Archives: HIPAA Business Associates

Jessica Forbes Olson and T.J. Lang write:

In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

A HIPAA compliance checklist for health care providers and insurers follows:

  • Determine whether for HIPAA purposes you are a hybrid entity, an affiliated covered entity or part of an organized health care arrangement. Document that status.
  • Appoint a HIPAA privacy official.
  • Appoint a HIPAA security official.
  • Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of patient or participant rights.
  • Determine where PHI is located, whether hard copy, electronic, or spoken.
  • Determine the reasons why PHI is used or disclosed (e.g., treatment, payment, health care operations, public health reasons, public policy reasons, to government agencies or officials).
  • Determine which departments and workforce members have access to PHI, why they have such access and the level of access needed.
  • Identify and document the routine requests, uses and disclosures of PHI and the minimum necessary for those requests, uses and disclosures.
  • Identify all business associates: vendors that create, maintain, use or disclose PHI when performing services for your entity.
  • Have executed business associate agreements with all business associates.
  • Have and follow written HIPAA privacy, security and breach notification policies and procedures.
  • Train all workforce members who have access to PHI on the policies and procedures and document the training.
  • Have and use a HIPAA-compliant authorization form.
  • Have and follow process for verifying the status of personal representatives.
  • Distribute a notice of privacy practices and providers must attempt to obtain acknowledgment of receipt of notice from patients and post one in each facility where patients can view it.
  • Establish and document reasonable administrative, technical and physical safeguards for all PHI, including hard copy and spoken PHI.
  • Conduct and document a HIPAA security risk analysis for all electronic PHI (e.g., PHI on desktops, laptops, mobile phones, iPads and other electronic notebooks, copy machines, printers, discs and thumb drives).
  • Address risks to ePHI that are identified in the HIPAA security risk analysis.
  • Update your HIPAA security risk analysis periodically or when there is a material change in your environment that does or could impact PHI or if there are changes in the law impacting PHI.
  • Encrypt PHI to fall within the breach safe harbor.
  • Have written disaster recovery and contingency plans.
  • Prepare for and respond to security incidents and breaches.
  • Comply with HIPAA standard transactions and code set rules related to electronic billing and payment.
  • Although it will not be covered by the audits, comply with more stringent state privacy and security laws (e.g., document retention; patient consent; breach reporting).
  • Maintain HIPAA compliance documentation in written or electronic form for at least 6 years from the date the document was created or last in effect.

For more information about OCR audits or assistance in conducting a HIPAA compliance review, please contact any member of the Fox Rothschild Health Law practice group.


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

Jessica Forbes Olson and T.J. Lang write:

HIPAA and Health Records
Copyright: zimmytws / 123RF Stock Photo

On March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits during 2016. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

The round two audits will occur in three phases: desk audits of covered entities, desk audits of business associates, and finally, follow-up onsite reviews. It is reported OCR will conduct about 200 total audits; the majority of which will be desk audits.

OCR has already begun the process of identifying the audit pool by contacting covered entities and business associates via email.  Health care providers,   insurers and their business associates should be on the lookout for automated emails from OCR which are being sent to confirm contact information. A response to the OCR email is required within 14 days. OCR instructed covered entities and business associates to check their spam or junk email folders to verify that emails from OCR are not erroneously identified as spam.

After the initial email, OCR will send a pre-audit questionnaire to entities it may choose to audit. Receiving a pre-audit questionnaire does not guarantee your entity will be audited. The purpose of the questionnaire is to gather information about entities and their operations, e.g., number of employees, level of revenue, etc. The questionnaire will also require covered entities to identify all of their business associates. Health care providers and insurers who have not inventoried business associates should do so now.

Entities who fail to respond to the initial OCR email or questionnaire will still be eligible for audit. OCR will use publicly available information for unresponsive entities to create its audit pool.

OCR will then, in the “coming months,” randomly select entities to audit and notify them via email that they have been selected for audit.

Health care providers, health insurers and business associates should check their HIPAA compliance status before they are contacted by OCR. Once selected for an audit, entities will only have 10 business days to provide the requested information to OCR.

Recent OCR enforcement activity has shown that noncompliance with HIPAA can be costly:

  • A Minnesota-based hospital entered into a $1.55 million settlement for failure to implement one business associate agreement and failure to conduct a HIPAA security risk analysis;
  • A teaching hospital of a university in Washington entered into a $750,000 settlement for failure to conduct an enterprise-wide HIPAA security risk analysis;
  • An insurance holding company based in Puerto Rico entered into a $3.5 million settlement for failure to implement a business associate agreement, conduct a HIPAA security risk analysis, implement security safeguards and for an improper disclosure of protected health information (“PHI”);
  • A radiation oncology physician practice in Indiana entered into a $750,000 settlement for failure to conduct a HIPAA security risk analysis and implement security policies and procedures.

If you receive any communications from OCR, please contact a member of the Fox Rothschild Health Law practice group immediately. A proactive review of your HIPAA compliance status can identify potential gaps and minimize the risk of potential penalties.

In Part 2, we’ll provide a HIPAA compliance checklist for healthcare providers and insurers. Stay tuned!


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

Congratulations!  You have a HIPAA-compliant business associate (or subcontractor) agreement in place – now what? How can you implement the agreement without becoming a HIPAA guru?

There are many resources available that offer detailed guidance on risk analysis and implementation protocols (such as the Guide to Privacy and Security of Electronic Health Information published by the Office of the National Coordinator for Health Information Technology and numerous “Special Publications” issued by the National Institute of Standards and Technology (NIST)).

These are terrific resources and can keep a team of IT professionals and Privacy and Security Officers reading and scratching their heads for weeks, but here are a few simple and practical steps you can take to avoid the security incident that may result in a protected health information (PHI) breach.

  1. Make sure the covered entity knows which individual(s) is authorized to receive PHI at the business associate. If neither the services agreement nor the business associate agreement specifies the person to whom PHI is to be disclosed, make sure the name, title and contact information of any designated recipient is communicated to the covered entity in writing.
  2. Include a provision in the business associate agreement (or subcontractor agreement) or develop a process whereby the covered entity (or business associate) provides notice, when feasible, prior to transmitting PHI to the designated recipient. Particularly when the transmission of PHI is sporadic or infrequent, provision of advance notice helps heighten awareness of the parties’ HIPAA obligations with respect to particular data being transmitted.
  3. Establish an agreed-upon means of PHI transmission – for example, specify whether transmission will be made via encrypted email, portable device, hard copy, etc. – and document the chain of custody from covered entity to business associate and after receipt by business associate.
  4. Create a “vault” for PHI received by the business associate that is secured by access codes that are changed periodically and can be deactivated when personnel leave the employ of the business associate.
  5. Maintain a perpetual inventory of PHI repositories, delegating responsibility to the Security Officer to oversee or authorize repository access rights, review activity, and conduct regular audits.

Our partner Bill Maruca, who is the Editor and a frequent contributor to this blog, was recently interviewed by PracticeSuite as part of their Expert Interview program.  In the course of his interview, Bill discusses patient confidentiality, keeping records safe and private, and trends in the medical billing industry. 

One important recommendation by Bill is taken from his earlier post on this blog: encrypt all electronic protected health information (ePHI), especially when transferring it via email, cloud storage or FTP sites or saving it to mobile devices.  The loss of properly-encrypted PHI may not be a HIPAA breach even if a device is lost or stolen, or an email or electronic file is sent to the wrong recipient.  

I recommend that his entire PracticeSuite interview be read here.

 

 

As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year.  While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue of Medical Practice Compliance Alert, a synopsis of the article can be found here. As we have previously pointed out, we always enjoy our talks with Marla because she never fails to direct our thinking to new areas.   We look forward to the opportunity for further encounter sessions with her.

While the article discussed a diverse range of topics affecting physician practices, including accountable care organizations (ACOs) and telemedicine, this blog post will focus on HIPAA-related areas.

Even more HIPAA and related enforcement activities can be expected in 2015.

The article observed that providers will not see a reprieve in this area. Breaches of patient and consumer data continue to proliferate; the tremendous publicity that breaches outside of the HIPAA area have received, such as the hacking of Home Depot and Sony, will create more pressure on HHS’ Office for Civil Rights (OCR) to enforce HIPAA breaches.  The article quotes us as saying “It’s [A HIPAA privacy breach is] very personal to people when their health data is filched; it’s creepy.”  

The article also quotes Elizabeth, who warns that practices also should expect increased activity by the Federal Trade Commission in the area of healthcare data breaches through its enforcement of consumer protection laws and from the Food and Drug Administration’s protection of the integrity of medical devices, even though those federal agencies do not have the same comprehensive standards and clear regulations that OCR does to enforce HIPAA.

Additionally, there is likely to be more private litigation using HIPAA compliance as the standard of care, even though HIPAA itself does not give patients the right to sue for violations. The November 2014 ruling in the Connecticut Supreme Court discussed on this blog here and here recognized HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit. Elizabeth and I observed that the Connecticut case will spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

Covered entities and business associates will refine their agreements, all as they come under more scrutiny.

Many practices and their business associates scrambled to sign business associate agreements (BAAs), often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing BAA, September 2014. However, as discussed in the article, covered entities and business associates now are negotiating the language in BAAs and customizing them to their individual needs, such as choice of law and indemnification requirements.

One provision that may become more prevalent in newer BAAs would allow a business associate that deals with large amounts of data — such as a cloud electronic health records vendor — to use covered entity’s de-identified patient data for the business associates’ own uses. An industry is developing around the aggregation of data for purposes such as research or predicting patient outcomes, and some business associates are moving to capitalize on that data and use it or market it to others. According to Elizabeth, covered entities will need to determine whether they want to grant such business associates permission to use the data that way.

Business Associates Can Expect Audits by OCR in 2015.

The activities of business associates also will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. Elizabeth observed that the use of subcontractors by business associates also will be examined more carefully, especially those who use off-shore subcontractors.

Again, to read more, click here and see the full article in the January 5, 2015 issue of Medical Care Compliance Alert.

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1.         More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms.   For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with a specific state’s (or states’) law privacy and security requirements, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance.  The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do.  In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow.  As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2.         More HIPAA complaints – and investigations.  As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI.  Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3.         More PHI-Avoidance Efforts.  Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future.  “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!

The Connecticut Supreme Court handed down a decision in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —-, 2014 WL 5507439 (2014) that

[a]ssuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.

Interestingly, the decision is dated November 11, 2014, the federal holiday of Veterans Day, but was available on Westlaw on November 7, 2014.  The Court’s decision was rendered 20 months after the date that the case was argued on March 12, 2013.

The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law.  The Byrne case, however, has added significance, as it appears to be the first decision by the highest court of a state that says that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA.  Moreover, it recognized that HIPAA may be the appropriate standard of care to determine whether negligence is present.

The Byrne case has important implications for HIPAA matters beyond the rights of individuals to sue under state tort law, using HIPAA regulations as the standard of care.  For example, in the area of business associate agreements (“BAAs”) and subcontractor agreements (“SCAs”), as was discussed in a posting in October 2013 on this blog relating to indemnification provisions,

there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a [p]arty does not want to run a risk of creating unintentionally a separate contractual private right of action in favor of a third party under a[n indemnification] [p]rovision.

A party should, therefore, endeavor to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA.  Failing to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA or SCA can be costly indeed, especially if the number of states that follow the Byrne case principles increases.

Efforts to use HIPAA regulations as standards for causes of action under state law can be expected to rise as a result of the Byrne decision.  Covered entities, business associates and subcontractors should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits.

The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today.  What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements?  Here are  3 shortcuts that might help you squeak that new BAA in before the deadline:

  • Review and update or prepare an Omnibus Rule-compliant BAA; consider changing opening language to state that you and/or your contractor “may be” a CE, BA, or subcontractor as those terms are defined under HIPAA and that the services “may” involve or require to use or disclosure of protected health information (“PHI”).  This way, the BAA can be executed, but will only apply to HIPAA-covered arrangements.
  • If you know you are CE, BA, or subcontractor of a BA and know (or expect) the arrangement will involve or require the use or disclosure of PHI, but you aren’t sure your existing BAAs are up-to-date, send a generic letter to your contractors via email letting them know that, to the extent HIPAA applies to your business arrangement, you share their responsibility and desire to comply with HIPAA.  Attach or send a link to a website where your updated or new BAA can be accessed by the contractor.
  • Encourage your contractor to sign the new BAA and email or print and fax a signed copy back to you (again, time is running out!).

HIPAA compliance is more than BAA documentation, of course, but these shortcuts can help you jumpstart (or wrap up) this aspect of compliance.

Michael J. Coco writes:

If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the form of asset purchases, set in motion by executing an asset purchase agreement (“APA”). The APA can be a voluminous document written by the purchaser to protect the purchaser. APAs have been known to cover every conceivable circumstance that may reflect negatively on the purchaser after the acquisition. APAs have been known to cover everything from the seller’s violation of a local ordinance to more serious violations, including violations of federal law. With a novelette of protective provisions, a well-written APA seems to cover everything. But like all legal documents, a typical APA needs to keep up with evolving law and, in the case of health care, the law evolves quickly.

Major and fairly recent changes in healthcare law include the clear requirement under applicable HIPAA provisions for covered entities to have business associate agreements in place and for business associates to have subcontractor agreements in place. Breach notification rules and penalties have also been created or refined under HIPAA. The typical APA requires the seller to represent that it has not violated any law, and often expands this representation to its employees. However, few APAs discuss potential HIPAA breaches by employees, or breaches by business associates. More importantly, there may be no specific representation that the seller has in place all of the appropriate business associate agreements.

Although a good due diligence review should evaluate business associate agreements, the purchaser should consider adding specific business associate agreement and breach representations, along with the corresponding indemnification provisions. Buyers should request copies of all business associate agreements currently in place, as well as any subcontractor agreements. In addition, the buyer should ask a seller to disclose any circumstance in which it discovered a potential breach, but determined the breach was not reportable based on an internal risk assessment conducted by the seller. Because the buyer is ordinarily acquiring the good will of the medical practice as an essential element, a past breach by the seller or the seller’s business associate could seriously reduce the value of the buyer’s investment. For this reason, buyers should consider adding specific breach and business associate representations to their APAs.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.   (Elizabeth has written several earlier entries on this blog related to the topic of the article, including those that may be found here and here.)

Often a relationship that a physician (or another professional such as a lawyer or other vendor) has with a covered entity (“CE”), including a hospital, regarding individual health information (“IHI”) may not rise to the level of a business associate (“BA”) under HIPAA which would necessitate a signed business associate agreement (“BAA”). Signing a BAA when it is not required could result in the unnecessary giving up of certain rights and the avoidable creation of some HIPAA compliance issues in the future for both parties to the BAA.

Some CEs may assume that other persons including physicians are, as a matter of course, their BAs when they are sharing IHI and may pressure them to sign BAAs without understanding that a physician’s ability to access, use or disclose his or her patient’s IHI does not automatically make such a physician a BA, and many times he or she is not.  Physicians require information on their patients for treatment, payment and healthcare operations as CEs and as allowed and contemplated by HIPAA. Just because two CEs are sharing IHI does not make one a BA of the other.

Signing a BAA could, depending on its language, require a purported BA (the “Purported BA”) to succumb to obligations under HIPAA and tie the hands of the Purported BA, thereby potentially impeding its right to use the IHI appropriately for its own purposes.  One should not assume the need for a BAA without sufficiently assessing why the PHI is being shared.   For example, if a physician is sharing the use of a hospital’s servers and accessing its electronic health records system for common patient information, a data use and access agreement between the parties may be the appropriate document, as a BAA may not be necessary.  In that regard an underlying agreement may describe why the physician needs the IHI of the other CE’s patients and clarify whether a BA relationship exists. Moreover, in some cases, even an existing CE/BA relationship with a BAA in place that was appropriate when signed could evolve over time, causing a need for the BAA to be updated or even terminated.

Finally, in the event that a party, which may be under pressure by a counterparty to sign a BAA when such party believes that it may not be necessary, should point out that signing the BAA could put both parties at additional compliance risk by acknowledging a BA relationship under HIPAA and the regulatory aspects flowing therefrom when such relationship does not in fact exist.