Released last week, the Health Insurance Portability and Accountability Act (HIPAA) final omnibus rule (available here) not only finalized proposed changes, but also included changes that the Department of Health and Human Services (HHS) says will expand HIPAA requirements to business associates of healthcare providers and any entity with which they subcontract.

With this final rule, HIPAA now covers the processors of health insurance plans and other service providers that handle protected healthcare information (PHI), including both contractors and subcontractors. PHI is protected health information as such term is defined in 45 C.F.R. 160.202.

The final rule defines “subcontractor” as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” 45 C.F.R. 160.202. The discussion of the final rule clarifies that a subcontractor is a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI.   According to the definition of "business associate" under the final rule, if a business associate subcontracts part of its function requiring access or use of PHI to another organization, that subcontractor is also subject to HIPAA."  45 C.F.R. 160.202.  There must be an agreement between the business associate and its subcontractor that contains the elements required to be included in business associate agreements and describes the subcontractor's permitted uses and disclosures of PHI (which may not include uses and disclosures not permitted to the business associate).” An example of this subcontractor relationship would be a third party administrator business associate that contracts with another party to shred and destroy documents containing PHI. 

Previously, the focus of HIPAA has been on covered entities themselves.  A "covered entity" is defined as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction subject to HIPAA. 45 C.F.R. 160.202. Under the final rule, covered entities must ensure that business associates, which now include subcontractors, protect "electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities." 45 C.F.R. 164. 308. Thus, every connected contractor and subcontractor must be responsible for each other and subcontractors are now directly liable to HHS for breaches. It is important to note that a covered entity is not liable for the actions of a subcontractor as there is no direct relationship between the entities.

Business associates (and therefore subcontractors as well) have until the Sept. 23, 2013 compliance date to comply with these new provisions. Keep checking the Barnes & Thornburg Healthcare blog in the upcoming weeks for more information on what subcontractors, and other business associates, can expect under these new regulations.