HIPAA Series Part II: Effect on Business Associates

Last month’s Part I installment provided an in-depth discussion of the historical underpinnings and foundation of the current HIPAA regulation.1   This month’s Part II installment will focus on the latest amendment to the HIPAA legislation, which significantly alters previously published requirements affecting business associates and their subcontractors. Specifically, the January 25, 2013 edition of the Federal Register published four final rules that affect business associates under HIPAA: (1) the definition of business associate; (2) the liability of business associates and subcontractors; and, (3) the level at which agreements between business associates and “covered entities” are scrutinized.  The final rule, which goes into effect on March 26, 2013, requires all covered entities and business associates to comply with the new regulations as of September 23, 2013.

Under previous HIPAA regulations, a business associate was generally defined as “…a person who performs functions or activities on behalf of, or certain services for, a covered entity that involves the use or disclosure of protected health information [PHI].”2  In the January 25, 2013 final rule, this definition was expanded to include a person who “creates, receives, maintains, or transmits PHI on behalf of a covered entity” [emphasis added], and includes any individual or entity providing patient safety activities, data transmission of PHI to a covered entity on a routine basis; or vendors of personal health records. 3  It has been estimated that approximately half a million business associates will fall under the new definition,4 though the Office of Civil Rights (OCR) has yet to issue clarification regarding “the types of entities that do and do not fall within the definition of business associate.”5

The Final Rule goes on to clarify the definition of subcontractor as an example of a “downstream entity” that “work[s] at the direction of or on behalf of a business associate and handle[s] PHI…”, and further specifies that any such downstream entity would also be obligated to comply with HIPAA provisions and liabilities as a primary business associate, “even if the entity does not actually view the [PHI].”6  This updated definition would include entities such as document storage companies, e.g., a cloud provider contracted by a legal firm to store medical malpractice records, which previously have not been covered under HIPAA.7   In addition, covered entities and business associates are further required to obtain and maintain business associate agreements with each other, as well as with any subcontractors or downstream entities, to ensure that all relevant entities are in compliance with HIPAA regulations regarding PHI.8 Toward this end, the U.S. Department of Health and Human Services (HHS) has provided specific guidance and sample language of business associate agreements on its website.9

Additional changes were made regarding the penalties associated with HIPAA violations.  Under the Final Rule, business associates are now (in addition to covered entities) directly liable for breaches in HIPAA, i.e., the impermissible use or disclosure of PHI, unless it can demonstrate a low probability that the PHI has been compromised, through a risk assessment.10  This differs from previous regulation that determined penalties based on the “…nature and extent of the violation… [and] of the resulting harm[Emphasis added] as a result of noncompliance.11  The rule calibrates fines for breaches of the regulation based on three tiers of culpability, namely: (1) “reasonable cause”; (2) “reasonable diligence”; and, (3) “willful neglect”, associated with fines up to $50,000, not to exceed $1.5 million annually, as well as criminal liabilities.12 

The latest amendment to the HIPAA regulation markedly differs from several requirements set forth in previous regulatory guidance regarding the protection of PHI.  The alteration of definitions for business associates and subcontractors greatly expands the reach of these regulations to entities not previously impacted by HIPAA, e.g., data management companies.  Additionally, the extension of liability to business associates and the relatively short time frame for implementation, i.e., the “prior to September 23, 2013 deadline”, may prove difficult for many entities newly obligated to comply with the recently published regulations.   As relevant covered entities and business associates await further guidance and clarification from HHS regarding the final rules, it is recommended that these entities review all business associate and subcontractor relationships and agreements for compliance with the new regulations, as well as internal policies and personnel education regarding appropriate management of PHI.13

1
“HIPAA Series Part I: History and Overview of HIPAA Legislation,” Health Capital Topics Newsletter, Vol. 6, No. 2, February 2013

2
“Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule” Federal Register, US Government, Vol. 78, No. 17, January 25, 2013, p. 5570.

3
Ibid, p. 5570-5572

4
“BAs are now Under Great Pressure”, by Theresa define and Francie Fernald eds., Report on Patient Privacy, Volume 13, No. 2, ,February 2013, p. 9.

5
Ibid, US Government, January 25, 2013, p. 5571.

6
Ibid, US Government, January 25, 2013,  p. 5572-5573.

7
Ibid, Fernald, p. 9-10.

8
Ibid, Fernald, p. 10.

9
“Business Associate Contracts: Sample Business Associate Agreement Provisions”, U.S. Department of Health & Human Services, January 25, 2013, http://www.hhs.gov/ocr/privacy/ hipaa/understanding/coveredentities/contractprov.html(Accessed March 12, 2013)

10
Ibid, US Government, January 25, 2013, p. 5641.

11
Ibid, US Government, January 25, 2013, p. 5641-5642; “HIPAA Administrative Simplification: Enforcement”, Federal Register, Vol. 74, No. 209, October 30, 2009, p. 56128

12
Ibid, US Government, January 25, 2013, p. 5582-5583.

13
“Final HIPAA/HITECH Privacy and Security Rules: ‘Covered Entity’ and ‘Business Associate’ Issues for Employers”, by Schiff Hardin LLP, The National Law Review,  March 10, 2013, p. 3, available at http://www.natlawreview.com/article/final-hipaahitech-privacy-and-security-rules-covered-entity-and-business-associate-i

© Health Capital Consultants
Todd A. Zigrang

Todd A. Zigrang, MBA, MHA, CVA, ASA, FACHE, ABV, is the President of Health Capital Consultants (HCC), where he focuses on the areas of valuation and financial analysis for hospitals, physician practices, and other healthcare enterprises. Mr. Zigrang has over 28 years of experience providing valuation, financial, transaction and strategic advisory services nationwide in over 2,000 transactions and joint ventures. Mr. Zigrang is also considered an expert in the field of healthcare compensation for physicians, executives and other professionals.

Mr. Zigrang is the co-author of "The Adviser’s Guide to Healthcare – 2nd Edition" [2015 – AICPA], numerous chapters in legal treatises and anthologies, and peer-reviewed and industry articles such as: The Accountant’s Business Manual (AICPA); Valuing Professional Practices and Licenses (Aspen Publishers); Valuation Strategies; Business Appraisal Practice; and, NACVA QuickRead. In addition to his contributions as an author, Mr. Zigrang has served as faculty before professional and trade associations such as the American Society of Appraisers (ASA); the National Association of Certified Valuators and Analysts (NACVA); Physician Hospitals of America (PHA); the Institute of Business Appraisers (IBA); the Healthcare Financial Management Association (HFMA); and, the CPA Leadership Institute.

Mr. Zigrang holds a Master of Science in Health Administration (MHA) and a Master of Business Administration (MBA) from the University of Missouri at Columbia. He is a Fellow of the American College of Healthcare Executives (FACHE) and holds the Certified Valuation Analyst (CVA) designation from NACVA. Mr. Zigrang also holds the Accredited Senior Appraiser (ASA) designation from the American Society of Appraisers, where he has served as President of the St. Louis Chapter. He is also a member of the America Association of Provider Compensation Professionals (AAPCP), AHLA, AICPA, NACVA, NSCHBC, and, the Society of OMS Administrators (SOMSA).

Jessica L. Bailey-Wheaton

Jessica L. Bailey-Wheaton, Esq., is Senior Vice President and General Counsel of HCC. Her work focuses on the areas of Certificate of Need (CON) preparation and consulting, as well as project management and consulting services related to the impact of both federal and state regulations on healthcare transactions. In that role, Ms. Bailey-Wheaton provides research services necessary to support certified opinions of value related to the Fair Market Value and Commercial Reasonableness of transactions related to healthcare enterprises, assets, and services.

She serves on the editorial board of NACVA’s The Value Examiner and is the current Co-Chair of the American Bar Association (ABA) Health Law Section’s Membership Committee and the Young Lawyer Division (YLD) Liaison to the ABA Health Law Section Governing Council. She has previously presented before the ABA, American Health Law Association (AHLA). NACVA, the National Society of Certified Healthcare Business Consultants (NSCHBC), and the American College of Surgeons.

Ms. Bailey-Wheaton is a member of the Missouri and Illinois Bars and holds a J.D., with a concentration in Health Law, from Saint Louis University School of Law.

Janvi R. Shah

Janvi R. Shah, MBA, MSF, CVA, serves as Senior Financial Analyst of HCC. Mrs. Shah holds a M.S. in Finance from Washington University Saint Louis and the CVA designation from NACVA. She develops fair market value and commercial reasonableness opinions related to healthcare enterprises, assets, and services. In addition she prepares, reviews and analyzes forecasted and pro forma financial statements to determine the most probable future net economic benefit related to healthcare enterprises, assets, and services and applies utilization demand and reimbursement trends to project professional medical revenue streams and ancillary services and technical component (ASTC) revenue streams.

Click Here for More Information on
HCC's Leadership and Capabilities
© Health Capital Consultants
Healthcare Valuation Banner Advisor's Guide to Healthcare Banner Accountable Care Organizations Banner