ABA Health eSource
August 2010 Volume 6 Number 12

Proposed Rule Addressing Security Rule Compliance by Business Associates and Subcontractors

By Suzanne D. Nolan, Esq., Frank, Haron, Weiner and Navarro PLC, Troy, MI

The proposed rule set forth in the Notice of Proposed Rulemaking released by the U.S. Department of Health & Human Services (HHS) 1 applies Security Rule provisions directly to business associates, a term which has been expanded to include subcontractors who create or use protected health information (PHI) while performing services for a business associate. 2 The proposed rule implements the provisions of the Health Information Technology for Clinical Health (HITECH) Act that require business associates to directly comply with the Security Rule.

Under the proposed rule, the business associate-subcontractor relationship is regulated in the same manner as is the covered entity-business associate relationship. Pursuant to proposed § 164.308(b)(2), a business associate may permit a subcontractor to use electronic PHI (e-PHI) on its behalf only if the business associate obtains satisfactory assurances that the subcontractor will implement appropriate measures to safeguard the e-PHI. 3 Additionally, the business associate must enter into a written agreement or other written arrangement with a subcontractor that complies with the requirements for a business associate agreement. 4 A business associate who fails to obtain such assurances or fails to enter into a written business associate agreement with a subcontractor will not be in compliance with the Security Rule. 5 The proposed revisions to Section 164.308 place the burden of obtaining these assurances from a subcontractor on the business associate and not on the covered entity. 6 The requirements that apply to the written contracts between the business associate and subcontractor are the same ones that apply to the written contract between the business associate and the covered entity. 7

Breach notification is another important regulatory obligation required of business associates. Under the proposed § 164.314(a)(2)(i)(C), a business associate is required by the Security Rule to report breaches of unsecured PHI, as defined in Section 164.410, to the covered entity. 8 Similarly, pursuant to the proposed § 164.314(a)(2)(iii), a subcontractor is required to report such breaches to the business associate on whose behalf it is performing services. The proposed rule also revises § 164.306 to require that as part of reviewing and updating a security program, covered entities and business associates must update their documentation for the security program. 9 Additionally, HHS proposes to amend Section 164.316(a) to permit changes to security policies and procedures only if such changes are documented and implemented in accordance with the Security Rule.

Most of the other modifications to the Security Rule are very straightforward changes that specifically amend an existing regulation to state such regulation now applies to business associates as well as to covered entities. These modifications implement the HITECH requirement that the regulations apply to business associates in the same manner as they apply to covered entities. The modified regulations are 45 CFR §§ 164.302, 164.304, 164.306, 164.308, 164.310, 164.312, 164.314 and 164.316. Notably, while HITECH did not specifically state that business associates were subject to §§164.306 and 164.314, the proposed rule clarifies that business associates are subject to these two sections.

The days of lax compliance with the Security Rule by business associates and their subcontractors appear to be gone given the direct regulation of both under the proposed rule, the penalties for noncompliance with the Security Rule, and the penalties for security breaches that result in the disclosure of unsecured e-PHI. Not only is compliance required, but HHS can take into account an organization’s compliance history in setting the amount of these penalties. Accordingly, business associates have a strong incentive to comply with the Security Rule to protect both their contractual relationships with covered entities and their own financial health.

It takes considerable effort to comply with the various complexities of the Security Rule. Because the Security Rule is meant to be flexible and adaptable for businesses of all sizes, it does not require specific measures to be used. Instead, the Security Rule sets forth 18 required standards which are organized into administrative safeguards, physical safeguards, and technical safeguards. Each standard has implementation specifications which provide instructions on how to meet the standard. Some implementation standards are required and some are addressable. Required implementation standards must be implemented as part of an organization's security program. If an addressable specification is not adopted, the organization must document why it was not reasonable to adopt the specification and adopt an alternative measure if it is reasonable and appropriate to do so. 10 Physical safeguards, which are meant to protect an organization's electronic information systems and e-PHI from unauthorized access, and technical safeguards, which deal with using technology to protect e-PHI and control access to e-PHI, are only part of a security program.

Over half of the standards are administrative standards which require documented policies and procedures for managing the day-to-day operations of an organization, the conduct and access of work force members to e-PHI and the use of security controls. An organization is required to develop a written security program that describes how each of the 18 standards is met. The starting point for such a security program is a risk analysis that assesses the manner in which an organization creates, receives, maintains or transmits e-PHI, the threats and vulnerabilities to such e-PHI, the impact of such threats, the physical security measures available, the technical security measures available, the level of risk, and documentation of the risk analysis. The risk analysis, in large part, will determine what safeguards should be adopted by an organization to meet the requirements of the Security Rule.

Attorneys have an important role to play in advising clients on Security Rule compliance and in drafting a written security program. It is important to alert any client who touches e-PHI to the possibility that the client is now considered a business associate. Clients who are business associates must begin developing a compliant security program if they do not already have one. It is particularly important for attorneys to advise their clients on the requirements of the Security Rule, to assist them in analyzing the results of a risk analysis, and to draft the appropriate written policies and procedures that are the backbone of a security program. Attorneys can work with IT personnel to develop and document a security program that will meet the requirements of the Security Rule and can be followed by a client. Clients, even those who already have a compliant security program, need advice on the increased risks associated with a failure to follow existing security programs. Clients also need to consider whether it is cost effective to implement additional safeguards including any safeguards needed to meet the requirements to secure e-PHI within the meaning of the safe harbor to the breach notification regulations.

Various governmental publications exist to assist attorneys in becoming familiar with the requirements of the Security Rule. On July 14, 2010, HHS posted the HIPAA Security Standards: Guidance on Risk Analysis, developed by the Office of Civil Rights (OCR), on its website. 11 This is the first in a series of updated guidances that OCR intends to provide to assist in identifying and implementing effective and appropriate administrative, physical and technical safeguards to secure e-PHI. Other papers pertaining to security safeguards are also available on the HHS website. 12 Guidelines published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, are an invaluable resource. Compliance with the NIST guidelines is not required for an organization to comply with the Security Rule. But the guidelines represent the industry standard for good practices with respect to securing e-PHI. 13 Moreover, the technologies and methodologies set forth in NIST’s An Introductory Resource Guide for Implementing the HIPAA Security Rule 14 can be used to render PHI unusable, unreadable or indecipherable to unauthorized individuals within the meaning of the breach notification safe harbors. 15

Even if the proposed rule is modified to eliminate the direct regulation of subcontractors, the handwriting is on the wall that security cannot be ignored by anyone. All organizations that touch e-PHI need to have security programs in place that comply with the Security Rule. OCR has announced a stepped up enforcement effort to identify organizations not complying with the Security Rule. Moreover, security breaches now must be reported to HHS. As more and more breaches occur and are reported to HHS, if nothing else, covered entities are apt to begin demanding full compliance with the Security Rule from their business associates and from the business associate’s subcontractors to minimize the negative impact on the covered entity of any downstream security breach. Similarly, business associates will demand the same of their subcontractors. Without such security, it is almost impossible to ensure that PHI will remain confidential, accurate, and available when needed.

1 U.S. Department of Health and Human Services, Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act: Proposed Rule, 75 Fed. Reg. 40868 (July 14, 2010).
2 See, John R. Christiansen and Amy K. Fehn, Casting a Vastly Expanded Regulatory Net: Implications of the New Definition of Business Associate Under HITECH, published in this volume of The ABA Health eSource, for a thorough discussion of how the proposed rule expands HIPAA to subcontractors.
3 75 Fed. Reg. 40917, 40918 (July 14, 2010), to be codified at 45 CFR § 164.308(b)(2).
4 75 Fed. Reg. 40918 (July 14, 2010), to be codified at 45 CFR § 164.308(b)(3).
5 Id., to be codified at 45 CFR § 164.314(a)(2).
6 75 Fed. Reg. 40917 (July 14, 2010), to be codified at 45 CFR § 164.308(b)(1).
7 75 Fed. Reg. 40918 (July 14, 2010), to be codified at 45 CFR § 164.314.
8 Id.
9 This requirement is part of the current 45 CFR § 164.316(b)(2)(iii).
10 See 68 Fed. Reg. 8334, 8336 (Feb. 20, 2003); 45 CFR § 164.306(d)(3).
11 Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf.
12 These papers are available at http://www.hhs.gov/ocr/hipaa.
13 These guides are available at http://csrc.nist.gov/publications/PubsSPs.html.
14 NIST Special Publication 800-66-Revision 1.
15 U.S. Department of Health and Human Services, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information. 74 Fed. Reg. 19008 (April 27, 2009).
