February 13, 2013. Today, we finish examining (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Here is the last of three parts of this paragraph:
“(3) Business associate includes: (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” [78 Federal Register 5688]
Predecessor Definition: The HIPAA Security Rule Organizational Requirements at 45 CFR 164.314(a)(2)(i)(B), requires the following:
“(a) Standard: Business associate contracts or other arrangements. (2) Implementation specifications (Required). (i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will– (B) Ensure that any agent, including subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it.” [www.ecfr.gov]
There is no specificity as to the nature of the agreement or requirements between a business associate and subcontractor with respect to the implementation of “reasonable and appropriate safeguards.”
Modified Definition: The Final Rule explicitly defines a subcontractor as a business associate, and modified 45 CFR 164.314(a)(2)(iii) provides for the following:
(a) Standard: Business associate contracts or other arrangements. (2) Implementation specifications (Required). “(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) [Business associate contracts] and (a)(2)(ii) [Other arrangements] of this section apply to the contract or other arrangement between a business associate and a subcontractor required by 164.308(b)(3) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.”
Under the Final Rule modified definition, we have specificity with respect to the agreement and requirements: implement the Security Rule as a business associate.
Under the Final Rule, the definition of subcontractor is added to 45 CFR 160.103: Definitions, and is as follows: “A subcontractor is a person to whom a business associate has delegated a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” [78 Federal Register 5689] Again, as a reminder, as also defined at 45 CFR 160.103, person means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”
The Final Rule goes on to clarify further: “A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.” … and ”makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor.” [78 Federal Register 5573]
As to “satisfactory assurances” that a subcontractor will appropriately safeguard protected health information, the Final Rule states: “[C]overed entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far ‘down the chain’ the information flows. This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions. For example, a covered entity may contract with a business associate (contractor), the contractor may delegate to a subcontractor (subcontractor 1) one or more functions, services, or activities the business associate has agreed to perform for the covered entity that require access to protected health information, and the subcontractor may in turn delegate to another subcontractor (subcontractor 2) one or more functions, services, or activities it has agreed to perform for the contractor that require access to protected health information, and so on. Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.” [78 Federal Register 5574]
Finally, in light of the discussion earlier this week with respect to transmission services and conduits having an impact on a person who may or may not be deemed a business associate, the Final Rule notes: “[T]he same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate. Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit also applies in the context of subcontractors as well.” [78 Federal Register 5574]
Here are several things to remember about subcontractors:
- Subcontractors are business associates to the extent they create, receive, maintain, or transmit protected health information.
- Subcontractors are not business associates of covered entities, but rather to another business associate.
- If a subcontractor discovers a breach, the subcontractor reports it up the line through the hierarchy of subcontractors, if applicable, to the business associate that is the contractor to the covered entity, and it is the business associate contractor that reports the discovered breach to the covered entity.
Tomorrow, we conclude the discussion of business associate by looking at four categories of persons in paragraph (4) that are excluded as business associates.