ABA Health eSource
December 2009 Volume 6 Number 4

After HITECH, Business Associate Agreements Impose Substantial Burdens
That Are No Longer Necessary

By Mark S. Hedberg, Partner, Hunton & Williams LLP, Richmond, VA

The terms “business associate” and “business associate agreement” have been an official part of the national healthcare lexicon since 2001, when the federal Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rules”) 1 were published pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). 2 But the “business associate approach” to disclosures of protected health information (“PHI”) by HIPAA’s covered entities that was taken in the Privacy Rules (and then the Security Rules) was not intended to be part of the regulatory fabric - business associates are not mentioned anywhere in HIPAA, and the Secretary of Health and Human Services had no legislative authority to regulate them directly. 3 Accordingly, the regulators applied a patch to cover this gap in legislative authority “by requiring covered entities to apply many of the provisions of rule to the entities with whom they contract for administrative and other services.” 4 Business associate agreements were the means by which this was accomplished.

The assurances covered entities were required to extract were not insignificant. Under the Privacy Rules, business associate agreements must require a business associate:

  • not to use or further disclose PHI other than as permitted or required by the underlying business arrangement (contract) or as required by law,
  • to use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract,
  • to report to the covered entity any use or disclosure of PHI not provided for by its contract of which it becomes aware, and
  • to impose the same requirements applicable through the business associate agreement to the business associate to any agents or subcontractors of the business associate, among other things. 5

Additionally, under the Security Rules a business associate agreement must require business associates to “[i]mplement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic [PHI].” 6 These requirements also posed logistical challenges. Covered entities had to identify all of their business associates and develop agreements that complied with the regulations, although the regulators published sample business associate contract provisions as an appendix to the Privacy Rules 7 which could be used as a starting point. Some large covered entities had to enter into hundreds of agreements. Once these agreements were put in place, one wonders the extent to which they were ever looked at again.

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act 8 changed matters significantly. HITECH imposes direct requirements on business associates to comply with certain provisions of the Security Rules and the Privacy Rules, and subjects business associates to civil and criminal liability for failing to do so. 9 But rather than eliminating the need for business associate agreements in light of this new, direct regulation of business associates, HITECH preserves them and arguably requires that they be amended to reflect the new requirements. For example, Section 13401(a) of HIPAA provides:

Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title [Title XIII of Division A of the ARRA] that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

Similarly, Section 13404(a) provides:

In the case of a business associate of a covered entity that obtains or creates [PHI] pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title. The additional requirements of this subtitle [Subtitle D of Title XIII of Division A of the ARRA] that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

There has been some debate over the proper reading of the last sentence of these two provisions. Some have suggested that the statutory language actually accomplishes the amendment and requires no implementation. The more conservative reading (and in the author’s view the reading that best gives effect to the plain language of the statute) 10 is that these provisions affirmatively require business associate agreements to be amended by the parties, but either way the redundancy is unnecessary. HITECH’s new statutory obligations eliminate the need for the regulatory patch -- but rather than removing it, and letting the substantive fabric of HITECH, the Privacy Rules and the Security Rules provide the necessary protections, HITECH not only keeps the patch in place but requires it to be made bigger.

It is difficult to understand the purpose that is served by requiring HITECH’s statutory obligations to be imposed by contract as well. Doing so would appear only to drive up costs for business associates and covered entities due to the necessary amendments without enhancing the protections afforded. A more practical and efficient approach would have eliminated the regulatory requirement for business associate agreements in favor of HITECH’s compliance obligations, which would have left covered entities and their business associates free to include as much or as little of them in their contracts as they determined was appropriate under the circumstances.

Reducing cost is a central theme of the ongoing healthcare reform debate. Eliminating these duplicative requirements would be a step in that direction. Accordingly, the author suggests that readers send their views on this issue to Congress and to the U.S. Department of Health and Human Services’ Office of Civil Rights, which is responsible for enforcing the Privacy Rule and the Security Rule.

1 Final Rule, Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 53,182 et seq. (Aug. 14, 2002) (codified as amended at 45 C.F.R. Part 160, Subparts A & B, and Part 164, Subpart E).
2 Pub. Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
3 Proposed Rule, Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,917, 59,924 (Nov. 3, 1999) (“Because we do not have the authority to apply these standards directly to any entity that is not a covered entity, the proposed rule does not directly cover many of the persons who obtain identifiable health information from the covered entities”).
4 Id.; see 45 C.F.R. §§ 164.502(e) & 164.504(e) (current requirements for covered entities to obtain by written agreement “satisfactory assurances” that a business associate will appropriately safeguard health information disclosed to it by the covered entity).
5 See 45 C.F.R. § 164.504(e)(2)(ii).
6 Id. § 164.314(a)(2)(i)(A).
7 67 Fed. Reg. 53,182, 53,264-66.
8 The HITECH Act consists of Division A, Title XIII, and Division B, Title IV, of the American Recovery and Reinvestment Act of 2009 (“ARRA”), Pub. Law 111-5, 123 Stat. 115 (Feb. 17, 2009).
9 HITECH §§ 13401, 13404.
10 The language used in HITECH is ineffective as a statutory act of incorporation for two reasons. First, the phrase “shall be incorporated” speaks to a future duty of covered entities and business associates to incorporate the requirements into their business associate agreements. If Congress actually had intended to amend all such agreements by statute, it would have used more definite language (such as “are hereby incorporated into all business associate agreements”). Second, HITECH does not address in any respect the contract terms being incorporated, and unlike the initial Privacy Rule and Security Rule standards for business associate agreements the HITECH privacy and security requirements are not susceptible of being parroted in a contract.
