The new HIPAA-HITECH regulation is here. Officially titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett’s play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too.
The most important changes involve expanding HIPAA’s scope of coverage, to regulate business associates (BAs) and subcontractors of BAs. The regulation applies the HIPAA Security Rule and parts of the Privacy Rule to BAs, which are now directly subject to HIPAA enforcement. Subcontractors of BAs are also deemed to be BAs, and there must be a business associate agreement (BAA) between a BA and a subcontractor. In this post, I will discuss these particular changes and their implications for a wide array of businesses and cloud computing in healthcare.
A Litany of Changes
Before I focus on the issue of scope, I want to point out some other key changes that the regulation makes. The regulation strengthens people’s rights to receive electronic copies of their protected health information (PHI). The Breach Notification Rule is changed to presume that any impermissible access, use, or disclosure of PHI is a breach unless a covered entity or business associate can demonstrate a low probability that PHI has been compromised. Instead of focusing on harm to the individual, the focus is on the likelihood PHI has been improperly accessed or exposed. Decedent PHI is protected for 50 years after death. Previously, HIPAA protected PHI after death without any time limitation. Patients who pay for treatment out-of-pocket have a right to restrict insurance companies from accessing the PHI. And as directed by the HITECH Act, the regulations provide for much stronger penalties for violations. There are many other changes too – I’m only hitting a few highlights.
HIPAA’s Expanded Scope
In my view, the most monumental change involves the vastly expanded scope of HIPAA. The regulation applies the HIPAA Security Rule and parts of the HIPAA Privacy Rule to business associates (BAs). A BA is any person or entity that, on behalf of a covered entity, “creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing.”
Previously, business associates were only indirectly subjected to HIPAA’s requirements. Covered entities had to have a business associate agreement (BAA) with a business associate that provided adequate assurances that PHI would be safeguarded. Now, HHS has direct enforcement power over business associates.
Additionally, subcontractors are now considered BAs and are subject to the same direct HHS enforcement. The regulation includes within the definition of a BA any “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” Commentary to the regulation provides that “[a]pplying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information in order for the covered entity to perform its health care functions.” According to the commentary: “A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.” The intent, as the regulation commentary explains, is to ensure that HIPAA protections extend “no matter how far ‘down the chain’ the information flows.” BAs are subject to the same civil and criminal penalties under HIPAA as covered entities.
What parts of the Privacy Rule apply to BAs? First, a BA is “directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule.” Second, a BA must disclose PHI when required by HHS for a compliance investigation. Third, when an individual requests an electronic copy of PHI from a covered entity, a BA is required to disclose PHI to the covered entity or to the individual in order to satisfy the covered entity’s obligations. Fourth, the minimum necessary rule applies to BAs.
The Implications for the Cloud
Are cloud computing service providers BAs? I believe that they would be covered. The regulation commentary provides that the “data transmission organizations that the Act requires to be treated as business associates are those that require access to protected health information on a routine basis. Conversely, data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.” The commentary also elaborates that “entities that manage the exchange of protected health information through a network, including providing record locator services and performing various oversight and governance functions for electronic health information exchange, have more than ‘random’ access to protected health information and thus, would fall within the definition of ‘business associate.’” Mere “conduits” of PHI, such as postal carriers or courier services, are not BAs because a “conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.”
According to the FAQ on the HHS website, “[t]he mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the protected health information of the covered entity. If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity.” The guidance includes the following example: “[A] software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity.”
The only ambiguity arises when the PHI is encrypted and the cloud provider lacks access to the unencrypted PHI: does the cloud provider then have access to it?
Overall, providers should realize that regardless of whether they provide services to covered entities or BAs, they will be deemed BAs if they create, receive, maintain, or transmit PHI for a regulated function or activity, “including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing.” In addition to having to follow key parts of the Privacy Rule and all of the Security Rule, and being subject to HIPAA enforcement and penalties, BAs are also fair game for HHS audits.
Beyond the Cloud
Beyond the Cloud, many other companies will find themselves within HIPAA’s expansive domain. HHS recognized in its commentary that small BAs might be particularly burdened with having to comply with HIPAA as they previously “may not have engaged in the formal administrative safeguards such as having performed a risk analysis, established a risk management program, or designated a security official, and may not have written policies and procedures, conducted employee training, or documented compliance as the statute and these regulations would now require.” Nevertheless, in spite of these challenges, all BAs must comply.
We are in a new regime of HIPAA enforcement, with HHS enforcing HIPAA quite vigorously and state attorneys general now able to enforce HIPAA as well. The penalties are much higher now too. This new regulation will be a wake-up call to many companies.
I applaud these changes to HIPAA. They keep PHI within HIPAA’s bubble of protection, as far too frequently before PHI would flow beyond the bubble, and it would be used and handled by companies that lacked adequate protections. The new HIPAA-HITECH regulation goes far to add protections and enforcement to PHI far and wide. There will be growing pains, of course, but this is a key step in the maturation of the HIPAA regime. Of course, some flaws in HIPAA remain, but on balance, HIPAA is one of the most comprehensive and impactful of privacy rules, and now the regulation has taken it to a new level. This is a big step forward in the protection of health privacy.
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells.