• Home

  • Documents

  • Omnibus Final Rule Issued on HIPAA/ HITECH Act ......Omnibus Final Rule Issued on HIPAA/ HITECH Act:...
4
Pillsbury Winthrop Shaw Pittman LLP www.pillsburylaw.com 1 February 7, 2013 Omnibus Final Rule Issued on HIPAA/ HITECH Act: Significant Changes for ‘Business Associates’ By Gerry Hinkley, Allen Briskin and Caitlin Bloom On January 25, 2013, the Department of Health and Human Services published the much-anticipated Omnibus Final Rule (the “Final Rule”), which, with respect to business associates and their subcontractors, conforms HIPAA’s Privacy and Security Rules to a number of changes brought about by the HITECH Act, implements a number of regulatory changes seen in HHS’s proposed rule-making, and modifies a number of other proposed regulatory changes. The Final Rule expands the reach of the HIPAA Rules by clarifying that those who “maintain and transmit” protected health information on behalf of covered entities are subject to many of those rules as business associates of those covered entities. Moreover, certain subcontractors of business associates are now to be treated as business associates themselves. As a result, business associates and those subcontractors are required to enter into business associate agreements with each other, and those subcontractors will be responsible for HIPAA compliance not only under those contracts but also directly under the HIPAA Rules themselves. Finally, the Final Rule also changes a number of the mandated terms of business associate contracts and will require covered entities, business associates and subcontractors to revisit their existing agreements for compliance with the Final Rule’s new requirements. The Final Rule takes effect March 26, 2013, and compliance generally is required by September 23, 2013. Business associate contracts that were in effect on January 25, 2013, and that complied with the HIPAA Rules in effect on that date, may qualify for an extension of the compliance deadline if those contracts are neither modified nor renewed between March 26 and September 23, 2013. Business associate contracts that do not qualify for the extension must be brought into compliance by September 23, 2013. After that date, contracts that do qualify for the extension must be brought into compliance when they are renewed or modified and in no event later than September 22, 2014. Client Alert Employment Health Care & Life Sciences Privacy, Data Security & Information Use

Omnibus Final Rule Issued on HIPAA/ HITECH Act ......Omnibus Final Rule Issued on HIPAA/ HITECH Act: Significant Changes for ‘Business Associates’ By Gerry Hinkley, Allen Briskin

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

  • Client Alert Health Care & Life Sciences

    Pillsbury Winthrop Shaw Pittman LLP www.pillsburylaw.com 1

    February 7, 2013

    Omnibus Final Rule Issued on HIPAA/ HITECH Act: Significant Changes for ‘Business Associates’ By Gerry Hinkley, Allen Briskin and Caitlin Bloom

    On January 25, 2013, the Department of Health and Human Services published the much-anticipated Omnibus Final Rule (the “Final Rule”), which, with respect to business associates and their subcontractors, conforms HIPAA’s Privacy and Security Rules to a number of changes brought about by the HITECH Act, implements a number of regulatory changes seen in HHS’s proposed rule-making, and modifies a number of other proposed regulatory changes.

    The Final Rule expands the reach of the HIPAA Rules by clarifying that those who “maintain and transmit” protected health information on behalf of covered entities are subject to many of those rules as business associates of those covered entities. Moreover, certain subcontractors of business associates are now to be treated as business associates themselves. As a result, business associates and those subcontractors are required to enter into business associate agreements with each other, and those subcontractors will be responsible for HIPAA compliance not only under those contracts but also directly under the HIPAA Rules themselves. Finally, the Final Rule also changes a number of the mandated terms of business associate contracts and will require covered entities, business associates and subcontractors to revisit their existing agreements for compliance with the Final Rule’s new requirements.

    The Final Rule takes effect March 26, 2013, and compliance generally is required by September 23, 2013. Business associate contracts that were in effect on January 25, 2013, and that complied with the HIPAA Rules in effect on that date, may qualify for an extension of the compliance deadline if those contracts are neither modified nor renewed between March 26 and September 23, 2013. Business associate contracts that do not qualify for the extension must be brought into compliance by September 23, 2013. After that date, contracts that do qualify for the extension must be brought into compliance when they are renewed or modified and in no event later than September 22, 2014.

    Client Alert

    Employment

    Health Care & Life Sciences

    Privacy, Data Security & Information Use

  • Client Alert Health Care & Life Sciences

    Pillsbury Winthrop Shaw Pittman LLP www.pillsburylaw.com 2

    Expanded Definition of ‘Business Associate’ Parties That “Create, Receive, Maintain or Transmit” Protected Health Information (“PHI”). The Final Rule clarifies and expands the HIPAA Rules’ definition of “business associate” to include one who, other than in the capacity of a member of a covered entity’s workforce, “creates, receives, maintains, or transmits” PHI on behalf of a covered entity for a function or activity that is regulated under HIPAA. As a result, as indicated under the HITECH Act, parties that provide data transmission services for covered entities (or for their business associates, as explained below), and who require routine access to PHI, are to be treated as business associates. In addition, those that provide data storage and other maintenance services and that have ongoing access to that PHI also now clearly fall within the HIPAA Rules’ requirements for business associates. In contrast, those that act as mere “conduits” for the transmission of PHI, such as telecommunications carriers, remain outside HIPAA’s regulation.

    Subcontractors of Business Associates. Perhaps the most dramatic change with respect to business associates brought by the Final Rule is HHS’s decision to implement its earlier rulemaking proposal to expand the definition of “business associate” to include certain subcontractors. The Final Rule adds a new definition of “subcontractor” that includes any person to whom a business associate delegates a function, activity or service, other than in the capacity of a member of the business associate’s workforce. Any such subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate is also considered to be a business associate. As a result, like the business associate for which it provides services, the subcontractor is directly regulated under the Privacy and Security Rules, and is subject to compliance audits and potentially liable for civil money penalties and other enforcement measures for non-compliance.

    Business Associate Contracts Between Business Associates and Subcontractors. Prior to the Final Rule, a business associate’s contract with a subcontractor was required only to include the subcontractor’s agreement to be bound by the same restrictions and conditions with respect to the treatment of PHI that applied to the business associate under its business associate contract with the covered entity. Under the Final Rule, the business associate and the subcontractor are required to enter into a business associate contract that includes all the terms and conditions for such contracts mandated by the Privacy and Security Rules. As a result, following the Final Rule, subcontractors will be responsible for an expanded set of legal obligations that arise both directly under the HIPAA Rules and under their business associate contracts.

    Downstream Subcontractors. As a consequence of subcontractors being included within the definition of “business associate,” the Final Rule provides that, if a subcontractor delegates functions to sub-subcontractors that involve the creation, receipt, maintenance, or transmission of PHI on behalf of a business associate, those sub-subcontractors will be treated as business associates and therefore be directly subject to the HIPAA Rules’ requirements and required to enter into business associate contracts with their own subcontractors, if any, down to and including all downstream contractors that perform functions involving the creation, receipt, maintenance or transmission of PHI.

    Permitted Uses and Disclosures of PHI by Downstream Subcontractors. The Privacy Rule will require that each business associate use and disclose PHI only for the purposes, and only when, permitted under the HIPAA Rules. A business associate that contracts directly with a covered entity will also be restricted by the limitations on use and disclosure of PHI imposed under its business associate contract with the covered entity. In turn, that business associate may only disclose PHI to a subcontractor to the extent permitted by that business associate contract with the covered entity, and the subcontractor may be further limited in its use and disclosure of PHI by any limits imposed under its business associate contract with the business associate. As a result, contracts with downstream subcontractors should be drafted and

  • Client Alert Health Care & Life Sciences

    Pillsbury Winthrop Shaw Pittman LLP www.pillsburylaw.com 3

    managed carefully to comply with what may potentially be multiple levels of restrictions imposed upon permitted uses and disclosures of PHI through business associate contracts.

    Other Business Associates. The Final Rule’s expanded definition of “business associate” also clarifies that it applies to health information organizations, e-prescribing gateways, and others that provide data transmission services to covered entities with respect to PHI, and that require access on a routine basis to that PHI. While many parties offering personal health records (“PHRs”) to consumers remain beyond HIPAA’s jurisdiction, those who offer PHRs on behalf of a covered entity are covered by the HIPAA Rules as business associates.

    Scope of Rules that Apply to Business Associates Security Rule. The Final Rule requires all business associates, including subcontractors, to comply with the substantive provisions of the Security Rule, and implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI, and the Security Rule’s policy and procedure and documentation requirements. However, the Security Rule retains its existing flexibility regarding the implementation of required safeguards, so that business associates and subcontractors may tailor their security measures to be appropriate to their size, complexity, and capabilities, their technical infrastructures and hardware and software capabilities, the cost of security measures, and the probability and criticality of potential risks to the electronic PHI they create, receive, maintain or transmit.

    Privacy Rule. The Final Rule requires business associates, including subcontractors, to comply with specified provisions of the Privacy Rule. With some exceptions, business associates are subject to the Privacy Rule’s rules concerning permitted uses and disclosures of PHI (though they are further limited to the uses and disclosures that would be permitted for the covered entity), the prohibition on the sale of PHI, and the Rule’s requirements to adhere to the “minimum necessary” rule, enter into business associate contracts, and obtain authorizations for uses and disclosures of PHI not permitted by an exception. Under the Final Rule, business associates are required to support covered entities’ compliance with their obligations to report breaches of unsecured PHI, to provide individuals with access to and copies of their PHI, to make certain amendments to PHI, and to provide accountings of disclosures.

    Review and Revision of Business Associate Agreements Covered entities, business associates, and those business associates’ subcontractors should review their business associate and other contracts for compliance with the Final Rule, and prepare to make amendments or enter into new agreements as is required for compliance.

    As noted above, the Final Rule will require business associates’ contracts with their subcontractors to incorporate all the terms and conditions the Privacy Rule mandates for business associate contracts. Existing business associate contracts should be reviewed for compliance with the following changes brought by the Final Rule:

    Changes in the definition of “business associate” and the new definition of “subcontractor.”

    The business associate must obtain satisfactory assurances that subcontractor(s) will appropriately safeguard PHI.

  • Client Alert Health Care & Life Sciences

    Pillsbury Winthrop Shaw Pittman LLP www.pillsburylaw.com 4

    The business associate contract must provide that the business associate will comply with applicable requirements of the Privacy and Security Rules.

    The business associate contract must provide that the business associate will ensure that any subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the applicable requirements of HIPAA by entering into a business associate contract or other arrangement that complies with the Privacy and Security Rules.

    The business associate contract with a subcontractor must allow the business associate to terminate the contract if the business associate knows of a pattern of activity or practice of the subcontractor that constitutes a material breach of the subcontractor’s obligations under the contract, and reasonable steps to cure the breach or end the violation are unsuccessful.

    The business associate contract must provide that the business associate will report to the covered entity any breach of unsecured protected health information as required by the Privacy Rule.

    The business associate contract must provide that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the business associate agrees to the same restrictions and conditions that apply to the business associate with respect to that information.

    To the extent that the business associate is to carry out an obligation of the covered entity under HIPAA, the business associate agreement must require that the business associate comply with the requirements of HIPAA that apply to that obligation.

    HIPAA’s requirements for business associate contracts between a covered entity and a business associate apply to a business associate contract between a business associate and a subcontractor.

    If you have any questions about the content of this alert, please contact the Pillsbury attorney with whom you regularly work, or the authors below.

    Gerry Hinkley(bio) San Francisco +1.415.983.1135 [email protected]

    Allen Briskin (bio) San Francisco +1.415.983.1134 [email protected]

    Caitlin B. Bloom (bio) San Francisco +1.415.983.1023 [email protected]

    This publication is issued periodically to keep Pillsbury Winthrop Shaw Pittman LLP clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The comments contained herein do not constitute legal opinion and should not be regarded as a substitute for legal advice. © 2013 Pillsbury Winthrop Shaw Pittman LLP. All Rights Reserved.

    mailto:[email protected]:[email protected]:[email protected]://www.pillsburylaw.com/gerry-hinkleyhttp://www.pillsburylaw.com/allen-briskinhttp://www.pillsburylaw.com/caitlin-bloom

From HIPAA to HITECH OMH Briefing. Overview Part 1: HIPAA Review Part 2: HITECH Highlights Part 3: HITECH Breach Notification Requirements

From HIPAA to HITECH OMH Briefing. Overview Part 1: HIPAA Review Part 2: HITECH Highlights Part 3: HITECH Breach Notification Requirements

Documents
On ramp hipaa-omnibus-presentation

On ramp hipaa-omnibus-presentation

Technology
HIPAA Enforcement Guide - TeachPrivacy · In 2013, HHS issued the Omnibus Final Rule implementing HITECH Act changes in HIPAA. But its enforcement approach changed earlier, right

HIPAA Enforcement Guide - TeachPrivacy · In 2013, HHS issued the Omnibus Final Rule implementing HITECH Act changes in HIPAA. But its enforcement approach changed earlier, right

Documents
Federal Update on HIPAA and HITECH Privacy and Security … · 2014-02-28 · The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American

Federal Update on HIPAA and HITECH Privacy and Security … · 2014-02-28 · The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American

Documents
Hipaa hitech security flyer

Hipaa hitech security flyer

Documents
Hipaa Goes Hitech

Hipaa Goes Hitech

Health & Medicine
HIPAA/HITECH Privacy and Security

HIPAA/HITECH Privacy and Security

Documents
WELCOME TO HIPAA & HITECH TRAINING

WELCOME TO HIPAA & HITECH TRAINING

Documents
OCR HIPAA Audit Readiness - isacantx.org Pre - OCR HIPAA Audit... · Page 2 OCR HIPAA Audit Readiness Introduction Basic components of HIPAA and HITECH legislation HITECH and rising

OCR HIPAA Audit Readiness - isacantx.org Pre - OCR HIPAA Audit... · Page 2 OCR HIPAA Audit Readiness Introduction Basic components of HIPAA and HITECH legislation HITECH and rising

Documents
HIPAA & HITECH: Why So Serious?

HIPAA & HITECH: Why So Serious?

Healthcare
HIPAA Risk Assessment · OMNIBUS FINAL RULE •On January 17, 2013, HHS released the Omnibus Final Rule (“Final Rule”) interpreting and implementing provisions of the HITECH Act

HIPAA Risk Assessment · OMNIBUS FINAL RULE •On January 17, 2013, HHS released the Omnibus Final Rule (“Final Rule”) interpreting and implementing provisions of the HITECH Act

Documents
HIPAA Security Policies & Procedures (HITECH & Omnibus updated) · 2019-10-15 · Supremus Group LLC 4261 E University Dr, 30-164, Prosper, TX 75078 Page 1 of 20 Why Create HIPAA

HIPAA Security Policies & Procedures (HITECH & Omnibus updated) · 2019-10-15 · Supremus Group LLC 4261 E University Dr, 30-164, Prosper, TX 75078 Page 1 of 20 Why Create HIPAA

Documents
Hitech changes-to-hipaa

Hitech changes-to-hipaa

Health & Medicine
HIPAA omnibus rule update

HIPAA omnibus rule update

Business
HIPAA Security Policies & Procedures (HITECH & Omnibus ... · 20/02/2003  · Developed by HIPAA compliance officer with practical knowledge of HIPAA compliance, security experts

HIPAA Security Policies & Procedures (HITECH & Omnibus ... · 20/02/2003  · Developed by HIPAA compliance officer with practical knowledge of HIPAA compliance, security experts

Documents
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

Health & Medicine
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)

MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series: HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1)

Health & Medicine
Hipaa hitech express slideshow 2013

Hipaa hitech express slideshow 2013

Technology
HIPAA HITECH E-Prescribing / E-Prescription

HIPAA HITECH E-Prescribing / E-Prescription

Health & Medicine
HIPAA HITECH training 7-9-12

HIPAA HITECH training 7-9-12

Health & Medicine
HIPAA/HITECH Update

HIPAA/HITECH Update

Documents
HITECH Modifications to HIPAA

HITECH Modifications to HIPAA

Documents
HIPAA-HITECH-MU Simplified

HIPAA-HITECH-MU Simplified

Documents
Whitepaper HIPAA Compliance...White Paper: HIPAA Compliance A GUIDE FOR COMPANIES USING AXCIENT SERVICES TO FACILITATE HIPAA AND HITECH COMPLIANCE. HIPAA & HITECH Overview The Health

Whitepaper HIPAA Compliance...White Paper: HIPAA Compliance A GUIDE FOR COMPANIES USING AXCIENT SERVICES TO FACILITATE HIPAA AND HITECH COMPLIANCE. HIPAA & HITECH Overview The Health

Documents
HIPAA AND HITECH EDUCATION

HIPAA AND HITECH EDUCATION

Documents
HITECH/HIPAA BA Checklist - Christiansen IT Lawchristiansenlaw.net/.../2013/06/CITL-HITECH-HIPAA-Ga… · Web viewHIPAA/HITECH Business Associates Gap Analysis Christiansen IT Laws

HITECH/HIPAA BA Checklist - Christiansen IT Lawchristiansenlaw.net/.../2013/06/CITL-HITECH-HIPAA-Ga… · Web viewHIPAA/HITECH Business Associates Gap Analysis Christiansen IT Laws

Documents
HITECH/HIPAA (privacy) 2013 Omnibus Final Ruleappealacademy.com/wp-content/uploads/2013/09/NCHIMA_Webinar… · • Prohibits use and disclosures of genetic information for underwriting

HITECH/HIPAA (privacy) 2013 Omnibus Final Ruleappealacademy.com/wp-content/uploads/2013/09/NCHIMA_Webinar… · • Prohibits use and disclosures of genetic information for underwriting

Documents
DO ASK BUT DON’T TELL HIPAA PRIVACY RULE. HITECH/OMNIBUS FINAL RULE HIPAA enacted in 1996; compliance required April 14, 2003 for the Privacy Rule and

DO ASK BUT DON’T TELL HIPAA PRIVACY RULE. HITECH/OMNIBUS FINAL RULE HIPAA enacted in 1996; compliance required April 14, 2003 for the Privacy Rule and

Documents
Lessons Learned from HIPAA Audits...Requires HHS to provide for periodic audits to ensure covered ... HIPAA/HITECH Act Omnibus Final Rule Not Finalized OMB has extended review of the

Lessons Learned from HIPAA Audits...Requires HHS to provide for periodic audits to ensure covered ... HIPAA/HITECH Act Omnibus Final Rule Not Finalized OMB has extended review of the

Documents
HIPAA HITECH POLICY · 2010. 8. 10. · HIPAA HITECH POLICY Effective March 1, 2010 OVERVIEW OF THE HIPAA HITECH ACT OF 2009 The Health Information Technology for Economic and Clinical

HIPAA HITECH POLICY · 2010. 8. 10. · HIPAA HITECH POLICY Effective March 1, 2010 OVERVIEW OF THE HIPAA HITECH ACT OF 2009 The Health Information Technology for Economic and Clinical

Documents