Matthew Fischer is a partner in Sedgwick LLP’s San Francisco office. He focuses on intellectual property, media, data privacy and complex commercial litigation.
The long-awaited HIPAA Omnibus Final Rule (“Final Rule”), which primarily amends the HIPAA Privacy Rule, Security Rule and breach notification rules, went into effect on March 26, 2013, and its compliance date is fast approaching. Data centers and cloud providers serving the health care industry should take particular note: the Final Rule makes explicit that they are “business associates” under HIPAA and must therefore comply with all applicable privacy and security requirements.
The Final Rule expands the definition of “business associate” to include an entity that “creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.” While most data centers and cloud providers have operated under the assumption that they are considered business associates, the Final Rule leaves no doubt and explains in the preamble that “document storage companies maintaining [PHI] on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”
The changes broaden the definition of a business associate even further to encompass all subcontractors that create, receive, maintain or transmit PHI on behalf of a business associate. Thus, not only must data centers enter into a business associate agreement (“BAA”) with covered entities pledging to maintain adequate administrative, physical and technical safeguards to protect PHI, they must also enter into BAAs with their subcontractors, who in turn must now institute the same privacy and security measures. This obligation continues down the vendor chain to each further tier of subcontractors.
Under the Final Rule, business associates are directly liable for the following Privacy Rule violations, and for those of their subcontractors, even if they never entered into a BAA:
- Impermissible uses and disclosures of PHI;
- Failure to enter into a BAA with subcontractors;
- Failure to provide breach notification to the covered entity;
- Failure to provide access to a copy of electronic PHI to either the covered entity or the individual to whom it pertains;
- Failure to disclose PHI when required by HHS; and
- Failure to provide an accounting of disclosures of PHI upon request.
Covered entities and business associates that are considering contracting with data centers and cloud providers will carefully scrutinize whether their vendors have implemented adequate administrative, physical and technical safeguards as mandated by HIPAA. They also will likely require the disclosure of any vendors to which the business associate outsources those portions of its operations that involve PHI, in order to ensure that such subcontractors are HIPAA-compliant as well.
Establish a Part of the Business as HIPAA-Compliant
One cost-effective and practical option available to data centers and cloud providers is to make a select part of the business HIPAA-compliant and institute strict procedures to ensure that the receipt, maintenance or transmission of PHI occurs only within that compartmentalized, HIPAA-compliant part of the system; the value of this approach depends on the boundary actually holding, so PHI must be prevented from entering the non-compliant portion of the environment. Data centers and cloud providers should also have their own template BAA so they are not forced to accept a covered entity’s proposed BAA, which may contain onerous terms and obligations that are not even mandatory under HIPAA. Likewise, it is helpful to have a template subcontractor BAA in place that ensures protection from liability arising from vendors to which operations involving PHI have been outsourced.
The Office for Civil Rights (“OCR”), the enforcement arm of the Department of Health and Human Services (“HHS”), has significantly intensified its enforcement efforts and HIPAA compliance audits over the last few years, even going so far as to target small hospices. Civil monetary penalties range from $100 to $50,000 per violation, capped at $1.5 million per calendar year for violations of an identical provision. With the issuance of the Final Rule, many in the health care industry expect that OCR will begin to investigate business associates directly for non-compliance.
The September 23, 2013 compliance deadline for the Final Rule is right around the corner. Companies operating under BAAs that were in place before January 25, 2013, and that are not renewed or modified before the compliance date, may continue to operate under those agreements until September 22, 2014, after which they must conform to the Final Rule.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.