A Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entity’s recent settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) highlights the need for entities subject to HIPAA to enhance their focus on compliance, including with respect to their relationships with business associates.
Compliance with HIPAA requires covered entities to maintain appropriate administrative, technical, and physical safeguards to protect protected health information (PHI), including, but not limited to, executing business associate agreements (BAAs) with vendors who have access to PHI, implementing HIPAA compliance policies and procedures, and conducting a security risk analysis.
On December 4, 2018, the OCR announced a settlement with a covered entity based on allegations that the entity failed to implement adequate security measures and execute a BAA, which led to an unauthorized disclosure of PHI. As a result, the entity had to pay a substantial sum to the OCR and enter into a corrective action plan.
Specifically, between 2011 and 2012, the covered entity, a Florida provider of contracted internal medicine physicians to hospitals and nursing homes, engaged the services of an individual to provide billing services based on the individual’s assertion that he was a representative of the billing company. Ultimately, it was discovered that the individual made this representation without the knowledge or permission of the medical billing company.
In 2014, the covered entity learned that patient information – including patient names, dates of birth, and social security numbers – was viewable on the billing company’s public-facing website. The covered entity subsequently filed breach notification reports with the OCR indicating that 9,255 patients could have been affected by the breach. In the resolution agreement, the covered entity agreed not only to pay $500,000 to the OCR, but also to implement a significant corrective action plan, which includes the adoption of BAAs where appropriate, a complete business-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Privacy and Security Rules.
It is particularly significant that the covered entity allegedly never entered into a BAA with the individual providing medical billing services, and did not have any HIPAA policies and procedures in place, including those requiring the use of BAAs, until 2014 – years after the billing service was engaged. Additionally, the covered entity failed to conduct a risk analysis prior to 2014, despite HIPAA’s requirement that covered entities and business associates perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the entity’s electronic PHI.
While it is true that the individual misstating his authority from the billing company is atypical, this enforcement action reinforces the general need for covered entities to vet their potential business associates prior to engagement and enter into appropriate contractual terms to ensure that the PHI of their patients is protected. Simply implementing adequate safeguards to comply with HIPAA could have mitigated the risk of the unauthorized disclosure of PHI in these unusual circumstances – as well as in more common examples (e.g., a business associate’s systems falling prey to a hacker) – and in turn, avoided a costly OCR enforcement action.
In an effort to maintain compliance and mitigate such risks, covered entities should perform diligence on potential vendors and document and manage their relationships with those vendors. Beyond being required under HIPAA, having vendors sign BAAs is useful in documenting the inherent risks, and the risk mitigation techniques, associated with the use of third-party contractors. BAAs help to mitigate such risks by requiring business associates to comply with a variety of requirements under HIPAA, including safeguarding PHI, limiting its use and disclosure to the functions performed or services the business associate provides, and requiring notification of breaches of PHI. At a more basic level, the conversations that typically occur during the negotiation of a BAA often reflect the extent to which a vendor is appropriately prepared to address the various requirements of HIPAA.
While the above settlement highlights the importance of a covered entity implementing adequate safeguards, documenting and managing its vendor relationships, and properly vetting its potential vendors, business associates may also be the target of heightened HIPAA enforcement. For example, 12 states recently filed a federal lawsuit against an electronic health record vendor for, in contravention of its own policies, allegedly failing to implement basic security measures to protect electronic PHI from unauthorized access, such as safeguards or controls to prevent the exploitation of system vulnerabilities and the encryption of electronic PHI. The lack of safeguards allegedly resulted in a breach of the electronic PHI of about four million individuals.
Underscoring the importance of an active and robust HIPAA compliance program, the OCR has ramped up its enforcement of HIPAA violations and in 2018 alone has collected over $25,000,000 in connection with such violations.