BAA Compliance Deadline – September 23, 2014

In January 2013, the U.S. Department of Health and Human Services (HHS) announced the Health Insurance Portability and Accountability Act of 1996 (HIPAA) omnibus final rule (Final Rule) implementing a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information.

HIPAA covered entities and business associates were required to comply with many of the applicable requirements of the Final Rule by September 23, 2013. In certain circumstances, covered entities may have been permitted to delay updating their Business Associate Agreements (BAAs) to comply with the new requirements. However, as of September 23, 2014, all BAAs must be compliant with the Final Rule.

Recent Enforcement, Investigation, and Sanctions

The importance of complying with HIPAA, including BAA compliance, is more apparent than ever in light of influx and intensity of federal, state, and private actions related to data privacy and security.  Recent enforcement actions include the following:

  • In July 2014, Community Health Systems, a Tennessee-based hospital chain with 206 hospitals, discovered that an outside group of hackers targeted its computer network and stole patient data of approximately 4.5 million individuals. Federal law enforcement is in the process of investigating this incident.
  • A hospital in Rhode Island has agreed to pay the state of Massachusetts $150,000 to settle claims brought by its Attorney General regarding a breach of patient information involving the information of Massachusetts residents. Due to the variety of state laws, entities may face liability in another state even in the case where there is no enforcement by a federal agency or agency within the state the entity resides.
  • In June 2014, HHS announced that Parkview Health System agreed to settle potential violations of HIPAA with a payment of $800,000 and the adoption of a Corrective Action Plan to address deficiencies. Parkview, a nonprofit health care system in Ohio, had taken custody of the medical records while assisting a retiring physician in transitioning her patients and considering the possibility of purchasing the physician’s practice. The settlement resulted when an investigation found that Parkview left 71 cardboard boxes of medical records unattended on the driveway of the physician’s home.   
  • In March 2014, Skagit County, Washington, agreed to a settlement, including a $215,000 payment for a breach that occurred when unknown parties accessed electronic protected health information that was inadvertently moved to a publicly accessible server maintained by Skagit County. 
  • In February 2014, Triple-S Salud, Inc., the dominant health insurer in Puerto Rico, announced that the Puerto Rico Health Insurance Administration fined the insurer $6.78 million for a 2013 breach in which Triple-S Salud inadvertently mailed a pamphlet that included beneficiaries' Medicare claims numbers to 13,336 of its dual-eligible beneficiaries. The fine, which is being imposed by Puerto Rico, is significantly higher than any fine HHS has levied on an organization.

Regulatory Changes and Proposals

Since the Final Rule’s implementation, HHS also has released new guidance clarifying the Final Rule and proposals to future regulatory provisions, such as

  • Mental Health: In February 2014, HHS released guidance clarifying some of the most frequently asked questions regarding mental health information, such as disclosure of a minor’s mental health information. HHS's guidance can be found here.
  • Laboratory Results: In February 2014, HHS amended the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to provide patients with access to their completed test reports upon their request, rather than requiring that patients receive test results from their physicians.
  • National Instant Criminal Background Check System (NICS):As part of the Obama Administration’s efforts to reduce gun violence, HHS issued a Notice of Proposed Rule Making on January 7, 2014, to remove legal barriers under HIPAA that may prevent states from reporting certain information to NICS. If adopted as drafted, the HIPAA Privacy Rule would be modified to permit certain discloses to NICS to identify persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health. Notably, several states, such as Illinois, have similar requirements in place. 

Looking Forward

While these updates have clarified certain aspects of HIPAA, HHS has yet to provide guidance on a number of important substantive issues, including the minimum necessary standard, breach notification, accounting of disclosures, risk assessments, and electronic signatures.