The US Department of Health and Human Services (HHS) has just proposed new regulations designed to fulfill the amendments made to HIPAA last year when the economic stimulus act (ARRA) was passed by Congress. The separate Health Information for Economic and Clinical Health (HITECH) Act was grafted onto ARRA. Recall that among the HIPAA amendments included in ARRA were:

  • Bigger penalties and tougher enforcement
  • Direct regulation of “business associates” of “covered entities”
  • Breach notification requirements
  • Expansion of patient rights to restrict disclosure and demand accounting for disclosures
  • New regulations for privacy and security of information

The proposed HHS regulations implement various provisions of HITECH and focus particularly on business associates. HHS has created a new website for information about all the moving parts of HIPAA privacy and security. As you connect the HIPAA dots, it’s important to remember that some provisions of the security rules will directly apply to business associates. HHS has proposed giving business associates six months from the effective date of the final regulations to comply with the new requirements. In addition, the new rules will grandfather existing business associate agreements for one year after the effective date [§164.532(d) and (e)], giving everyone time to negotiate and implement new agreements where necessary.

Under the proposed rules, business associates will have their own “business associates,” now called “subcontractors,” who will also be liable for violations of HIPAA. Yes, that’s right: business associates must obtain “business associate agreements” (BAAs) from those who subcontract with them – BAAs for BAAs. Under §160.103 (3), a business associate is defined to include “a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” The new regulations will focus the attention of business associates on information security and HIPAA compliance. Here’s how HHS describes the circumstances:

“Up to this point, the consequences of failing to meet the privacy and security standards were limited to a business loss in the form of a terminated contract. In the context of the business associate’s overall business, the risk of losing the contract may not be a sufficient incentive to warrant investing in added security or establishing privacy policies potentially at significant expense. There may be other more benign reasons such as ignorance of potential threats or lack of knowledgeable personnel on staff. Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.” [see page 164]

The proposed regulations contain several important explanations of the investigation, enforcement, and penalties for HIPAA violations. HHS provides guidance on the levels of inattention that create the greatest risk for covered entities and business associates from “did not know” to “willful neglect” of responsibilities. The regulations also describe the factors for determining the level of penalty.

Finally, the proposed rules contain clarifications of existing rules, such as this one, with which I leave you to ponder deeply:

“We propose to modify the definition of “protected health information” at §160.103 to provide that the Privacy and Security Rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years.” [see page 108]