Last week, the Department of Justice (“DOJ”) announced the launch of its Civil Cyber-Fraud Initiative (“the Initiative”), aimed at combating “new and emerging cyber threats to the security of sensitive information and critical systems,” specifically by using the False Claims Act to hold federal contractors and federal grant recipients accountable for their cybersecurity obligations. The Initiative will be led by the Civil Division’s Commercial Litigation Branch – Fraud Section.

The False Claims Act imposes liability on persons and entities that defraud governmental programs. The Initiative will hold persons and entities accountable, via the False Claims Act, for several cybersecurity-related practices, including: 1) putting U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, 2) knowingly misrepresenting cybersecurity practices or protocols, and 3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Lisa O. Monaco in her announcement of the Initiative.

Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fiscal and public trust.

As detailed in Deputy Attorney General Monaco’s announcement, benefits of implementing the Initiative will include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

Notably, that same day, the DOJ also announced a second cybersecurity-related initiative, the National Cryptocurrency Enforcement Team (“the Team”), which will address activities by entities such as virtual currency exchanges that misuse cryptocurrency for criminal activity, including ransomware attacks. The Team, in addition to prosecuting such violations, will help recover lost cryptocurrency payments, including those made to ransomware groups.

The DOJ is strategically increasing focus on cybersecurity, as the Biden Administration makes cybersecurity a top priority. The U.S. government has continued to ramp up efforts to strengthen its cybersecurity in the past year, and we can expect states to continue to legislate and regulate in this area. Businesses across all sectors will likely experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

Federal contractors know all too well that the list of annual requirements and obligations can seem overwhelming at times. One that may get overlooked by some is annual training requirements. A fairly new such training requirement went into effect in 2017 – it requires certain federal contractors to provide annual data privacy training.

According to the U.S. General Services Administration (“GSA”), for example, its agency-wide and role-based training offerings cover the GSA’s policies on protecting personally identifiable information (“PII”). The GSA requires all employees and contractors to complete privacy and security awareness training upon employment and each year thereafter. Importantly,

GSA account holders must complete this training in order to maintain access to the agency’s IT systems and resources such as email, Google Drive and other IT resources.

The current political landscape (President Biden has announced a heightened focus in this area, including plans for $10B of investment in government cyber and IT infrastructure), the COVID-19 pandemic, during which many federal contractors are receiving large amounts of sensitive information, and recent high-profile data security incidents involving the U.S. government, like SolarWinds, provide further reasons to support a business imperative to bolster the privacy and security awareness of your workforce. Therefore, we recommend following the steps below to ensure your teams are trained in this critical area.

  1. Identify if requirements apply, and who needs training

In general, annual privacy training is required for any federal contractor employee who accesses, processes, or handles PII on behalf of a government agency. This includes contractor employees who have access to any system of government records, or who assist in designing, developing, maintaining, or operating a system of records. Prime contractors are required to flow down these privacy training requirements to their subcontractors.

PII is defined in this regulation as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

Per the FAR, as noted above, contractor employees may not have access to PII unless they have had the required privacy training.

  2. What must training include

Per the FAR, training must address:

  • The contractor’s policies and procedures for processing and safeguarding of PII;
  • The provisions of the Privacy Act of 1974, including penalties for violations of the Act;
  • The authorized and official use of a system of records;
  • The restriction on the unauthorized use, handling, disclosure, or access of PII or a system of records; and
  • The procedures to follow in the event of a suspected or confirmed breach of a system of records or PII.

  3. Understanding the requirements

A one-size-fits-all training likely will not be sufficient as the FAR requirements are described as “role based” and should be appropriate for different levels of employees. There should also be measures in place to test the knowledge of users. Contractors must also maintain and be able to provide documentation regarding the completion of the privacy training upon the request of their Contracting Officers.

  4. Format of training

Contractors may provide their own training to employees, except in the limited cases where an agency requires that certain training be utilized. Contractors can develop the content internally or use a third-party vendor or firm to do the training. Jackson Lewis provides this type of training to many of our government contractor clients.

  5. Recommended next steps for Government Contractors

  • Determine if your employees have access to PII as part of a government contract.
  • Review privacy procedures and policies to confirm compliance with training requirements.
  • If you are not currently training your employees in compliance with FAR 52.224-3, implement a training program for employees handling PII.
  • Review subcontracts, as the privacy training requirements also apply to subcontractors.
  • Reach out to your local Jackson Lewis office with any questions.

During the California Consumer Privacy Act’s (“CCPA”) amendment process prior to enactment, personal information in the employment context was highly contested and has continued to be a point of deliberation even after the CCPA’s effective date of January 1, 2020. The CCPA excludes certain employment-related personal information from most of the act’s requirements until January 1, 2021. This exemption was extended by the California Privacy Rights Act (“CPRA”) (a ballot measure supported last week by a strong majority of California voters) until January 1, 2023.[1]

Under the CCPA, unlike consumers generally, employees, applicants, and independent contractors may not request: the deletion of their personal information; to opt out of the sale of their personal information; or information concerning the categories of personal information collected, the sources from which personal information is collected, the purpose for collecting or selling personal information, or the categories of third parties with whom the business shares their personal information. Additionally, prior to the CPRA, employees, applicants, and independent contractors did not have anti-discrimination/retaliation rights under the law.

Anti-Discrimination/Retaliation Provision

The CPRA expands the existing anti-discrimination rights to employees, applicants, and independent contractors.  Section 1798.125 (a)(1)(E) states that “[a] business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights…including…retaliating against employee, application for employment, or independent contractor…”

Thus, although employees, applicants and independent contractors are temporarily excluded from most of the CCPA’s protections, two areas of compliance presently remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for a subset of personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

In light of the expansion of this provision, employers now cannot discriminate and/or retaliate against employees, applicants, and independent contractors exercising their rights to: i) receive a notice at collection concerning their personal information, and ii) file a private right of action following a data breach involving their personal information caused by the failure of the employer to maintain reasonable safeguards. Additionally, if the CPRA is not amended to extend the exemption beyond December 31, 2022, employees, applicants and independent contractors will receive full rights under the CCPA. If so, on and after January 1, 2023, employers subject to the CCPA will not be able to discriminate against their California employees if they decide to exercise their right to know, right to delete, right to opt out, as well as the new CPRA rights – to restrict disclosures and to correct personal information.

We will continue to update the status of the CPRA, its enforcement and any amendments to its current version.

[1] Prior to the passage of Prop 24 (CPRA), Governor Gavin Newsom signed AB1281 extending the exemption until January 1, 2022.


Earlier this month, our Immigration Group colleagues reported that the Department of Homeland Security (DHS) would release a new regulation to expand the collection of biometric data in the enforcement and administration of immigration laws. However, as reported by Roll Call, a DHS Inspector General report raised significant concerns about whether the Department is able to adequately protect sensitive biometric information, particularly with regard to its use of subcontractors. The expanded use of biometrics outlined in the Department’s proposed regulation, like the increased use of biometric information such as fingerprints or facial recognition by private organizations, heightens the risk to such data.

The amount of biometric information maintained by DHS is already massive. The DHS Office of Biometric Identity Management maintains the Automated Biometric Identification System, which contains the biometric data repository of more than 250 million people and can process more than 300,000 biometric transactions per day. U.S. Customs and Border Protection (CBP) is mandated to deploy a biometric entry/exit system to record arrivals and departures to and from the United States, with the long-term goal to biometrically verify the identity of all travelers exiting the United States and ensure that each traveler has physically departed the country at air, land, and sea departure locations.

In 2018, CBP began a pilot effort known as the Vehicle Face System (VFS) in part to test the ability to capture volunteer passenger facial images as they drove by at speeds under 20 mph and the ability to biometrically match captured images against a gallery of recent travelers. DHS hired a subcontractor to assist with the development of the technology.

According to the inspector general’s report, DHS has a range of policies and procedures to protect biometric information, which it considers sensitive personally identifiable information (SPII). Among those policies, DHS’ Handbook for Safeguarding Sensitive PII, Privacy Policy Directive 047-01-007, Revision 3, December 2017, requires contractors and consultants to protect SPII to prevent identity theft or other adverse consequences, such as privacy incidents, compromise, or misuse of data.

Despite these policies, the DHS subcontractor engaged to support the pilot directly violated DHS security and privacy protocols when it downloaded SPII, including traveler images, from an unencrypted device and stored it on its own network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the subcontractor’s network was subjected to a malicious cyberattack involving ransomware resulting in the compromise of 184,000 facial images of cross-border travelers collected through a pilot program, at least 19 of which were posted on the dark web.

As one of our 10 Steps for Tackling Data Privacy and Security Laws, “Vendors – trust but verify” is critical. For DHS, its failure to do so may damage the public’s trust resulting in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry. Non-governmental organizations that experience a similar situation with one of their vendors face an analogous loss of trust, as well as adverse impacts on business, along with compliance enforcement and litigation risks.

Among the recommendations CBP made following the breach were to ensure implementation of USB device restrictions and to apply enhanced encryption methods. CBP also sent a memo requiring all IT contractors to sign statements guaranteeing compliance with contract terms related to IT and data security. Like DHS, more organizations are developing written policies and procedures following risk assessments and other best practices. However, it is not enough to prepare and adopt policies; implementation is key.

A growing body of law in the United States requires not only the safeguarding of personal information, including biometric information, by organizations that own it, but also by the third-party service providers that process it on behalf of the owners. Carefully and consistently managing vendors and their access, use, disclosure, and safeguarding of personal information is a critical part of any written information security program.

During a presentation at the Professional Services Council Federal Acquisition Conference on June 13, 2019, a high-ranking Department of Defense (“DoD”) official announced, with dramatic flair, that cybersecurity is an allowable cost:

“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington [Special Assistant to the Assistant Secretary of Defense for Cyber] . . . security is an allowable cost. Amen, right?”

Channeling Jerry Maguire, Arrington added: “Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.’”

Arrington’s June 13 presentation, which was titled “Securing the Supply Chain,” is just the latest indication that the DoD – like other federal and state agencies – is making the cyber hygiene of its contractors a priority. (Some of our previous posts on this topic are available here.)

During a webinar earlier this month, Arrington noted that, “[i]f we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base [(“DIB”)] doesn’t have robust cyber hygiene. Only 1% of DIB companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Arrington, who appears to be actively involved in the DoD’s development of a cybersecurity assessment and certification program, called the Cybersecurity Maturity Model Certification or CMMC, provided additional details about that program during her June 13 presentation. Specifically, Arrington announced that:

  1. The CMMC will include five levels of certification. The levels will range from “basic” cyber hygiene to “state-of-the-art.”
  2. The CMMC initiative will require DoD contractor information systems to be certified compliant by an outside auditor. Under the new model, third-party cybersecurity certifiers will “conduct audits, collect metrics, and inform risk mitigation for the entire supply chain,” Arrington said. “Every contract that goes out,” she added, “will have a requirement and every vendor on that contract will have to get certified.”
  3. The DoD will hold 12 listening sessions across the country this summer to solicit feedback about the CMMC from industry and other experts.
  4. The DoD aims to complete the CMMC and begin certifying vendors by January 2020; to begin incorporating the CMMC requirements into requests for information by June 2020; and to include the CMMC in solicitations by September 2020.

Driving home her key point that the cybersecurity of its vendors is a major priority for the DoD, Arrington stated that “[c]ost, schedule and performance are only effective in a security environment.” She added that “[w]e cannot look at security and be willing to trade off to get lower cost, better performing product or to get something faster. If we do that, nothing works and it will cost me more in the long run.”

DoD contractors should heed Arrington’s warning that cost, schedule, and performance will not alone suffice to win future DoD contracts. To best position themselves to compete for those contracts, contractors should consider providing feedback to the DoD this summer about the CMMC, and should promptly begin the process of preparing to comply with its mandates.


On January 3, 2017, the Obama Administration issued a memorandum to all executive departments and agencies setting forth a comprehensive policy for handling breaches of personally identifiable information (the “Memorandum”), replacing earlier guidance. Importantly, the Memorandum also affects federal agency contractors as well as grant recipients.

The Memorandum is not the first set of guidance to federal agencies and departments for reporting breaches of personally identifiable information (PII), but it establishes minimum standards going forward (agencies have to comply within 180 days from the date of the Memorandum). The Memorandum makes clear that it is not setting policy on information security or on protecting against malicious cyber activities and similar activities, topics related to the recent fiery debates concerning the 2016 election results and Russian influence.

The Memorandum sets out a detailed breach response policy covering topics such as preparedness, establishing a response plan, assessing incident risk, mitigation, and notification. For organizations that have not created a comprehensive breach response plan, the Memorandum could be a helpful resource, even for those not subject to it. But it should not be the only resource.

Below are some observations and distinctions worth noting.

  • PII definition. Unlike most state breach notification laws, the Memorandum defines PII broadly: information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. So, for example, the notification obligation for a federal contractor will not just apply if Social Security numbers or credit card numbers have been compromised.
  • Breach definition. Breaches are not limited to phishing attacks, hackings or similar intrusions. They include lost physical documents, sending an email to the wrong person, or inadvertently posting PII on a public website.
  • Training. Breach response training must be provided to individuals before they have access to federal PII. That training should advise the individuals not to wait for confirmation of a breach before reporting to the agency. A belief (or hope) that one will find that lost mobile device should not delay reporting.
  • Required provisions in federal contracts. Federal contractors that collect or maintain federal PII or use or operate an information system for a federal agency must be subject to certain requirements by contract. The Memorandum requires agencies to update their contracts with contractors to ensure the contracts contain certain provisions, such as requiring contractors to (i) encrypt PII in accordance with OMB Circular A-130, (ii) train employees, (iii) report suspected or confirmed breaches, (iv) be able to determine what PII was or could have been accessed and by whom, and identify initial attack vectors, and (v) allow for inspection and forensic analysis. Because agencies must ensure these provisions are uniform and consistent in all contracts, negotiation will be difficult. The Federal Acquisition Regulatory Council is directed to work with the Office of Management and Budget to promptly develop appropriate contract clauses and regulatory coverage to address these requirements.
  • Risk of harm analysis. Agencies will need to go through a complex risk of harm analysis to determine the appropriate breach response. Notably, encryption of PII is not an automatic exception to notification.
  • Notification. The rules for timing and content of breach notification are similar to those in many of the state breach notification laws. The Memorandum also advises agencies to anticipate undeliverable mail and to have procedures for secondary notification, something not clearly expressed in most state notification laws. The Memorandum also suggests website FAQs, which can be more easily updated and tailored. Agency heads have ultimate responsibility for deciding whether to notify. They can consider over-notification and should try to provide a single notice to cover multiple notification requirements. They also can require contractors to provide notification following contractor breaches.
  • Tabletop Exercises. The Memorandum makes clear that testing breach response plans is essential and expressly requires that tabletop exercises be conducted at least annually.

Federal contractors and federal grant recipients that have access to federal PII will need to revisit (or develop) their own breach response plans to ensure they comply with the Memorandum, as well as the requirements of the applicable federal agency or department which can be more stringent. Of course, those plans must also incorporate other breach response obligations the organizations may have, whether those obligations flow from other federal laws (e.g., HIPAA), state laws, or contracts with other entities. Putting aside presidential politics, cybersecurity threats are growing and increased regulation, enforcement and litigation exposure is likely.

Government contractors have a wide range of unique challenges (find out more about these here), not the least of which is data security. A good example is the interim rule the Department of Defense (DoD) issued last month that implements sections of the National Defense Authorization Act for Fiscal Years 2013 and 2015. In short, these provisions expand the incident reporting requirements for contractors and increase the security requirements for cloud service providers.

The Secretary of Defense determined that “urgent and compelling” reasons exist to issue the interim rule without prior opportunity for public comment. There is an urgent need to protect covered defense information and to increase awareness of the full scope of cyber incidents being committed against defense contractors. The use of cloud computing has greatly increased, according to the Secretary, and has increased the vulnerability of DoD information. The recent high-profile breaches of Federal information also influenced this determination. It is easy to see how similar considerations will influence other federal and state agencies to tighten their data security requirements on their contractors and subcontractors.

The hope here is that the rule will increase the cybersecurity of DoD information on contractor systems, help to mitigate risk, and gather information for the development of future improvements in cybersecurity. Note that the DoD will consider public comments to the interim rule before issuing the final rule. Comments must be submitted on or before October 26, 2015 to be considered.

Incident Reporting Highlights

  • Contractors and subcontractors must report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing on that system, or on a contractor’s ability to provide operationally critical support.
  • A “cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. A “compromise” is the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
  • Rapid reporting is required – this means within 72 hours of discovery of a cyber incident.
  • The DoD recognizes that the reporting may include the contractor’s proprietary information, and will protect against the unauthorized use or release of that information.
  • The reporting of a cyber incident will not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to adequately safeguard covered defense information.

Cloud Computing Highlights

  • Contracts for cloud computing services may be awarded only to providers that have been granted provisional authorization by the Defense Information Systems Agency, at the appropriate level.
  • Cloud computing service providers must maintain government data within the 50 states, the District of Columbia, or outlying areas of the United States, unless physically located on DoD premises. Government data can be maintained outside the U.S. upon written notification from the contracting officer.
  • Government data means any information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the government in the course of official government business.
  • Purchase requests for cloud computing service must, among other things, describe government data and the requirement for the contractor to coordinate with the responsible government official to respond to any “spillage” occurring in connection with the services. Spillage happens when a security incident results in the transfer of classified or controlled unclassified information onto an information system not authorized for the appropriate security level.

Defense contractors and their subcontractors will need to review the interim rule carefully and make adjustments. Of course, the focus here is not solely on personally identifiable information, but the same principles apply. Maintaining a well-thought-out and practiced incident response plan is critical.

In June, Connecticut’s governor signed into law Senate Bill 949, which amended the State’s breach notification statute. The requirement that covered businesses must provide one year of identity theft protection services for certain breaches, easily the most publicized aspect of the legislation, may have diverted attention from some significant aspects of this new law. Senate Bill 949 established expansive data security requirements for entities contracting with state agencies and for entities in the health insurance and administration business (e.g., health insurers, pharmacy benefits managers, and third-party administrators). See a more complete discussion of the law here, and some highlights below.

Contractors Must Implement a Data Security Program

Entities that have contracts with the state and receive “confidential information” from state agencies are required to implement and maintain a “comprehensive data-security program,” including the use of security policies, annual reviews of such policies, access restrictions, and mandatory security awareness training for employees beginning July 1, 2015.

Some of the requirements include:

  • Policies must restrict access to confidential information only to authorized employees.
  • There must be security and breach investigation procedures.
  • The data security program must be reviewed annually.
  • When applicable, contractors must provide the state Attorney General and the contracting agency a report detailing breaches or suspected breaches, including mitigation plans or why the contractor believes no breach occurred.
  • Contractors cannot store confidential information on stand-alone computers or notebooks or portable storage devices, such as USB drives. This provision has limited exceptions.
  • Contractors may not copy, reproduce, or transmit confidential information except as necessary to complete the contracted services.

Because of the way many businesses perform their services today (e.g., utilizing flash drives and allowing employees to work from home, perhaps with their own computers), the new mandates may require significant changes in current practices. Contractors that are “business associates” of a state agency as defined under HIPAA may have to do more than comply with the HIPAA privacy and security regulations, and should revisit their HIPAA policies and procedures to ensure compliance with the state mandates. The contracts themselves also could impose additional security obligations.

Health Insurance Businesses Must Step Up Data Security

Beginning October 1, 2017, any health insurer, health care center, pharmacy benefits manager, third-party administrator, utilization review company, or entity that is licensed to do health insurance business in Connecticut must implement and maintain a “comprehensive information security program to safeguard the personal information of insureds.” Examples of the safeguards the program must include are:

  • secure computer and Internet user authorization protocols;
  • secure access control measures that include, but are not limited to, restriction of access to personal information only to those who require such data to perform their job duties, passwords that are not default passwords and are reset at least every six months, encryption of all personal information while being transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a laptop computer or other portable device, and monitoring of company security systems for breaches of security;
  • designation of one or more employees to oversee the security program;
  • identification and assessment of reasonably foreseeable internal and external risks to the security of the personal information; and
  • annual review of the scope of the secure access control measures.

Many of these entities either are covered entities or business associates under HIPAA. They should take note, however, that some of these new requirements could go beyond basic HIPAA regulatory mandates. For example, the Connecticut law requires passwords be changed at least every six months. The Connecticut law also requires encryption of all personal information while being transmitted on a public Internet network or wirelessly and when stored on a laptop or other portable device. Beginning October 1, 2017, covered health insurance businesses must certify annually to the Insurance Department, under penalty of perjury, that they maintain a comprehensive information security program that complies with the law’s requirements.

Implications

Businesses covered by the new requirements must take stock of their current operations, policies, and procedures to determine whether they are in compliance. The law also has implications beyond the businesses to which it applies directly. Consider professional service providers working with covered state contractors or health insurance businesses. Their services might involve the need to access the same confidential information triggering these requirements. These and similarly situated businesses will need to be prepared.

Getting compliant will take time and should follow careful assessment and analysis. Turning this task over entirely to the company’s “IT guy” is likely not the best approach. The role of IT is no doubt critical, but these mandates require consideration of administrative and physical safeguards, as well as technical safeguards. They envision careful assignment of access to personal data based on particular need. They seek broad awareness of the safeguards throughout an organization, accomplished through training and other measures. They mandate incident response planning, a function involving key decision makers in an organization so they know what to expect and their responsibilities in the event of a breach. They require organizations to obligate their third-party service providers to adhere to similar standards. In short, they contemplate a wholesale, enterprise-wide, regularly reviewed approach to securing confidential information that changes and develops with the organization.


Under the HITECH Act, business associates are subject to the HIPAA privacy and security rules (the "HIPAA Rules") virtually to the same extent as covered entities. In addition to implementing this change for business associates ("BAs"), and providing additional guidance concerning what entities are business associates, the final HIPAA regulations issued last week also treat certain subcontractors of BAs as BAs directly subject to the HIPAA Rules. As a result of some of these changes, covered entities and BAs need to re-examine the relationships with their subcontractors to ensure they obtain the appropriate satisfactory assurances concerning the "protected health information" (PHI) they make available to those subcontractors.

Below are some of the key points from the final regulations concerning BAs and subcontractors:

  • Subcontractors. The final HIPAA regulations provide that subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA are business associates. This is a significant expansion of the application of the HIPAA Rules; it makes subcontractors directly liable under the HIPAA Rules.

As a result of this change, just as covered entities need to ensure that they obtain satisfactory assurances concerning compliance with the HIPAA Rules (usually in the form of a business associate agreement, BAA) from their BAs, BAs must do the same with regard to certain subcontractors. This must continue no matter how far “down the chain” the PHI flows.

  • Business Associate Agreement Not Necessary to Establish Status as Business Associate. The final HIPAA regulations confirm that persons and entities that meet the definition of a BA have that status regardless of whether a "business associate agreement" is in place.
  • Data Storage Companies. Entities that maintain PHI (digital or hard copy) on behalf of a covered entity are BAs, "even if [they] do not actually view the [PHI]." This provision may create significant compliance issues for cloud service providers, as well as hard copy document storage companies, that have access to the records of their clients but may never look at them. The conduit exception is a narrow one and applies only to transmissions of data, not storage.
  • Certain Groups Not Considered Business Associates.
    • Researchers generally are not considered BAs when performing research functions.
    • Banking institutions generally are not considered BAs with respect to certain payment processing activities (e.g., cashing a check or conducting a funds transfer).
    • Malpractice insurers generally are not considered BAs when providing services related to the insurance, but may be BAs when providing risk management and similar services to covered entities.

Transition rule for compliance. A transition rule under the final HIPAA regulations permits covered entities and BAs to continue to operate under certain existing contracts for up to one year beyond the compliance date (September 23, 2013) of the final regulations. A qualifying business associate agreement will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. This rule applies only to the language in the agreements; the parties must still operate as required under the HIPAA Rules in accordance with the applicable compliance dates.

Covered entities and business associates may want to act more quickly to identify and contract with those individuals and entities from whom they must obtain satisfactory assurances under HIPAA.

A Federal Acquisition Regulation proposed on October 14, 2011 (76 Fed. Reg. 63896, 10/14/11), would require federal contractors to conduct privacy training before being given access to government records or handling personally identifiable information. For many entities, training may already be called for under a federal or state law, or contract provision. However, this regulation raises the bar by effectively halting a contractor’s work until the training is performed. Contractors will need to watch this regulation closely as it may affect their businesses. The public may submit comments on this regulation until Dec. 13, 2011.

Key features of the proposed regulations:

  • Contractors would be required to provide initial training and annual training for employees who either (1) require access to a government system of records; (2) handle personally identifiable information; or (3) design, develop, maintain, or operate a system of records on behalf of the federal government.
  • Federal agencies are required to provide contractors the training materials unless, on an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials.
  • The contractor is responsible for ensuring the training is completed, and must maintain documentation of the training.
  • Certain privacy clauses will need to be added to the contract between the contractor and the government.

Training must cover at least the following seven areas:

  1. The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
  2. The handling and safeguarding of personally identifiable information;
  3. The authorized and official use of government systems of records;
  4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
  5. The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government;
  6. Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised); and
  7. Any agency-specific privacy training requirements.