This is a big deal, says Kate Borten, president of the Marblehead Group, a Massachusetts-based health information security consultancy. If the proposed language stays in the final rule, then the "chain of trust" between organizations handling PHI, envisioned in the HIPAA security rule when first proposed in 1998, finally will be in place, she contends.
The new proposed rule, available on the Federal Register's Public Inspection Desk and being published on July 14, would amend the definition of business associates "to provide that subcontractors of a covered entity--i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate's workforce, are also business associates to the extent that they require access to protected health information."
The proposed modifications are similar in structure and effect to the privacy and security rules' initial extension of privacy protections from covered entities to business associates through contractual requirements to protect downstream information, according to the proposed rule. "The proposed provisions avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity."
Allowing such a lapse may enable business associates to avoid liability and circumvent congressional intent, federal officials argue in the proposed rule. "The proposed definition of 'subcontractor' also is consistent with Congress' overall concern that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information in order for the covered entity to perform its health care functions."
Consequently, the rule proposes "that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance."
The net effect, consultant Borten says, is that both business associates and their subcontractors would be treated as business associates under the proposed rule. That takes the HITECH Act extension of responsibility and liability to all the contractors and subcontractors who handle PHI.
The rule would require business associates to obtain "satisfactory assurances" from subcontractors that they will comply with applicable requirements of the privacy and security rules. The term "satisfactory assurances," Borten adds, is code for a business associate contract. So contracts with subcontractors will have to have all the language and requirements of a business associate contract with a covered entity.
Requirements of business associates and their subcontractors to protect information was a gaping hole in the security rule that some business associates exploited to share, give or sell data in ways "completely contradictory" to the privacy rule, Borten believes. Congress sought to plug the hole via the HITECH Act, which authorized the new proposed rule. In the rule, the Department of Health and Human Services now is pushing further to touch all those who touch protected health information, which meets congressional intent, she adds.
This article can also be found at HealthDataManagement.com.
Joseph Goedert is news editor at Health Data Management.