April 25, 2022 - Scott R. Landau / Raquel Frier
On March 22, 2022, the Department of Health and Human Services (HHS) issued a guidance statement (GL-2022-03) to clarify covered entities’ obligation to ensure that their business associates comply with HIPAA regulations.
The need for clarification arose from various complaints alleging that HIPAA business associates were failing to comply with various HIPAA Administrative Simplification requirements – which are standards for electronic transactions, code sets, unique identifiers, and operating rules in an effort to reduce paperwork and streamline business processes across health care systems. With this clarification, it is now clear both that: (1) business associates are indeed required to comply with HIPAA administrative simplification requirements; and (2) covered entities can be held responsible for their business associates’ noncompliance with such requirements.
HIPAA Covered Entities and Business Associates
By way of background, HIPAA is a federal law that creates a set of national standards for the protection of certain health information. Only certain organizations, namely, “covered entities” and their “business associates” must comply with the HIPAA Privacy Rule.
HIPAA covered entities include health plans, health care clearinghouses, and health care providers who transmits any health information in electronic form in connection with a transaction for which a standard has been adopted. See 45 C.F.R. § 160.103. A HIPAA business associate is a person (including a partnership, corporation, or other public or private entity) that performs certain services or conducts transactions on behalf of a covered entity (excluding members of a covered entity’s workforce, who are not considered to be business associates). There are four types of HIPAA Administrative Simplification Standards. These requirements, also known as Electronic Data Interchange (“EDI”) Standards, are set forth in 45 C.F.R., Part 162, and: (1) regulate transactions for pharmacy and health care administrative information, including claims; (2) impose operating rules to support standard transactions; (3) require unique identifiers for health plans, providers, and employers; and (4) require code sets (which help classify medical diagnoses, procedures, diagnostic tests, treatments, equipment, and supplies) for clinical diagnoses and procedures. While the regulations state “covered entities” must comply with the administrative simplification standards,” they are silent on whether they apply to business associates. Hence the need for clarification by HHS.
Key Takeaways from the Guidance Statement
In the Guidance Statement, HHS made clear that business associates are indeed required to comply with HIPAA Administrative Simplification Requirements, even though business associates are not “covered entities.” This means that when a covered entity engages a business associate, such as an accountant, IT contractor, or billing company to conduct a transaction for which a standard has been adopted on behalf of the covered entity, the business associate, and any agents or subcontractors thereof, must also comply with the requirements, and that those requirements are not just applicable to covered entities (as had previously been believed by many).
HHS also concluded that covered entities are responsible if their business associates do not comply with applicable HIPAA Administrative Simplification Requirements. There are two takeaways from this guidance. First, covered entities are not relieved from compliance responsibility simply because they engage a business associate to provide services for, or on their behalf. Second, because a “business associate’s actions or inactions are imputed to the covered entity,” a covered entity can be held directly responsible for the failures of their business associates even if they themselves are in full compliance.
Given these clarifications, it is more critical than ever that covered entities not only ensure that they remain in compliance with HIPAA Administrative Simplification Requirements, but that their business associates do as well. Covered entities that have previously relied on business associates to meet certain requirements so that they do not have to will no longer be able to do so, and may face HIPAA enforcement exposure if they or their business associates fail to comply with the rules.
How can we help
AEL are expert healthcare lawyers who have significant experience with HIPAA compliance issues. Read more about our Healthcare Regulatory & Compliance Counseling and Data Privacy & Security Practice Areas. Scott R. Landau is a partner and Raquel Frier is an associate of the Firm. If you are a covered entity such as a health plan, health care clearinghouse, or health care provider, or are a business associate to covered entities, we can help you navigate the HIPAA regulations and avoid noncompliance. If you have any questions please reach out to us.