Group health plans and their sponsors routinely rely on business associates with whom they want to be able to share “protected health information,” as defined by the Health Insurance Portability and Accountability Act of 1996.

Under HIPAA, covered entities, such as group health plans, health care clearinghouses and health care providers, must enter into “business associate” agreements with their vendors that have access to PHI.

When Congress passed the American Recovery and Reinvestment Act of 2009, it also enacted the Health Information Technology for Economic and Clinical Health Act (HITECH), which extends certain substantive HIPAA privacy and security provisions to business associates.

HITECH also tightens the rules relating to the minimum necessary disclosures of personal health information, imposes additional notice requirements in the case of security breaches and grants new enforcement powers to the states.

The Health and Human Services Department, which enforces HIPAA security and privacy laws, recently released guidance on what counts as “unsecured” information and a request for comments on breach notification under HITECH.

Amending third-party contracts

For employers whose health plans must comply with HIPAA privacy and security rules, HITECH means they will have to review and update contracts with business associates to ensure that the documents reflect the new privacy and security laws.

The changes introduced by HITECH will have enormous consequences for third-party vendors, such as benefits brokers and consultants, that act as business partners for self-funded group health plans and large, experience-rated insured plans.

Such vendors will need to take steps to conform to the substance of the HIPAA security standards. Compliance will, at a minimum, entail the adoption of physical, administrative and technical safeguards. This will include implementing security polices and procedures.

In the case of business associates, HITECH makes the following changes:

• Business associates are now subject to the substantive provisions of the HIPAA security rules generally in the same manner and to the same extent as covered entities

• Business associates must now enter into and abide by a business associate agreement (previously, the burden was on the covered entity to identify business associates and to obtain the necessary business associate agreements)

• Business associates are now subject to civil and criminal penalties for violation of these rules

• HHS is required to conduct periodic compliance audits of business associates as well as covered entities

The extent to which business associates might be subject to HIPAA’s privacy requirements is not clear. According to the conference’s committee report accompanying the legislation, the law “would apply the HIPAA Privacy Rule, the additional privacy requirements, and the civil and criminal penalties for violating those standards to business associates in the same manner as they apply to the providers and health plans for whom they are working.”

But the law does not do this. It instead requires business associates to comply with the privacy requirements added by HITECH, and imposes an obligation on business associates to cure breaches by the counter-party covered entity.

Security breaches

HITECH also calls for a series of notice requirements that apply to both covered entities and business associates in cases of a use or disclosure of “unsecured protected health information.”

Unsecured protected health information means PHI that is not secured through the use of a technology or methodology approved by HHS. A business associate that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” is required to notify the covered entity of the breach within 60 days of discovery.

When contact information is deficient or out of date, or when ten or more individuals are affected, HHS may require that notice be posted on the covered entity’s website, or even published in major print or broadcast media, and include a toll-free phone number. A public notice is mandated when 500 or more individuals are affected.

That the substance of new rules will apply to covered entities and business associates alike significantly raises the compliance bar for some health care vendors that, for the most part, were previously content to simply sign business associate agreements but do little else.

Hammering out details

Still, HIPAA privacy standards will depend on what federal regulators think Congress intended. Something more than current compliance levels will likely be required, but how much more is anyone’s guess.

For example, compliance might require written policies and procedures, workforce training and discipline, and periodic compliance reviews, among other things.

These new rules are generally effective at the beginning of 2010. Interpretive regulations will give both covered entities and their business associates a better sense of what is required. If the past experience with HIPAA compliance is any guide, however, it will be a busy year.

Alden J. Bianchi can be reached at

Register or login for access to this item and much more

All Digital Insurance content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access