Covered Entity Liability for Business Associate Ignorance of Breach under HITECH -- Really?

For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous.  But what about breaches the CE doesn't know about?  What if the CE's business associate (BA) fails to report a breach of unsecured health information?  What if the BA doesn't even know about the breach? 
 
The Interim Final Rule published by the Office of Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility:  "yes, a CE must meet the breach notification requirements and timeline, even when the CE is not responsible for, and does not even know about, a breach." The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself." 
 
The date a breach is discovered is extremely important (triggering the 60-day notice requirement).  The fact that a CE has no actual knowledge of a BA's breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach.  The clock starts running when the BA knew, or should have known, about the breach.  According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under federal common laws of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so." 
 

One Man's Scrap Paper .... (part 2)

In my previous post, I left open the question of whether UPS is on the hook under HIPAA for the box of medical records that ended up in a paper scrap resale warehouse.  The brief response is: not under HIPAA.

The federal government has expressly stated that mail carriers are not considered business associates under the HIPAA Privacy Rule when they handle protected health information on behalf of a covered entity provider.  The federal government addressed this exact issue in its guidance document published on December 3, 2002.  There, the question posed and government's answer were as follows:

Q:  Are the following entities considered "business associates" under the HIPAA Privacy Rule:  US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

A:  No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.  Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

As such, UPS had no direct legal obligation under HIPAA, whether as a covered entity or as a business associate, to safeguard the medical records in the hospital's box.  A covered entity may, however, attempt to impose additional obligations on its delivery service carriers through contract terms, where it can negotiate them.