The Final HIPAA Rule: Conduits, Agents, and Subs -- Oh my!
On January 17, 2013, the Office for Civil Rights (“OCR”), Department of Health and Human Services, issued the long-awaited final rule: “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.” The final rule is effective March 26, 2013. Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013.
The final rule seeks to address OCR’s findings in carrying out Executive Order 13563, which required OCR to conduct a retrospective review of existing regulations to identify ways to reduce costs and increase flexibilities under HIPAA. The rule may or may not reduce costs, but the guidance provides more certainty for some businesses, and more flexibility for others, in interpreting privacy regulations that seemingly inhibited growth and development in the health care industry.
The rule clarifies that persons who undertake patient safety activities are BAs, as are organizations such as Health Information Organizations, E-prescribing Gateways, or Regional Health Information Organizations that provide data transmission of PHI to a CE or its BA and that require access on a routine basis to such PHI. As much as the rule offers certainty on these entities, however, it also offers room for argument, as OCR declined to define them with specificity.
Indeed, OCR declined to statically define any type of BA, emphasizing repeatedly the necessity of performing a factual analysis in uncertain situations, guided by principles designed to meet the overarching goals of HIPAA, HITECH and GINA. OCR first settled a topic of some debate at health lawyers’ conferences by acknowledging that mere conduits are not BAs.
The treatment of persons who undertake patient safety activities as BAs conforms to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b-21 et seq. PSQIA provides for the establishment of Patient Safety Organizations (“PSOs”) to receive reports of patient safety events or concerns from providers and to provide analyses of those events to providers. Such reports may include PHI. 42 CFR 3.10 et seq.
OCR declined requests for a more specific definition of “Health Information Organizations,” saying only that the term currently refers to organizations that govern health information exchange among organizations within a defined geographic area, but that as the industry evolves, the types of entities that fall within this definition may change.
I. The “Conduit Exception” Is Recognized and, In General, Conduits Are Not BAs
For years, many HIPAA pundits talked and acted as though the “conduit exception” was a figment of a lawyerly imagination – a hobgoblin of our own creation, to paraphrase a literary work usually saved for the holiday season we just left behind. Imaginative lawyers are vindicated: In the final rule, OCR emphasizes that “mere conduits” for the transport of PHI who do not access the information other than on a random or infrequent basis are not BAs.
However, the OCR cautioned that “[t]he conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.” That is, a “conduit” does not access PHI “other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.” This includes reviewing whether data transmitted is arriving at its intended destination. “In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity such as record locator services is not a conduit,” and is therefore a BA.
Accordingly, OCR preserved a fact-based analysis with regard to whether entities have more than “random” access to PHI and thus are BAs. On one end of the spectrum sit those entities that manage the exchange of PHI through a network or perform oversight and governance functions for electronic health information exchanges. These, the final rule establishes, are BAs because they have more than “random” access. However, where on the spectrum other businesses or activities lie depends on all relevant facts and circumstances – a test that makes the risk averse nervous while everyone else celebrates the joys of flexibility. OCR declined to define what it means to have “access on a routine basis,” saying such a determination “will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.”
OCR emphasized that whether an entity acts on its ability to access PHI is not determinative of whether the entity is a BA. OCR clarified, for example, that a records storage facility that maintains PHI on behalf of a CE is a BA “even if the entity does not actually view” the PHI, while a transmission service (digital or hard copy) that temporarily stores transmitted data is not even if it “peeks.” OCR explained that while transmission services have access equal to that of storage facilities, the difference between the two situations is the “transient versus persistent nature of that opportunity.”
If a test arises from all of this, it is one that asks not only whether the entity creates, receives, maintains, or transmits PHI, but also whether the entity has a persistent opportunity to access PHI, as opposed to a transient one. If the answer is yes, the entity is a BA without regard to whether it randomly, infrequently, or ever views the PHI. This is a new test.
II. Entities That Are Agents of CEs And of Other BAs Are Themselves BAs
The final rule also gives unprecedented credence to a fact-based agency theory for determining whether vendors are BAs. For example, OCR instructed that vendors are BAs when they contract with a CE to offer personal health records to one or more individuals on behalf of the CE. In contrast, OCR explained, if PHI is provided pursuant to an individual’s written authorization, then the vendor is not acting on behalf of the CE and is not a BA even if the vendor also has a contract with the CE governing the exchange of data. That is, the final rule indicates that the extent to which a vendor will be considered a BA depends on whether the vendor is acting like an agent of a CE in connection with the PHI at issue.
OCR justified its application of the Federal common law of agency by citing § 160.402(c), which references the Federal common law of agency, and reiterating its belief that “adopting the Federal common law to determine the definitions and application of these terms achieves nationwide uniformity in the implementation of the HIPAA Rules.” Nationwide uniformity, OCR said, furthers “the efficiency and effectiveness of the health care system as a whole.” Whether the 50 states would agree, or federal court judges for that matter, it is now therefore established: Federal agency law applies.
The agency test must always bow to the overarching definition of a BA of course, i.e., if an entity receives, maintains, or transmits PHI or has a persistent opportunity to access PHI, the entity is a BA. However, understanding the agency test is important to determining who is liable for whose failure to comply with HIPAA and the scope of responsibility. If agency is not analyzed, an entity may incorrectly believe it is not a BA because it did not agree to perform services that fall within the strict statutory definition of a BA. If agency is not considered, a person may perform services without having a BA agreement, which OCR may determine is unlawful because the person was acting as a CE’s agent. If a CE blames a vendor for a HIPAA violation but has no BA agreement with the vendor, the CE may want to hold the vendor liable on an agency theory.
OCR provided guidance on the federal common law of agency in its discussion of how a CE may be liable for the acts of a BA under § 160.402(c). Overall, OCR emphasized the importance of a fact-specific analysis, “taking into account the terms of a business associate agreement as well as the totality of the circumstances involved in the ongoing relationship between the parties.” More specifically, “[t]he essential factor in determining whether an agency relationship exists between a covered entity and its business associate … is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity.” According to OCR’s further tutelage, CEs, BAs, and vendors should analyze their relationships, determine their obligations, and draft their agreements based on the following principles:
(1) If the time, place, and purpose of the vendor’s conduct show that the vendor is under the control of a CE or BA, the vendor may be an agent;
(2) If the vendor engaged in a course of conduct that was subject to a covered entity’s control, the vendor may be an agent;
(3) If a vendor’s conduct is commonly performed by BAs to accomplish the service performed on behalf of a CE, the vendor may be an agent;
(4) If the CE or BA reasonably expected that the vendor would engage in the conduct in question, the vendor may be an agent;
(5) If the terms of the parties’ agreement states that the vendor “must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of the covered entity,” the vendor is an agent with regard to this activity;
(6) If a CE contracts out or delegates a particular obligation under HIPAA to the vendor, the vendor is probably an agent;
(7) If the type of service and skill level required to perform the service are such that the CE or BA would not have the expertise to provide interim instructions to the vendor regarding the service, the vendor is probably not an agent;
(8) If a CE is legally or otherwise prevented from performing the service or activity to be performed, the vendor is probably not an agent;
(9) If a contract between the parties sets terms and conditions that create contractual obligations such that the only avenue of control is for the CE to amend the terms of the agreement or sue for breach of contract, the vendor is probably not an agent;
(10) An agency relationship may exist even if a CE does not retain the right or authority to control every aspect of its business associate’s activities;
(11) An agency relationship may exist even if a covered entity does not exercise the right of control but evidence exists that it holds the authority to exercise that right;
(12) An agency relationship may exist even if a covered entity and its business associate are separated by physical distance (e.g., if a covered entity and business associate are located in different countries);
(13) The terms, statements, or labels given to parties (e.g., independent contractor) do not control whether an agency relationship exists – it is the manner and method in which a covered entity actually controls the service that decides the analysis.
Accordingly, a mere contract phrase to the effect that a vendor is not an agent will not make it so, will not help the vendor avoid obligations as a BA under HIPAA and HITECH, and will not protect a CE from responsibility for the vendor-BA’s conduct. As OCR stated, the analysis of whether a BA is an agent “will be fact specific and consider the totality of the circumstances involved in the ongoing relationship between the parties.”
OCR left little to the imagination of creative lawyers where an agency relationship exists. The final rule is crystal clear that a person or entity that creates, receives, maintains, or transmits PHI or performs a PHI-related service or delegated HIPAA obligation on behalf of another entity is a BA subject to the HIPAA Breach Notification Rule. Perhaps for emphasis, OCR asserted that these BAs are subject to HIPAA rules, “and not that of the FTC.”
The FTC governs “PHR-related entities.” Businesses are PHR-related entities if they interact with a vendor of personal health records either by offering products or services through the vendor’s website – even if the site is covered by HIPAA – or by accessing information in a personal health record or sending information to a personal health record. “Many businesses that offer web-based apps for health information fall into this category.” http://business.ftc.gov/documents/bus56-complying-ftcs-health-breach-notification-rule. Examples include apps that help consumers manage their medications or let them upload readings from a device like a blood pressure cuff or pedometer into a personal health record. The final rule does not change such PHR-related entities into BAs in all circumstances, emphasizing that consumers still control their own information. For example, the final rule does not change FTC guidance that if a site is simply available to consumers for inputting their own information in a way that does not interact with personal health records offered by a vendor, the site operator is not a PHR-related entity. Accordingly, for example, if the site “just allows consumers to input their weight each week to track their fitness goals,” the site operator is not a PHR-related entity, is not a BA, and is not subject to the breach notification rules. However, OCR makes it clear that where consumers are not in control – where a CE or BA ultimately controls the handling of the PHI – PHR-related entities become BAs, subject to HIPAA’s breach notification rule.
III. “Subcontractor” Is A New Term of Art, and Subcontractors Are BAs
The final rule also establishes that a person to whom a BA “delegates a function, activity, or service” other than someone acting as a member of the BA’s workforce, is indeed called a “subcontractor,” a neologism that caused angst in many a grammarian and raised the ire of lexicologists far and wide. More importantly, the final rule establishes that where the delegated function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information, the subcontractor is a BA.
Responding to commentators’ concern that this rule would require covered entities to contract with subcontractors, OCR underscored that BAs are the parties obligated to obtain satisfactory assurances that their subcontractors will safeguard PHI. “The final rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor.” See §§ 164.308(b)(1) and 164.502(e)(1)(i).
As a practical matter, CEs are very concerned when their BAs delegate obligations to unknown parties over whom the CEs have no control. Elaborate provisions are included in business associate agreements to ensure that BAs obtain covenants from subcontractors that PHI will be protected to the same extent required under the CE’s agreement with the BA. Almost acknowledging the need to continue this practice, OCR further opined: “[W]e believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.” (Emphasis added.)
The final rule seeks to ensure, perhaps above all else, “that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions.” Everyone “down the chain,” as OCR put it, from CE to BA to Subcontractor 1 to Subcontractors 2-5, and so on, and so on, and so on, must ensure that they comply with HIPAA and HITECH and that they obtain satisfactory assurances that the parties with whom they contract will comply with HIPAA and HITECH. Reading between the lines of the final rule, it is as if OCR shrugged and said, “there’s strength in numbers” or “the more the merrier.” Indeed, who can argue with such accepted wisdom?
Section 13408 of HITECH requires that data transmission organizations such as Health Information Organizations, E-prescribing Gateways, and Regional Health Information Organizations enter into “a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.”
OCR’s agency guidance references the Enforcement Rule preamble, 71 FR 8390, 8403-04.
For example, OCR instructed, a BA “that is hired to perform de-identification of protected health information for a small provider would likely not be an agent because the small provider likely would not have the expertise to provide interim instructions regarding this activity to the business associate.” In this situation, the BA would be directly subject to HIPAA and HITECH, but the CE would not be responsible for the BA’s conduct.
As OCR explained: “[A]n agency relationship would not likely exist when a covered entity is legally or otherwise prevented from performing the service or activity performed by its business associate [such as] accreditation functions performed by a business associate” that cannot be performed by a covered entity seeking accreditation, because a covered entity cannot perform an accreditation survey or award accreditation.