In June 2016, OCR entered into its first settlement agreement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), for potential violations of the HIPAA Laws by failing to protect electronic protected health information (“EPHI”) of nursing home residents. The smartphone of a CHCS employee was stolen and contained EPHI. The smartphone was not password protected, and the EPHI was unencrypted. The EPHI of more than 400 residents included social security numbers, diagnostic and treatment information, medications, and the names of family members and legal guardians. OCR determined that CHCS had failed to perform a HIPAA Security Risk Assessment and implement a risk management plan regarding compliance with the HIPAA Laws, and that CHCS didn’t have policies and procedures as required under the HIPAA Security Rule. The settlement included a penalty of $650,000 and a corrective action plan for two years, which will be monitored by OCR.
Many of the provisions of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (“HIPAA Laws”) now apply to business associates of covered entities. A “business associate” (“BA”) is a person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. A “covered entity” (“CE”) is a health plan, health care clearinghouse, or a health care provider who transmits PHI electronically for any transactions covered under the HIPAA Laws. “Protected health information” (“PHI”) is any individually identifiable information received by a covered entity and relates to: the past, present, or future physical or mental health of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. “Payment” means the activities undertaken by a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or of a health care provider or health plan to obtain or provide reimbursement for the provision of health care. Payment includes determining eligibility and related underwriting activities. “Underwriting purposes” include enrollment and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. Thus, merely obtaining the name and demographic information of an individual who would like to pursue enrollment with a health plan would not constitute a “payment” activity and such information is not PHI.
The responsibilities of a BA under the HIPAA Laws include compliance with all of the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and the Breach Notification Rule (45 C.F.R. Part 164, Subpart D). Section 164.502 of the HIPAA Privacy Rule applies to a BA, and other regulations in 45 C.F.R. Part 164, Subpart E may apply, depending on the activities being performed by the BA for a CE. Additionally, 45 C.F.R. Part 160 applies to a BA, which includes refraining from intimidation or retaliation for a person reporting HIPAA non-compliance to the OCR or the entity (160.316). Pertinent Definitions are set forth in 45 C.F.R. 160.103, 160.202, 164.103, 164.304, 164.402, and 164.501. Many business associate agreements will also require a BA to comply with the HIPAA Privacy Rule administrative requirements set forth in 45 C.F.R. 164.530, which are in fact good business practices.
The key requirements under the HIPAA Security Rule include:
- Designate a Security Officer;
- Perform a Security Risk Analysis of the administrative, physical, and technical safeguards (45 C.F.R. §§ 164.308-312) at or near the time it becomes a BA, and periodically review the Analysis (at least every 3 years);
- Have process and policy to identify and report breaches of unsecured PHI and security incidents;
- Implement administrative, physical, and technical safeguards and monitor effectiveness;
- Have policies and procedure related to compliance with the applicable HIPAA laws;
- Educate workforce members about the HIPAA Laws;
- Have policy for disciplinary actions for violations of the HIPAA Laws; and
- Maintain documentation required under the HIPAA Security Rule for 6 years.