In January 2013, the United States Department of Health and Human Services (HHS) published a set of “omnibus regulations” under the Health Insurance Portability and Accountability Act (HIPAA). The Omnibus Rule amended the requirements for compliant business associate agreements and implemented various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH) as they pertain to the electronic handling of protected health information (PHI). Compliance with the rule was required as of September 2013, with a one-year transition period for business associate agreements that were already compliant under the prior rules. Accordingly, as of September 22, 2014, the omnibus requirements for business associates and subcontractors are in full force. Among the numerous new and amended provisions, two areas stand out: the addition of subcontractors (persons to whom a business associate delegates a function involving PHI, other than members of its own workforce) to the HIPAA framework, and the expansion of the regulations pertaining to electronic PHI (ePHI).
Under the new framework, HIPAA-compliant business associate agreements must be in place not only between covered entities and their business associates, but also between business associates and their subcontractors, and so on down the chain where a subcontractor in turn delegates work to another subcontractor. There is no independent requirement that a covered entity enter into a business associate agreement directly with its business associates’ subcontractors. The extension of the business associate requirements to subcontractors is accompanied by repeated HHS warnings that a covered entity can be held responsible for a subcontractor’s HIPAA failures, even where the subcontractor has no direct relationship with the covered entity and is connected to it only through a business associate.
In addition to requiring business associate agreements with subcontractors, the omnibus regulations require HIPAA-compliant agreements to include sufficient, specific protocols for the creation, transmission, and maintenance of electronic PHI, as well as a framework for the prompt and effective reporting of suspected HIPAA breaches among covered entities, business associates, and subcontractors. These requirements apply irrespective of whether electronic PHI is a routine part of each entity’s involvement or tasks.