requires that the agreement contain language requiring the BA to “[r]eport to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured [PHI] as required by § 164.410.” Significantly, however, under the breach notification rules, determining whether a “breach” under HITECH has occurred requires an assessment of the risk of harm associated with the unauthorized acquisition, access, use or disclosure of PHI. If the BA only needs to give notice of a “breach,” it would seem that the BA would be responsible for and required to conduct such assessment. The parties may prefer to require an initial notice of the event, and then conduct the risk assessment collaboratively. Doing so would help prevent disagreements and surprises.
Covered entities also may wish to impose a shorter deadline for BA notices pertaining to breaches. Although in the case of a BA breach the notice period applicable to the CE (without unreasonable delay, but not to exceed 60 days) usually will begin to run after the CE receives notice of the breach from the BA, if the BA is an agent of the CE, the CE notice period will run concurrently with the BA notice period. The CE accordingly will want to preserve for itself an appropriate portion of the period. Additionally, if the agreement includes a notice requirement as to a potential breach as described above, a much shorter notice deadline would seem to be appropriate.
The preamble to the proposed rule reflects OCR’s recognition that “it will be difficult for covered entities and BAs to comply with [the HITECH Act, which generally became effective February 18, 2010] until after we have finalized our changes to the HIPAA Rules. In addition, we recognize that covered entities and BAs will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and BAs with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.”
The Proposed Rule’s comment period will remain open until September 13, 2010, and the effective date of the final rule apparently will be 60 days after its publication. Assuming the final rule is published on October 31, 2010, the effective date of the final rule would be December 30, 2010, and the final rule’s compliance date generally would be June 28, 2011.
However, special transition provisions apply with respect to BA agreements. Covered entities and BAs, as well as BAs and their subcontractors, are proposed to be allowed to operate under existing contracts for up to one year beyond the compliance date noted above. Such grandfathering will apply to written contracts that (i) were put into place before the publication date of the final rule, (ii) comply with the HIPAA Rules in effect at the time the contract is put into place, and (iii) are not renewed or modified during the period between the effective date and the compliance date of the final rule. If these requirements are met, the BA agreement must be brought into compliance with the final rule on or before the earlier of (a) the date such agreement is renewed or modified, or (b) one year after the compliance date.
Some examples are helpful to illustrate the point. For each example, this article assumes that the final rule will be published on October 31, 2010, and effective on December 30, 2010, and that compliance therefore will be required on June 28, 2011.
Example 1: If CE and BA enter into a BA agreement that complies with the applicable HIPAA Rules before October 30, 2010, and such agreement is not renewed or modified between October 31, 2010 and June 28, 2011, such agreement must be amended to comply with the final rule by the earlier of (a) the date of any other modification or renewal after June 28, 2011 and (b) June 28, 2012.
Example 2: If CE and BA have entered into a BA agreement that does not comply with the applicable HIPAA Rules before October 30, 2010, even if such agreement is not renewed or modified between October 31, 2010 and June 28, 2011, such agreement must be amended to comply with the final rule by June 28, 2011.
Example 3: If CE and BA enter into a BA agreement that complies with the applicable HIPAA Rules before October 30, 2010, and such agreement automatically renews with no changes to its underlying terms on March 15, 2011, such agreement must be amended to comply with the final rule by the earlier of (a) the date of any other modification or renewal after June 28, 2011 and (b) June 28, 2012.
Example 4: If CE and BA enter into a BA agreement that complies with the applicable HIPAA Rules before October 30, 2010, and such agreement is modified on March 15, 2011, such agreement must be amended to comply with the final rule by June 28, 2011.
CEs and BAs will want to review their existing agreements to determine whether or not they comply with current rules, and take the grandfathering requirements into account as they structure new arrangements or modify existing ones around the time of the final rule’s effective date and compliance date.
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section. Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.