Having proper internal systems and procedures in place to manage data security is essential for organizations storing personal information in any industry. But health care organizations that rely on external vendors to process, store, or otherwise use such information must take extra steps to ensure those vendors take proper security measures, because a failure on the part of a vendor can be attributable to the organization using that vendor. Indeed, merely failing to execute a “business associate agreement” with vendors to obtain adequate assurances that those vendors will appropriately safeguard protected health information (“PHI”) will be regarded as a failure on the part of the covered entity to comply with HIPAA – even where there is no separate indication of a data breach. The U.S. Department of Health and Human Services (“HHS”) recently re-affirmed that principle by requiring that a health care provider pay $31,000 and comply with a two-year corrective action plan because it did not enter a business associate agreement with a third-party service provider. In other words, in the HHS’ view, providing PHI to a vendor in the absence of such an agreement effectively constitutes a breach.
On April 20, 2017, the HHS Office for Civil Rights (“OCR”) announced it had reached an agreement with the Center for Children’s Digestive Health (“the Center”), a small, Illinois-based health care provider, because the Center failed to sign a business associate agreement with Filefax Inc. (“Filefax”) prior to transferring records containing PHI of nearly 11,000 patients to Filefax for storage. According to the Resolution Agreement entered into by OCR and the Center, an investigation for potential violations of the Privacy Rule (45 C.F.R. Part 160 and Subparts A and E of Part 164) revealed that the Center:
- Failed to “obtain satisfactory assurances from Filefax, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI that was in Filefax’s possession or control”; and
- “Impermissibly disclosed the PHI of at least 10,728 individuals to Filefax when [the Center] transferred the PHI to Filefax without obtaining Filefax’s satisfactory assurances, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI.”
In addition to the $31,000 payment, the Resolution Agreement requires that the Center update and distribute internal policies and procedures to comply with federal standards, including drafting business associate agreements and training materials, as well as submit annual reports to HHS regarding compliance with the Resolution Agreement’s terms.
As the HHS website explains, “HIPAA Rules generally require that covered entities . . . enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.”[1] Such contracts “also serve to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.”[2] A business associate is anyone not part of the covered entity’s workforce who “performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”[3] In addition, HHS regulations state that even a business associate’s subcontractors count as business associates for the purpose of maintaining data security, where that subcontractor has been delegated a function, activity or service involving the creation, receipt, maintenance, or transmission of PHI.[4]
Given this broad definition, it is important for companies to evaluate whether a business associate contract might be required every time they deal with third parties and personal data. As this recent HHS Resolution Agreement indicates, the federal government will hold health care organizations accountable if they don’t obtain satisfactory assurances from their business associates to ensure the security of PHI. And even in the absence of a breach, failure to obtain assurances that a vendor will treat PHI appropriately can have serious consequences for health care organizations. Ultimately, covered entities should recognize that HHS will view a failure to execute a business associate contract where appropriate as a breach of that entity’s HIPAA obligations, one that may lead to significant financial and reputational consequences.
While $31,000 may not seem significant to larger organizations, prior HHS settlement amounts have been substantially larger. For example, in July 2016, Oregon Health & Science University, a significantly larger institution, paid $2.7 million in connection with the disclosure of PHI of more than 3,000 individuals to a third-party service provider without obtaining a business associate contract, the theft of a laptop computer, and the University’s alleged failure to implement proper data security policies and procedures. In addition, Raleigh Orthopaedic Clinic, P.A. agreed to a $750,000 settlement in April 2016 after disclosing X-ray films of more than 17,000 individuals to a third-party vendor without first obtaining a business associate contract with that vendor.