On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its long-awaited final rule implementing the changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.  The omnibus final rule (available here) modifies many of the obligations applicable to covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Medical device manufacturers will be particularly interested in the changes affecting business associates.  A business associate is an entity that performs a function on behalf of a HIPAA covered entity (e.g., a provider, health plan, health care clearinghouse) involving the use or disclosure of individually identifiable health information (known as protected health information or “PHI”).  HHS has clarified in the past that medical device companies may be considered business associates when assisting covered entities with health care operations functions or performing them on their behalf, such as estimating cost savings a provider may expect form the use of a particular medical device, if that activity requires the use or disclosure of PHI.  When acting as a business associate, a medical device manufacturer must enter into a Business Associate Agreement (BAA) with its covered entity customer.

New Obligations on Business Associates.  Whereas previously a business associate had only contractual liability to a covered entity under the BAA, the HITECH Act made business associates directly subject to significant portions of HIPAA’s Privacy, Security, and Breach Notification Rules.  As a result, Business Associates now face civil and criminal penalties for failure to comply with HIPAA.

Business Associate Agreements.  The final rule addresses several changes to business associate agreements as a result of these new obligations.  Specifically, BAAs must be modified to require that business associates:

  • comply with the Security Rule with regard to electronic PHI;
  • report breaches of unsecured PHI to covered entities;
  • comply with the requirements of the Privacy Rule applicable to covered entities when carrying out their obligations; and
  • ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate.

Subcontractors.  The final rule allows a business associate to disclose PHI to a business associate that is a subcontractor, as long as the business associate enters into an appropriate business associate agreement with its subcontractor.   A subcontractor that enters into a business associate agreement with the primary business associate will be directly liable under HIPAA.

Timeline for Compliance.   The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply with most requirements.

HHS has allowed additional time for covered entities and business associates to revise their BAAs.  For BAAs in effect as of January 25, 2013, parties have until September 22, 2014, to modify the agreement, unless the parties renew or modify their current contracts between March 26, 2013 (date the final rules take effect) and September 23, 2013 (deadline for compliance with other provisions of the final rule).  In these circumstances, the BAA must be in compliance with the new rules by September 23, 2013.

Conclusion.  Medical device companies that operate as business associates should begin analyzing their business associate agreements and determine what amendments need to be made.   These companies should take steps immediately to ensure compliance with their new obligations, particularly those that are likely to be the most time-consuming, i.e., those obligations related to the security of electronic PHI, breach notification, and executing business associate agreements with subcontractors.

For more information on the new HITECH regulations, see our series of posts on our sister blog, InsidePrivacy.