The privacy and security regulations under the Health Information Portability and Accountability Act (HIPAA) have evolved into a long and winding regulatory road with more hurdles to come, as some of the rules are not yet promulgated.

Because this law unfolded in pieces, including its scope and applicability, there are many entities outside the health care industry that are (perhaps unwittingly) “on the hook” for HIPAA compliance, and their steadfast corporate counsel may have no idea either. 

Many Businesses (including Law Firms) Do Not Realize They Are Regulated by HIPAA

The final HIPAA omnibus rule came out in 2013, implementing changes that had been promulgated in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made some sweeping changes to HIPAA. Prior to the omnibus rule, affirmative compliance obligations and potential liabilities applied only to “covered entities,” which include health care providers and health plans, among other types of entities. “Business associates”—i.e., people or entities performing services to the covered entity or performing functions on the entity’s behalf involving protected health information (PHI)—were liable only contractually through the business associate agreements (BAAs) that HIPAA requires. 

The omnibus rule defined the term “business associate” to include any person or entity (other than those in the capacity of a member of the covered entity’s workforce) who creates, receives, maintains, or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA. The most significant expansion of the term was that now all subcontractors of business associates are also business associates. 

The omnibus rule thus dramatically expanded the definition of “business associate,” rendered business associates directly liable to the government for HIPAA violations, and obligated business associates to have affirmative HIPAA compliance programs. This affects lawyers in two ways: (1) all lawyers who represent covered entities as clients and receive PHI are business associates of those clients and must have their own internal compliance programs; and (2) lawyers who do not live and breathe HIPAA may be unaware that their clients outside the health care industry are in fact covered as business associates under the expanded definition in the omnibus rule and have affirmative compliance responsibilities to avoid penalties.

It is like a hall of mirrors: if your reflection shows up anywhere, comply with HIPAA. As a result, like “first-line” business associates, subcontractors are now directly responsible for complying with certain HIPAA privacy and security obligations. In other words, from a compliance perspective, there is no difference between “first-line” business associates and “downstream” subcontractors. Additionally, just like covered entities, business associates are required by the new rules to enter into BAAs with subcontractors prior to disclosing PHI.