
Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Unencrypted Laptops Prove Costly

Posted in Articles, HIPAA Enforcement, Privacy & Security

Is the PHI on all your mobile devices encrypted?  If not, here’s another two million reasons to make encryption your top priority. The Office of Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that they had imposed nearly $2 million in penalties on two entities as a result of the theft of unencrypted laptops.

As previously noted in this blog, theft or loss of laptops or other portable electronic devices remains a predominant factor in HIPAA breaches, constituting 57.5% of the approximately 400 List Breaches that involved reported theft or loss as of August 2013.

In the first incident, Concentra Health Services was fined $1,725,220 and agreed to adopt a corrective action plan after an OCR investigation following a report of the theft of an unencrypted laptop from a physical therapy clinic.  According to the press release,

“OCR’s investigation revealed Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”

This isn’t Concentra’s first experience with laptop theft. The OCR list of Breaches Affecting 500 or More Individuals (also known as the “Wall of Shame”) includes two prior similar incidents, one in 2009 and another in 2011. (It is unclear whether this theft was related to the 2011 incident). Modern Healthcare reports that Concentra reported 16 additional breaches involving fewer than 500 individuals’ records.  So, although 434 out of 597 laptops had been encrypted according to HealthITSecurity.com, a batting average of .726 wasn’t good enough given their status as repeat offenders. Concentra’s resolution agreement, including the Corrective Action Plan, is available here and is worth reading.  Among other conditions, OCR requires that the company provide an update regarding its encryption status, including the percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted and an explanation for the percentage of devices and equipment that are not encrypted.

The company’s incomplete and inadequate implementation of compliance steps after known vulnerabilities had been identified may also have contributed to the severity of the penalty.  One of the worst things a covered entity or business associate can do is to engage in a half-hearted compliance effort that documents knowledge of uncorrected problems.

In the second case, Arkansas-based QCA Health Plan reported the theft of an unencrypted laptop containing records of 148 individuals. OCR noted that its investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay $250,000 and implement upgraded security procedures and employee training. QCA’s Resolution Agreement and Corrective Action Plan is here. This case marks only the second time OCR has fined an entity for a breach involving fewer than 500 individuals’ PHI, following the Hospice of North Idaho settlement.

One lesson is clear from both incidents: if these laptops had been encrypted in accordance with NIST standards, neither entity would have been subjected to fines and additional government oversight.  As enforcement continues to ramp up and target both Covered Entities and Business Associates, and as the use of mobile devices continues to increase, there is no excuse to delay full implementation of encryption.  Encryption isn’t a panacea, but it’s as close as you can get in the HIPAA compliance world.

When the Long Arm of HIPAA Reaches into Mergers, Acquisitions and Asset Sales of Health Care Practices

Posted in HIPAA Business Associates

Michael J. Coco writes:

If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the form of asset purchases, set in motion by executing an asset purchase agreement (“APA”). The APA can be a voluminous document written by the purchaser to protect the purchaser. APAs have been known to cover every conceivable circumstance that may reflect negatively on the purchaser after the acquisition. APAs have been known to cover everything from the seller’s violation of a local ordinance to more serious violations, including violations of federal law. With a novelette of protective provisions, a well-written APA seems to cover everything. But like all legal documents, a typical APA needs to keep up with evolving law and, in the case of health care, the law evolves quickly.

Major and fairly recent changes in healthcare law include the clear requirement under applicable HIPAA provisions for covered entities to have business associate agreements in place and for business associates to have subcontractor agreements in place. Breach notification rules and penalties have also been created or refined under HIPAA. The typical APA requires the seller to represent that it has not violated any law, and often expands this representation to its employees. However, few APAs discuss potential HIPAA breaches by employees, or breaches by business associates. More importantly, there may be no specific representation that the seller has in place all of the appropriate business associate agreements.

Although a good due diligence review should evaluate business associate agreements, the purchaser should consider adding specific business associate agreement and breach representations, along with the corresponding indemnification provisions. Buyers should request copies of all business associate agreements currently in place, as well as any subcontractor agreements. In addition, the buyer should ask a seller to disclose any circumstance in which it discovered a potential breach, but determined the breach was not reportable based on an internal risk assessment conducted by the seller. Because the buyer is ordinarily acquiring the good will of the medical practice as an essential element, a past breach by the seller or the seller’s business associate could seriously reduce the value of the buyer’s investment. For this reason, buyers should consider adding specific breach and business associate representations to their APAs.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

Wild West Data Breach Sheriff Wins a Round Back East

Posted in HIPAA Enforcement

LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices.  On Monday, April 7, 2014, the United States District Court for the District of New Jersey sided with the FTC and denied Wyndham’s motion to dismiss the FTC’s complaint.  The Court found that Section 5 of the FTC Act permits the FTC to regulate data security, and that the FTC is not required to issue formal rules about what companies must do to implement “reasonable” data security practices.  Notably, Wyndham’s data breach involved personal information that included names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes, and did not involve HIPAA-covered Protected Health Information (PHI), so the court did not address the coexistence of data security authority under the FTC Act and HIPAA.

My Fox Rothschild LLP colleague, Todd Rodriguez, recently posted a blog describing the new HIPAA “Security Risk Assessment Tool” (SRA Tool) developed by the Department of Health and Human Services (HHS) as a collaboration between the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC).  The tool, available for download, supplements the detailed Omnibus Rule standards with a practical, hands-on resource entities can use to evaluate the efficacy of their data security practices, and users are asked to provide feedback on the SRA Tool by submitting comments before June 2, 2014.

By contrast, the FTC expects companies to review its enforcement actions and figure out what not to do when it comes to data security practices.  As reported by Andrew Scurria in Law360 on March 26, 2014, FTC Chairwoman Ramirez appeared before a Senate Commerce Committee panel and responded to critiques that the FTC has not provided enough guidance to businesses regarding appropriate data security practices.  Ramirez referenced the consent decrees resulting from the cases the agency has brought and settled under the unfairness and deception prongs of Section 5 of the FTC Act, and said that companies can “discern” the FTC’s approach to data security enforcement from those.

The recent victory in the Wyndham case may be a sign that the “other” data security sheriff in town, the FTC, will ramp up its enforcement actions and catch more companies that have either been unable to “discern” the FTC’s expectations or to avoid hacking incidents or other security intrusions.  Unfortunately, because it does not appear that the FTC will issue any regulatory guidance in the near future about what companies can do to ensure that their data security practices are reasonable, companies must monitor closely the FTC’s actions, adjudications or other signals in an attempt to predict what the FTC views as data security best practices.

The Wild West of Data Breach Enforcement by the Feds

Posted in Uncategorized

Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criterion of the Omnibus Rule.  You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human Services (HHS) and its Office of Civil Rights (OCR), as well as media reporters and others, that you exercised due diligence and should not be penalized. Your expenditure of time and money will help ensure your compliance with federal law.

Unfortunately, however, HHS is not the only sheriff in town when it comes to data breach enforcement.  The Federal Trade Commission (FTC) has been battling LabMD for the past few years in a case that gets more interesting as the filings and rulings mount (In the Matter of LabMD, Inc., Docket No. 9357 before the FTC).  LabMD’s CEO Michael Daugherty recently published a book on the dispute with a title analogizing the FTC to the devil, with the byline, “The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine, and Small Business.”  Daugherty issued a press release in late January attributing the shutdown of operations of LabMD primarily to the FTC’s actions.

Among many other reasons, this case is interesting because of the dual jurisdiction of the FTC and HHS/OCR over breaches that involve individual health information.

On one hand, the HIPAA regulations detail a specific, fact-oriented process for determining whether an impermissible disclosure of PHI constitutes a breach under the law.  The pre-Omnibus Rule breach analysis involved consideration of whether the impermissible disclosure posed a “significant risk of financial, reputational, or other harm” to the individual whose PHI was disclosed.  The post-Omnibus Rule breach analysis presumes that an impermissible disclosure is a breach, unless a risk assessment that includes consideration of at least four specific factors demonstrates there was a “low probability” that the individual’s PHI was compromised.

In stark contrast to HIPAA, the FTC can bring an enforcement action based upon its decision that an entity’s data security practices are “unfair”, but it has not promulgated regulations or issued specific guidance as to how or when a determination of “unfairness” is made.  Instead, the FTC routinely alleges that entities’ data security practices are “unfair” because they are not “reasonable” – two vague words that leave entities guessing about how to become FTC compliant.

In 2013, LabMD filed a motion to have the FTC’s enforcement action dismissed.  LabMD argued, in part, that the FTC does not have the authority to bring actions under the “unfairness” prong of Section 5 of the FTC Act.  LabMD further argued that there should only be one sheriff in town – not both HHS and the FTC.  Not surprisingly, in January 2014, the FTC denied the motion to dismiss, finding that HIPAA requirements are “largely consistent with the data security duties” of the FTC under the FTC Act. The opinion speaks of “data security duties” and “requirements” of the FTC Act, but these “duties” and “requirements” are not spelled out (much less even mentioned) in the FTC Act.  As a result, how can anyone arrive at the determination that the standards are consistent?  Instead, entities that suffer a data security incident must comply with the detailed analysis under HIPAA, as well as the absence of any clear guidance under the FTC Act.

In a March 10th ruling, the judge ruled that he would permit LabMD to depose an FTC designee regarding consumers harmed by LabMD’s allegedly inadequate security practices.  However, the judge also ruled that LabMD could not “inquire into why, or how, the factual bases of the allegations … justify the conclusion that [LabMD] violated the FTC Act.”  So while the LabMD case may eventually provide some guidance as to the factual circumstances involved in an FTC determination that data security practices are “unfair” and have caused, or are likely to cause, consumer harm, the legal reasoning behind the FTC’s determinations is likely to remain a mystery.

HHS Enforces Against County Government in Washington State

Posted in HIPAA Enforcement, Security Breach Notification

Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with Skagit County, Washington requires the county to pay $215,000 and institute a detailed Corrective Action Plan.

HHS’s action results from an incident in 2011 where the ePHI of 1,581 individuals was disclosed over a two-week period on a public web server maintained by the county. According to the HHS Press Release, the original breach report stated that the ePHI of only seven individuals was at issue, but HHS’s investigation revealed a far broader disclosure and also found that many of the accessible files contained sensitive information pertaining to testing and treatment of infectious diseases. HHS also found that the county failed to provide appropriate notifications after the breach. The investigation further revealed a period of noncompliance with the HIPAA Rules going back to 2005, including failures to implement and maintain Policies and Procedures and to train workforce members appropriately. The Resolution Agreement demonstrates HHS’s commitment to enforcement when it discovers a party has committed the twin sins of long-term noncompliance and inappropriate action after a breach. (Curiously, HHS has yet to include this breach on its list of breaches of unsecured protected health information affecting 500 or more individuals).

The Resolution Agreement with Skagit County serves as a useful reminder that HHS will take action against parties of any size, whether public or private, and is especially inclined to do so when a party shows a history of noncompliance and reacts inappropriately to a breach. Two simple things can help Covered Entities (of any size) avoid these situations: an up-to-date set of HIPAA Policies and Procedures and a well-trained workforce. Covered Entities should confirm that their Policies and Procedures are current (the Omnibus Rule changed the HIPAA landscape last year and requires updates to existing Policies and Procedures) and that members of their workforce with access to PHI have received specific training related to the Policies and Procedures.


More on Considerations for Entering into or Revising Business Associate Agreements

Posted in HIPAA Business Associates

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.   (Elizabeth has written several earlier entries on this blog related to the topic of the article, including those that may be found here and here.)

Often a relationship that a physician (or another professional such as a lawyer or other vendor) has with a covered entity (“CE”), including a hospital, regarding individual health information (“IHI”) may not rise to the level of a business associate (“BA”) under HIPAA which would necessitate a signed business associate agreement (“BAA”). Signing a BAA when it is not required could result in the unnecessary giving up of certain rights and the avoidable creation of some HIPAA compliance issues in the future for both parties to the BAA.

Some CEs may assume that other persons including physicians are, as a matter of course, their BAs when they are sharing IHI and may pressure them to sign BAAs without understanding that a physician’s ability to access, use or disclose his or her patient’s IHI does not automatically make such a physician a BA, and many times he or she is not.  Physicians require information on their patients for treatment, payment and healthcare operations as CEs and as allowed and contemplated by HIPAA. Just because two CEs are sharing IHI does not make one a BA of the other.

Signing a BAA could, depending on its language, require a purported BA (the “Purported BA”) to succumb to obligations under HIPAA and tie the hands of the Purported BA, thereby potentially impeding its right to use the IHI appropriately for its own purposes.  One should not assume the need for a BAA without sufficiently assessing why the PHI is being shared.   For example, if a physician is sharing the use of a hospital’s servers and accessing its electronic health records system for common patient information, a data use and access agreement between the parties may be the appropriate document, as a BAA may not be necessary.  In that regard an underlying agreement may describe why the physician needs the IHI of the other CE’s patients and clarify whether a BA relationship exists. Moreover, in some cases, even an existing CE/BA relationship with a BAA in place that was appropriate when signed could evolve over time, causing a need for the BAA to be updated or even terminated.

Finally, a party that is under pressure from a counterparty to sign a BAA it believes may not be necessary should point out that signing the BAA could put both parties at additional compliance risk by acknowledging a BA relationship under HIPAA, and the regulatory obligations flowing from it, when such a relationship does not in fact exist.

Puerto Rico Raises a High Bar for Fines Levied for PHI Breaches

Posted in HIPAA Enforcement

My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014.   The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”).  Bill’s quote sums it up:  “This is a shocking fine, given the circumstances.”  The breach affected roughly 13,000 individuals eligible for both Medicare and Medicaid (“dual eligibles”), but what were the circumstances that made this fine so large as to be shocking to my esteemed colleague and other observers?

Here’s my take.  First, the fine was imposed by Puerto Rico, not the Office of Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), which is the federal agency generally associated with penalties for breaches involving protected health information (“PHI”), and is significantly higher than fines that have been reported by OCR as having been levied for breaches affecting many more individuals than the 13,000 affected here.  OCR has created training tools for state attorneys general and states that it “welcomes” collaborations with state attorneys general seeking to bring civil actions to enforce HIPAA, but no state has imposed such a large penalty for a HIPAA violation, either on its own or in collaboration with OCR.

Second, the breach was not the result of a sophisticated hacking incident or careless laptop loss or theft capable of exposing thousands of individuals’ information in a single view.  Here, the breach resulted from Triple-S’s inclusion of individual Medicare health insurance claim numbers in plain sight on mailings addressed to the individuals.  This PHI would only have been viewed by those delivering or otherwise physically handling the mail addressed to the individuals, thereby subjecting the PHI to a relatively limited scope of potential viewers (presumably, the postal service and anyone retrieving a specific individual’s mail, with or without permission).

Finally, while the disclosure of an individual’s Medicare health insurance claim number is a disclosure of PHI (and potentially might be used in an attempt to improperly claim health care benefits), it is not the type of PHI that most people are likely to consider sensitive and private.

More information about Triple-S and this incident (and perhaps past incidents involving HIPAA violations, such as the 2010 incident reported to HHS) is likely to surface in the coming weeks and months.

“Boilerplate” Provisions in Business Associate Agreements Warrant Attention

Posted in HIPAA Business Associates

Michael J. Coco writes:

The expanded requirements under the HIPAA Omnibus Rule for a Business Associate Agreement (“BAA”) have created an increase in the volume of such agreements and in the need to analyze them, as individuals in industries traditionally unrelated to health care – such as IT vendors – find themselves confronting issues respecting a BAA. The increase in BAAs has also generated an increase in articles and commentators opining on advisable BAA provisions. Most of these articles focus, as one would expect, on the functional aspects of the BAA. This “meaty” part of the BAA, however, is not the only important part of the agreement. Less frequently have commentators discussed “boilerplate” or “standard” provisions found in most contracts, including BAAs.

In spite of the seemingly self-explanatory term given to these provisions, they are not always standard and, more importantly, not advisable in all circumstances. The BAA is similar to other contracts in that certain boilerplate provisions sometimes work in the favor of both parties, whereas other provisions may be unduly limiting or even detrimental to both parties, while some provisions favor the party that is the covered entity (“CE”) over the business associate (“BA”), or vice versa. In reviewing BAAs, I have noticed that certain standard provisions, often tacked on to the end of the BAA, may be detrimental to both parties, and that other standard provisions that should have been included were absent. Below is a list of some standard contract provisions and how they might operate in a BAA:

Choice of Law: This provision allows the parties to choose what law governs the contract. Although federal law governs the required content of a BAA, the actual interpretation of the contract, damage awards, and other substantive issues are governed by state law. As such, each party should request to use an applicable state law that will favor its position.

Jurisdiction and Venue: This standard provision requires the parties to litigate any claims under the BAA in a specific state and county. In most cases, as a matter of convenience and economy, each party to an agreement will want jurisdiction and venue to be in its respective home county. CEs, however, should be mindful that a large HIPAA breach would be likely to reflect negatively on the CE within its community, even if the breach is legally attributable to actions or inactions of the BA. A CE should take this into consideration, along with its reputation in the community, when deciding to assign venue to its home county.

Force Majeure: Under contemporary contract law, a party is liable for a breach (in most cases) regardless of fault. A Force Majeure provision alleviates the harshness of this rule by eliminating liability for a breach where the action or omission that caused the breach was beyond the reasonable control of the breaching entity. Examples typically include floods, earthquakes, terror attacks and other events beyond the parties’ control. In a typical BAA arrangement, the BA has more obligations than the CE (often because the BAA was originally drafted by the CE). A CE, therefore, should carefully consider whether a Force Majeure provision will advance its interest. BAs, on the other hand, will often benefit from a Force Majeure provision.

Indemnification: An indemnification provision requires the breaching party to act as an indemnitor to the non-breaching party, covering liability, costs and damages as a result of the breach. This provision often requires negligence on the part of the breaching party and may or may not be reciprocal. Because the CE more likely than not has more to lose than the BA, a reciprocal indemnity provision favors a CE more than a BA.  (A prior posting on this blog provided a list of ten items to contemplate if an indemnification provision is being considered for a BAA.)

Third Party Beneficiaries: A Third Party Beneficiary (“TPB”) is a person or group that claims rights under a contract to which the TPB is not a party. Because HIPAA does not create a private right of action, patients and other injured parties cannot use HIPAA directly to sue for damages. A BAA could, potentially, create a “backdoor” right to enable patients and other third parties to sue the CE and/or BA under a TPB theory. For that reason, both parties to the BAA should agree on and include a standard provision that excludes TPB from the contract.

These are just a few of the standard provisions in contracts, and parties should carefully consider including them in their BAA. Certain facts, updated regulations, state law peculiarities or other circumstances might alter the general rules discussed here.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

HIPAA Compliance Trends for 2014

Posted in HIPAA Enforcement

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her Medical Practice Compliance Alert article “HIPAA, ICD-10 Among 6 Compliance Trends That Will Affect You in 2014.” While the full text can be found in the January 6, 2014 issue of Medical Practice Compliance Alert, a synopsis is noted below. As we have earlier stated, it is always a pleasure for us to talk with Marla because she provokes our thinking in new areas.   We look forward to the opportunity of further encounter sessions with her.

The article discussed the fact that medical practices will face several compliance challenges in 2014. We expressed the view that HIPAA enforcement activities and litigation will increase because the Office for Civil Rights has stated that it will aggressively enforce HIPAA, especially since the rule implementing much of the HITECH Act went into effect September 23, 2013. This increase in enforcement coincides with the jump in mobile device use, electronic health record adoption and online scheduling, which will cause digital protected health information (PHI) to be less secure since providers may have less control over it.

Complying with HIPAA requirements can be expected to be used increasingly as a “best practice” in state courts, and patients are winning damages. The article states that “People [will] learn that they can sue [for privacy and security breaches]. This area is growing.”

We also believe that whistleblower activity will increase.  The article points out, “[Former National Security Agency contractor Edward] Snowden will encourage people to whistle blow. A trusted consultant can have an employee that decides whistleblowing is the right thing as a matter of public policy.”

The Affordable Care Act (ACA) will create billing compliance difficulties.  Elizabeth warned, “The ACA loophole that allows for unpaid care for health exchange patients gives patients a three-month grace period before the insurance policy is canceled. It is still unclear when and how practices can bill patients directly once insurers determine the patients are no longer covered, putting practices at risk of not only revenue loss but violating debt-collection practice.”

Finally, the article observed that meaningful use audits respecting initiatives in electronic health records (EHR) will increase. The federal government has paid more than $1.7 billion in incentives regarding EHR to providers under the Medicare and Medicaid meaningful use program. The article concluded, “The government will start audits to get a lot of this money back.”


Springing, Shifting, and Slip-Sliding Business Associate Agreements

Posted in HIPAA Business Associates

What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s patients? What if you are a covered entity health plan that wants to share PHI with a health care provider, such as a clinical laboratory, in conjunction with an employee wellness program? These are just a few of the situations that come up where the need for a BAA may be questionable and/or the roles of the parties to that BAA are not entirely clear.

Rather than protecting health information, the unnecessary or sloppy BAA may actually just create a HIPAA headache.

The “Springing BAA” is the term I’ll use for a situation in which the parties routinely create, receive, maintain, or transmit information that is not PHI in the course of one party’s performance of services on behalf of the other party, but the parties realize that, at some point in the future, the services may involve information that is PHI. So as to avoid having to address their HIPAA obligations by entering a BAA down the road, they enter a BAA that will apply (“spring to life”) when and if the services involve PHI.

The “Shifting BAA” is the term I’ll use for a situation in which the parties provide services on each other’s behalf that involve the creation, receipt, maintenance, or transmission of PHI from time to time throughout the services contract. This situation will involve two parties that are both covered entities, where the contracted services involve the use or disclosure of PHI on behalf of the other party. At any given time during the contract, one party might be functioning as a covered entity and the other a business associate, or vice versa. If a hospital contracts with a radiology practice to read scans performed on hospital patients, and the radiology practice contracts with the hospital to provide billing or other services in connection with patients seen in the radiology practice’s private office location (i.e., to patients of the practice), for example, each party will be acting as a business associate of the other with respect to the other party’s patients and PHI.

The “Slip-Sliding BAA” is the one to watch out for.  This is the BAA that shouldn’t have been entered in the first place, and turns a simple contractual arrangement into a muddy, slippery mess (thus, the HIPAA headache).  I’ve written about the importance of figuring out whether a party is acting as a business associate (see here and here), but it’s worth emphasizing again. If you’re the covered entity asking a contractor to sign a BAA, make sure the contractor is creating, receiving, maintaining or transmitting PHI in connection with services it is providing on your behalf. If it’s not, the contractor’s breaches could be attributed to you. If you’re the contractor being asked to sign the BAA as a business associate, analyze the services agreement to make sure you need to create, receive, maintain or transmit PHI in order to provide services on the other party’s behalf. If PHI is required from the covered entity for the business associate to provide the required services, such an analysis may have an additional ancillary value of having the parties focus on the minimum necessary level of PHI needed.