This guest post was authored by Bianca A. Valcarce, a summer associate with Montgomery McCracken.
HIPAA regulations don’t just impact doctors and health plans. Lawyers, Certified Public Accountants, billing companies, and other third-party vendors who work with protected health information are not only covered by HIPAA requirements, but can be held independently liable for noncompliance. Given recent six-plus figure settlements for violations, HIPAA-regulated entities, including those who provide services to health care professionals, must be proactive to ensure compliance.
Who Must Comply with HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards for the privacy of individually identifiable health information. The Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS) is responsible for enforcing HIPAA’s Privacy and Security Rules. HIPAA applies to covered entities and business associates.
Covered entities include health plans, health care clearinghouses, and health care providers (although HIPAA only covers health care providers who electronically transmit protected health information (PHI) for certain transactions, the standard is so broad that nearly all health care providers are covered).
Business Associates (BAs) are persons or entities providing services on behalf of covered entities involving the use or disclosure of protected health information. BA services include: legal services, actuarial services, accounting, consulting, data aggregation, management, administrative services, accreditation, and financial services. Examples of BAs may include:
- A CPA firm whose accounting services to a health care provider involve access to PHI;
- A law firm that accesses PHI in defending a physician against a malpractice lawsuit;
- A document storage or disposal/shredding company receiving PHI;
- Billing companies for covered entities;
- An organization that accredits covered entities; and
- A consulting company that performs utilization reviews for a hospital.
Pursuant to the 2013 HIPAA Omnibus Rule, BAs are now directly liable for certain HIPAA requirements, such as ensuring the permissible use of PHI and performing security risk assessments. This year, in the first action solely against a BA, the Catholic Health Care Services of the Archdiocese of Philadelphia settled with OCR for $650,000 for violating HIPAA after the theft of a Catholic Health Care-issued cellphone compromised the PHI of over 400 nursing home residents.
What are some first steps for HIPAA compliance?
One of the most important things covered entities and BAs can do is make sure they have a written Business Associate Agreement (BAA). Recent settlements highlight the importance of having a BAA in place. In March, North Memorial Health Care of Minnesota agreed to a $1.55 million settlement agreement after the laptop of a vendor, Accretive Health, containing unencrypted PHI for over 6,500 patients was stolen. North Memorial failed to have a BAA in place with Accretive Health for over six months and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.
In April 2016, the Raleigh Orthopaedic Clinic, P.A. reached a $750,000 settlement after exposing PHI to a vendor without a proper BAA, leaving PHI without safeguards and vulnerable to misuse or improper disclosure. With no agreement in place, Raleigh Orthopaedic released x-ray files of over 17,000 patients to a scam vendor that recycled the films to harvest their silver content.
Most recently, in July 2016, the Oregon Health and Science University signed a resolution agreement with OCR for $2.7 million, following data breaches from 2013. One of the breaches involved the storage of information for over 3,000 patients with Google without having an official BAA. Of note, Google does offer BAAs that can be put in place for use with Gmail, Calendar, and Drive, but not other Google apps.
In its May 2016 alert, OCR recommended that covered entities have BAAs defining how PHI is used and providing time frames for BAs to report breaches, security incidents, or cyber-attacks. The OCR website provides a sample BAA. A BAA must (1) describe the permitted and required uses of PHI by the business associate; (2) provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and (3) require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.
OCR’s May 2016 alert also notes covered entities and BAs should conduct security risk assessments to evaluate their security and privacy practices. To guide covered entities and BAs through this process, a Security Risk Assessment Tool is available, developed through a collaboration of OCR, the Office of the National Coordinator for Health Information Technology, and the Office of General Counsel for HHS.
What happens in the event of noncompliance?
Reports of potential HIPAA violations may result in Resolution Agreements, settlements in which a covered entity or BA agrees to perform obligations, report to HHS, and submit to HHS monitoring, generally for three years. They may also include paying a resolution amount. In the settlements above:
- Catholic Health’s agreement includes a two-year mandatory plan involving annual assessments; revision, development, and maintenance of policy and procedure; and other updates, including encryption, mobile device and data integrity controls, and password management.
- North Memorial’s corrective action plan requires developing BA policy and procedure, modifying existing risk analysis, developing internal risk management plans, and training.
- Raleigh Orthopaedic’s plan involves assessing whether entities are BAs, creating standard template BAAs to be put in place prior to PHI disclosure, establishing standards for documenting BAAs beyond termination of the relationship, and limiting disclosure beyond the scope of a BAA.
- Oregon Health and Science agreed to a three-year corrective action plan to update encryption; increase security awareness training, including training on disclosures to third parties that require a BAA; and conduct a thorough assessment of its security management process.
OCR is conducting audits to ensure compliance. Right now, Phase 2, a desk audit of 167 covered entities and BAs, is underway. These audits – and the recent settlements – serve as a reminder to all covered entities and BAs that they should regularly review their HIPAA policies and procedures, have a BAA in place for all BAs, and regularly conduct security risk assessments to evaluate their security and privacy practices.
Moving forward, one thing is clear: in light of the Catholic Health Care settlement, if you are a BA, such as a law firm, accounting firm, or management company, you must comply with the HIPAA privacy and security rules or face the potential of direct liability for any failure to protect PHI. Communication and collaboration between covered entities and their BAs to ensure HIPAA compliance is key.