Final HIPAA Rule Clarifies Direct Liability of Business Associates and Subcontractors
Client Alert | 3 min read | 02.08.13
The HIPAA omnibus rule contains important changes concerning business associate and downstream contractor liability. These changes implement provisions of the HITECH Act, which sought to make business associates more accountable for the use, disclosure and security of PHI. Under the HIPAA Final Rule, business associates and their subcontractors now face HIPAA enforcement actions and are directly liable for violating the HIPAA Security Rule as well as certain provisions of the Privacy and Breach Notification Rules.
In the HIPAA Final Rule, HHS clarified the provisions for which business associates and subcontractors now face direct liability. These provisions include: (1) impermissible uses and disclosures[1]; (2) failure to provide breach notification to the covered entity[2]; (3) failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement)[3]; (4) failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request[4]; (5) failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf[5]; (6) failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules[6]; (7) failure to provide an accounting of disclosures (if subject to those requirements pursuant to the BA agreement)[7]; and (8) failure to comply with the requirements of the Security Rule.[8]
Business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the covered entity has chosen to delegate such a responsibility to the business associate.
The Final Rule clarifies that a person or entity is a business associate as a result of receiving PHI from a covered entity in the performance of services, regardless of whether it has entered into a written BA agreement.
The final rule also establishes a parallel set of contracting requirements for subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of the business associate. The final rule requires covered entities to obtain satisfactory assurances regarding the protection of PHI from their business associates, and business associates must do the same with their subcontractors, and so on, no matter how far "down the chain" the information flows. Furthermore, a subcontractor is a business associate to the extent that it is carrying out a delegated function for a BA, and it is subject to the same legal obligations as a BA that has contracted directly with a CE, again regardless of whether it has entered into a written BA agreement.
The agreement between a business associate and a subcontractor may not permit the subcontractor to use or disclose PHI in a manner that would not be permissible if done by the business associate. In short, with respect to permissible uses and disclosures, each agreement in the business associate chain must be at least as stringent as the agreement above it.
The final rule makes clear that a covered entity is not required to enter into a direct contract or other arrangement with subcontractors of its business associates. HHS believes that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that PHI is not adequately protected when provided to subcontractors.
[1] See § 164.502(a)(3).
[2] See § 164.410.
[3] See § 164.502(a)(4)(ii).
[4] See § 164.502(b).
[5] See § 164.502(e)(1)(ii).
[6] See § 164.502(a)(4)(i).
[7] See 76 Fed. Reg. 31426 (May 31, 2011).
[8] Section 13401 of the HITECH Act provides that the Security Rule's administrative, physical, and technical safeguards requirements in §§ 164.308, 164.310, and 164.312, as well as the Rule's policies and procedures and documentation requirements in § 164.316, apply to business associates.