Alert November 19, 2009

Business Associates of HIPAA Covered Entities Need Action Plans for New Federal Breach Notification Requirements

The new federal data breach notification requirements, introduced by the HITECH Act that was part of the American Reinvestment and Recovery Act signed into law by President Obama in February 2009, affect not only “covered entities” (e.g., healthcare providers, insurers and clearinghouses) but also “business associates” (e.g., companies that provide services – often, technology services – to such covered entities and have access to protected health information) and vendors of personal health records (“PHR”).

The HITECH Act gave the Department of Health and Human Services (“HHS”) jurisdiction over the business associates for the first time, and PHR vendors are subject to the Federal Trade Commission’s jurisdiction for enforcement. Both HHS and the FTC have published rules on the new breach notification requirement. Generally, the breach notification rules require companies to notify individuals, the regulators and, in certain cases, the media, when unsecured protected health information is breached. Both the FTC rule and the HHS rule are now in force. Both HHS and FTC will assess sanctions for failure to provide the required notice for breaches discovered after February 22, 2010.

While covered entities and PHR vendors each face their own particular compliance challenges, this article focuses on the compliance strategies for business associates.  Business associates need to act quickly to minimize the risk of being involved in a breach that triggers these new notification requirements, and also must be prepared to respond to any breach in compliance with the HITECH Act.  Business associates should also review the terms of their agreements with covered entities, and their plans for incident response in the event that a breach occurs.

Are you a business associate? 

The term “business associate” was introduced by the Health Insurance Accountability and Portability Act (“HIPAA”).  Generally, it refers to entities that provide certain services to covered entities and, in connection with those services, have access to protected health information.  A wide range of entities can be business associates – the determination depends on the function and level of access to individually identifiable health information rather than the particular industry of the company.

Our company is a business associate to one or more covered entities. What should we be doing now to prepare for these breach notification requirements?

Companies that are business associates should reduce the likelihood that they will be involved with a breach that gives rise to notification requirements under the HITECH Act, applicable state law, and/or the terms of their agreements with covered entities.  Here are several steps that business associates should take now:

If classified as a business associate, ensure that this classification is correct and accurate. Many companies can feel pressured by their customers to execute business associate agreements whether or not they are indeed business associates. Before the HITECH Act, there was always a certain level of risk involved with executing business associate agreements; however, with the changes being ushered in by the HITECH Act, being a business associate entails a new level of risk. Executing business associate agreements subjects entities to direct regulation by a federal agency, including enforcement and penalty provisions, and should only be done if the entity truly meets business associate requirements.

As noted above, business associates are generally companies that provide services on behalf of HIPAA covered entities that involve the use or disclosure of protected health information. Prior to executing a business associate agreement, companies should ensure that they do meet this definition. As discussed further below, companies may also be able to restructure their business relationship and the performance of services to eliminate the company’s access to protected health information, and thus potentially eliminate the need for a business associate agreement and the federal regulation that comes with it. Of course, companies will still need to comply with the contractual obligations they have agreed to (whether a business associate or not), but if a company is not a business associate, then the enforcement of those obligations would be under a breach of contract theory by the other party, rather than enforcement by a federal agency, which could be the case if a company is a business associate.

Review executed business associate agreements and be very mindful of new agreements.   Given the changes to HIPAA introduced by the HITECH Act, many covered entities will soon be focusing on renegotiating existing business associate agreements to ensure that the agreements reflect the provisions of the HITECH Act. Business associates are well advised to develop and implement a strategy for negotiating business associate agreements.

Limit protected health information.   All entities, whether or not business associates, can limit their risks by limiting the amount of protected health information that they access, receive and/or possess.  If a business relationship can be structured so that such access is eliminated, or at least minimized, the risk of experiencing a reportable breach or other violations will also be reduced.

Improve security and consider encryption where possible. The new breach notification rules will only apply to information that is “unsecured.” Business associates are advised to ensure that, to the extent possible, all information is “secured.” HHS has issued guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals and thus not “unsecured.” Accordingly, business associates can reduce the odds that they will be involved in a reportable breach by, to the extent possible, encrypting all protected health information.

Train Employees. Many breaches have resulted from simple employee error. Accordingly, it is essential to ensure that all employees have appropriate training about the company’s policies and procedures for ensuring the privacy and security of all protected health information.

Develop an incident response plan. Hopefully, there will never be a breach that necessitates a response; however, all business associates should plan in advance for a worst case scenario and have a formalized incident response plan in the event of a breach. The HITECH Act is very specific in terms of the content, timing and format of notices that must be delivered to affected individuals. Under the regulations, the business associates’ responsibility will be to ensure that the applicable covered entity receives proper notice of the breach without unreasonable delay, but in no event more than 60 days after becoming aware of the breach. Covered entities likely are going to push for more rapid notice from their business associates. Any breach response plan must address not only the requirements of the HITECH Act, but also whatever terms have been agreed to with covered entities in the applicable business associate agreements.

*    *    *    *    *

While the regulators have asserted that they will not enforce the breach notification requirements until February 2010, the requirements are now in effect. Accordingly, it is vital that business associates undertake efforts to develop and implement a compliance strategy without further delay.