Recent Omnibus Rule Expands Reach of HIPAA

April 19, 2013

Published in the Portsmouth Herald

By now you may have heard the news about a number of changes on the horizon for the Health Insurance Portability and Accountability Act (“HIPAA”). Since the U.S. Department of Health and Human Services (“HHS”) released its final omnibus rule (the “Rule”) on January 17, 2013, the healthcare industry and those who provide services to them or on their behalf have been busy working on understanding and implementing the changes required by the Rule. HHS has promoted the new Rule as an enhancement of patient privacy protections and the government’s authority to enforce the law. One important way the Rule accomplishes this is by broadening the scope of those directly regulated by HIPAA.

As an example, imagine that a busy medical provider practice (one type of “covered entity” under HIPAA) contracts with an outside company to perform various practice management services on its behalf. As part of performing these services for the medical provider, the management company must receive and handle what is called “protected health information” about the practice’s patients, which is information that could be used to individually identify those patients. This fairly common arrangement makes the management company the “business associate” of the medical practice under HIPAA. Additional examples of common business associate functions performed on behalf of a HIPAA covered entity include claims processing, data analysis, utilization review, and billing. The new Rule affirms that business associates like the management company are directly liable under HIPAA for protecting patient information in the same way as the medical practices themselves, but also revises the definition of business associate so that it brings a wider field of entities under the HIPAA umbrella.

The Rule expands the reach of HIPAA by specifically designating three new categories of businesses that would be considered business associates under HIPAA: (1) health information organizations, e-prescribing gateways, or others that provide data transmission services with respect to protected health information and that require routine access to such protected health information; (2) those who offer a personal health record to one or more individuals on behalf of a covered entity; and, (3) subcontractors that create, receive, maintain, or transmit protected health information on behalf a business associate.

The Rule introduces “subcontractor” as a defined term under HIPAA and means a person or entity to whom a business associate delegates a function, activity, or service, but does not include members of the business associate’s own workforce. In our medical provider/practice management example, a subcontractor might be a third-party shredding company that the practice management company uses to securely destroy and dispose of paper and electronic media containing patient protected health information. When this happens, the new Rule makes sure that the protected health information that is further disclosed “downstream” to the shredding subcontractor is being protected. For example, the practice management company is required to enter into a business associate contract with the subcontractor shredding company to obtain reasonable assurances that the protected health information is only be used by the subcontractor as required by law or for the purposes for which it was disclosed to the subcontractor (i.e., destruction and disposal).

HHS explained in the preamble to the Rule that the intention of extending HIPAA to specifically cover subcontractors was to make sure that there is no lapse in the privacy and security protections of HIPAA merely because someone else is performing a function on behalf of a covered entity who may not have a direct relationship with the covered entity. As a result, entities like the third-party shredding company will now be subject to direct liability and civil monetary penalties under HIPAA if they fail to comply with numerous HIPAA requirements such as notifying covered entities in the event of a breach, complying with privacy and security rules for impermissible uses and disclosures of protected health information, or maintaining and implementing a written electronic security policy. The Rule became effective on March 26, 2013, but business associates and their subcontractors have, for the most part, 180 days (until September 23, 2013) to comply.

Kara Dowal is an attorney with McLane, Graf, Raulerson & Middleton, Professional Association. She can be reached at or at (603)628-1178. The McLane Law Firm is the largest full-service law firm in the state of New Hampshire, with offices in Concord, Manchester and Portsmouth as well as Woburn, Massachusetts.