Final HIPAA Rule: Security Statutory Authority and Direct Regulation of Business Associates

February 4, 2013.  Today, we cover the security safeguards of the HIPAA Security Rule, as Modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

The statutory authority for applicability of the HIPAA Security Rule is in Section 13401 of the HITECH Act (123 STAT. 262):  Application of Security Provisions and Penalties to Business Associates of Covered Entities

(a) Application of Security Provisions.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.  The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) Application of Civil and Criminal Penalties.–In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 USC 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.

We focus on (a) in this post, and will discuss (b) later in this series of posts when we discuss Enforcement.

In general, the Final Rule's modifications to the HIPAA Security Rule follow the statutory language above:  business associates are directly regulated by the federal government in a manner similar to that of covered entities.  Previously, the business associate provided “satisfactory assurances” in the business associate contract, so enforcement was contractual via the covered entity rather than through direct federal regulation.  Today, we look at modifications to the definitions of administrative, physical, and technical safeguards.  Tomorrow, we look at the change in language in the administrative safeguards (a)(1)-(8), and Wednesday the change in language for administrative safeguard (b):  Business associate contracts and other arrangements.

First, the introductory texts of 164.308, 164.310, and 164.312, as noted above in (a) with respect to application, were changed to include “business associate,” so each reads the same:  “A covered entity or business associate, in accordance with 45 CFR 164.306:” where 164.306 is Security Standards:  General Rules.  We will cover modifications to 164.306 tomorrow.

Next, the language of the standards and implementation specifications for the Physical Safeguards (164.310) and Technical Safeguards (164.312) was not modified in the Final Rule, but the modification of the introductory text requires business associates to comply, and to document compliance, with them, as well as with the Administrative Safeguards (164.308), where in some standards “business associate” is included in the regulatory language, as we will show tomorrow.

Finally, the definitions of Administrative Safeguards and Physical Safeguards are modified to include “business associate,” whereas the Technical Safeguard definition is not modified.

Definitions (the modification in each of the first two is the added phrase “or business associate’s,” which was underlined in the original)

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.

Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Tomorrow, Security Standards:  General Rules and Administrative Safeguards (a).
