7x24 Exchange 2014 Spring Magazine - page 70

Who is Subject to HIPAA and Where do Information Technology Vendors Fit?
Broadly speaking, HIPAA applies to entities and individuals handling or otherwise having access to "protected health information" (PHI). More specifically, "covered entities," "business associates" and their "subcontractors" are subject to HIPAA compliance. The three terms are defined in the HIPAA Rules.[8]
Put simply,
• 'covered entities' are healthcare providers, health plans, and healthcare clearinghouses (referred to in this article simply as healthcare providers);
• 'business associates' are entities that provide services to covered entities and create, receive, maintain, or transmit PHI; and
• 'subcontractors' are those entities that provide services to business associates and create, receive, maintain, or transmit PHI.
PHI is defined broadly to encompass any information that allows someone to link an individual with (i) his or her physical or mental health condition, (ii) the provision of healthcare services, or (iii) the payment for healthcare services.[9]
Depending on where information technology (IT) vendors fall in the scheme of a particular transaction, they will be either business associates or subcontractors. In the Omnibus Rule, HHS made clear that 'business associate' includes entities that maintain PHI, "even if the [entities do] not actually view the PHI."[10] But not all IT vendors are subject to HIPAA compliance. Some qualify for the so-called 'conduit exception,' when the vendor "transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law."[11]
The conduit exception is narrow and "is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services."[12]
In distinguishing conduits from other IT vendors, HHS specifically advised that "a data storage company that has access to [PHI] (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis."[13] As such, data centers and most other IT vendors that touch on PHI in performing services for healthcare providers or their business associates are subject to HIPAA compliance.
Direct Enforcement and Financial Responsibility
The Office for Civil Rights (OCR) is a component of the Department of Health and Human Services (HHS). OCR serves as the federal enforcer of HIPAA for all civil remedies. While rarely used, HIPAA does include criminal provisions, which are enforced by the Department of Justice (DOJ). Further, the HITECH Act granted permission to the State Attorneys General to enforce HIPAA on behalf of their citizens as parens patriae.
Prior to the HITECH Act, business associates and subcontractors were not subject to direct enforcement. Instead, their obligations arose solely under the contractual terms of an agreement commonly called the "Business Associate Agreement" (BAA). As such, business associates and subcontractors were only subject to contractual remedies for breach of the BAA. But, as a result of the HITECH Act, business associates and subcontractors are now subject to direct enforcement by OCR, the DOJ and the State Attorneys General.
More importantly, however, covered entities are financially responsible for the HIPAA violations of their business associates, and business associates are financially responsible for the HIPAA violations committed by their subcontractors. HHS clarified these obligations in the Omnibus Rule:

A covered entity [or business associate, as applicable,] is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity [or business associate, as applicable], including a workforce member or business associate [or subcontractor, as applicable], acting within the scope of the agency.
As a result, covered entities and business associates have a strong interest in ensuring that those they engage to provide services can meet both the requirements of the HIPAA Rules and any indemnification provisions.
The civil penalty provisions are tiered, with the penalty amount increasing with the organization's level of knowledge regarding a particular violation (i.e., culpability) and whether the violation was corrected in a timely fashion.
The HHS Secretary has a broad amount of discretion in imposing civil monetary penalties. However, HHS made clear in
14