HIPAA Business Associates

Congratulations!  You have a HIPAA-compliant business associate (or subcontractor) agreement in place – now what? How can you implement the agreement without becoming a HIPAA guru?

There are many resources available that offer detailed guidance on risk analysis and implementation protocols (such as the Guide to Privacy and Security of Electronic Health Information published by the Office of the National Coordinator for Health Information Technology and numerous “Special Publications” issued by the National Institute of Standards and Technology (NIST)).

These are terrific resources and can keep a team of IT professionals and Privacy and Security Officers reading and scratching their heads for weeks, but here are a few simple and practical steps you can take to avoid the security incident that may result in a protected health information (PHI) breach.

  1. Make sure the covered entity knows which individual(s) is authorized to receive PHI at the business associate. If neither the services agreement nor the business associate agreement specifies the person to whom PHI is to be disclosed, make sure the name, title and contact information of any designated recipient is communicated to the covered entity in writing.
  2. Include a provision in the business associate agreement (or subcontractor agreement) or develop a process whereby the covered entity (or business associate) provides notice, when feasible, prior to transmitting PHI to the designated recipient. Particularly when the transmission of PHI is sporadic or infrequent, provision of advance notice helps heighten awareness of the parties’ HIPAA obligations with respect to particular data being transmitted.
  3. Establish an agreed-upon means of PHI transmission – for example, specify whether transmission will be made via encrypted email, portable device, hard copy, etc. – and document the chain of custody from covered entity to business associate and after receipt by business associate.
  4. Create a “vault” for PHI received by the business associate that is secured by access codes that are changed periodically and can be deactivated when personnel leave the employ of the business associate.
  5. Maintain a perpetual inventory of PHI repositories, delegating responsibility to the Security Officer to oversee or authorize repository access rights, review activity, and conduct regular audits.
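As an added illustration of steps 3 to 5 above (this is not code from the original post or its authors), the following Python model keeps the "perpetual inventory" the post describes: access rights are granted only by the Security Officer, every access is deactivated when a person leaves, access codes older than an assumed 90-day rotation period are flagged, each hand-off of PHI is logged as a chain-of-custody entry, and an audit returns the exceptions. The repository names, the people and the 90-day threshold are constructed assumptions for the example.

```python
"""Toy PHI repository inventory with chain of custody, revocable access,
credential-rotation checks and an audit. Added example, not from the post;
names, dates and the 90-day threshold are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

ROTATION_DAYS = 90  # assumed policy: access codes older than this are stale
SAMPLE_START = date(2015, 1, 5)  # constructed date for the sample scenario


@dataclass
class Access:
    person: str
    granted_by: str
    code_set_on: date      # when this person's access code was last changed
    active: bool = True


@dataclass
class Repository:
    name: str
    location: str          # e.g. "encrypted file share", "locked cabinet"
    accesses: list = field(default_factory=list)
    custody_log: list = field(default_factory=list)


class PHIInventory:
    def __init__(self, security_officer):
        self.security_officer = security_officer
        self.repos = {}
        self.departed = set()

    def add_repository(self, name, location):
        self.repos[name] = Repository(name, location)

    def grant_access(self, repo, person, authorized_by, today):
        # Step 5: only the Security Officer authorizes repository access rights.
        if authorized_by != self.security_officer:
            raise PermissionError(f"{authorized_by} may not authorize access")
        if person in self.departed:
            raise PermissionError(f"{person} has left; access refused")
        self.repos[repo].accesses.append(Access(person, authorized_by, today))

    def rotate_code(self, repo, person, today):
        # Step 4: access codes are changed periodically; record the change.
        for a in self.repos[repo].accesses:
            if a.person == person and a.active:
                a.code_set_on = today

    def offboard(self, person):
        # Step 4: deactivate every access code when personnel leave.
        self.departed.add(person)
        for r in self.repos.values():
            for a in r.accesses:
                if a.person == person:
                    a.active = False

    def record_transfer(self, repo, sender, recipient, channel, when):
        # Step 3: document the chain of custody for each PHI hand-off.
        self.repos[repo].custody_log.append((when, sender, recipient, channel))

    def audit(self, today):
        # Step 5: regular audit; returns human-readable exceptions.
        findings = []
        for r in self.repos.values():
            for a in r.accesses:
                if a.active and a.person in self.departed:
                    findings.append(f"{r.name}: {a.person} departed but still active")
                if a.active and (today - a.code_set_on).days > ROTATION_DAYS:
                    findings.append(f"{r.name}: {a.person} code not rotated")
            if not any(a.active for a in r.accesses):
                findings.append(f"{r.name}: no active custodian")
        return findings


def build_sample():
    """Constructed scenario: two repositories, one departure, one stale code."""
    officer = "Dana (Security Officer)"
    inv = PHIInventory(officer)
    inv.add_repository("claims-vault", "encrypted file share")
    inv.add_repository("archive-cabinet", "locked cabinet, room 2")
    for person in ("alice", "bob", "carol"):
        inv.grant_access("claims-vault", person, officer, SAMPLE_START)
    inv.record_transfer("claims-vault", "Covered Entity billing dept", "alice",
                        "encrypted email", SAMPLE_START)
    inv.rotate_code("claims-vault", "alice", SAMPLE_START + timedelta(days=80))
    inv.offboard("bob")
    findings = inv.audit(SAMPLE_START + timedelta(days=100))
    return inv, findings


if __name__ == "__main__":
    _, findings = build_sample()
    for line in findings:
        print(line)
```

Running the sample reports carol's unrotated code and the cabinet that has no active custodian; bob produces no finding because offboarding deactivated his access, which is exactly the state the audit is meant to confirm.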

Our partner Bill Maruca, who is the Editor and a frequent contributor to this blog, was recently interviewed by PracticeSuite as part of their Expert Interview program.  In the course of his interview, Bill discusses patient confidentiality, keeping records safe and private, and trends in the medical billing industry. 

One important recommendation by Bill is taken from his earlier post on this blog: encrypt all electronic protected health information (ePHI), especially when transferring it via email, cloud storage or FTP sites or saving it to mobile devices. The loss of properly encrypted PHI may not be a HIPAA breach even if a device is lost or stolen, or an email or electronic file is sent to the wrong recipient.

I recommend that his entire PracticeSuite interview be read here.

As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year.  While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue of Medical Practice Compliance Alert, a synopsis of the article can be found here. As we have previously pointed out, we always enjoy our talks with Marla because she never fails to direct our thinking to new areas.   We look forward to the opportunity for further encounter sessions with her.

While the article discussed a diverse range of topics affecting physician practices, including accountable care organizations (ACOs) and telemedicine, this blog post will focus on HIPAA-related areas.

Even more HIPAA and related enforcement activities can be expected in 2015.

The article observed that providers will not see a reprieve in this area. Breaches of patient and consumer data continue to proliferate; the tremendous publicity that breaches outside of the HIPAA area have received, such as the hacking of Home Depot and Sony, will create more pressure on HHS’ Office for Civil Rights (OCR) to enforce HIPAA breaches.  The article quotes us as saying “It’s [A HIPAA privacy breach is] very personal to people when their health data is filched; it’s creepy.”  

The article also quotes Elizabeth, who warns that practices also should expect increased activity by the Federal Trade Commission in the area of healthcare data breaches through its enforcement of consumer protection laws and from the Food and Drug Administration’s protection of the integrity of medical devices, even though those federal agencies do not have the same comprehensive standards and clear regulations that OCR does to enforce HIPAA.

Additionally, there is likely to be more private litigation using HIPAA compliance as the standard of care, even though HIPAA itself does not give patients the right to sue for violations. The November 2014 ruling in the Connecticut Supreme Court discussed on this blog here and here recognized HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit. Elizabeth and I observed that the Connecticut case will spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

Covered entities and business associates will refine their agreements, all as they come under more scrutiny.

Many practices and their business associates scrambled to sign business associate agreements (BAAs), often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing BAA, September 2014. However, as discussed in the article, covered entities and business associates now are negotiating the language in BAAs and customizing them to their individual needs, such as choice of law and indemnification requirements.

One provision that may become more prevalent in newer BAAs would allow a business associate that deals with large amounts of data — such as a cloud electronic health records vendor — to use the covered entity’s de-identified patient data for the business associate’s own purposes. An industry is developing around the aggregation of data for purposes such as research or predicting patient outcomes, and some business associates are moving to capitalize on that data and use it or market it to others. According to Elizabeth, covered entities will need to determine whether they want to grant such business associates permission to use the data that way.

Business Associates Can Expect Audits by OCR in 2015.

The activities of business associates also will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. Elizabeth observed that the use of subcontractors by business associates also will be examined more carefully, especially those who use off-shore subcontractors.

Again, to read more, click here and see the full article in the January 5, 2015 issue of Medical Practice Compliance Alert.

Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsch, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014. Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court: “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself. Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1. More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms. For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with the privacy and security requirements of a specific state’s (or states’) law, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance. The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do. In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow. As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2. More HIPAA complaints – and investigations. As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI. Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3. More PHI-avoidance efforts. Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future. “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!

The Connecticut Supreme Court handed down a decision in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., --- A.3d ----, 2014 WL 5507439 (2014) that

[a]ssuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.

Interestingly, the decision is dated November 11, 2014, the federal holiday of Veterans Day, but was available on Westlaw on November 7, 2014.  The Court’s decision was rendered 20 months after the date that the case was argued on March 12, 2013.

The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law.  The Byrne case, however, has added significance, as it appears to be the first decision by the highest court of a state that says that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA.  Moreover, it recognized that HIPAA may be the appropriate standard of care to determine whether negligence is present.

The Byrne case has important implications for HIPAA matters beyond the rights of individuals to sue under state tort law, using HIPAA regulations as the standard of care.  For example, in the area of business associate agreements (“BAAs”) and subcontractor agreements (“SCAs”), as was discussed in a posting in October 2013 on this blog relating to indemnification provisions,

there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a [p]arty does not want to run a risk of creating unintentionally a separate contractual private right of action in favor of a third party under a[n indemnification] [p]rovision.

A party should, therefore, endeavor to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA.  Failing to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA or SCA can be costly indeed, especially if the number of states that follow the Byrne case principles increases.

Efforts to use HIPAA regulations as standards for causes of action under state law can be expected to rise as a result of the Byrne decision.  Covered entities, business associates and subcontractors should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits.

The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today.  What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements?  Here are  3 shortcuts that might help you squeak that new BAA in before the deadline:

  • Review and update or prepare an Omnibus Rule-compliant BAA; consider changing the opening language to state that you and/or your contractor “may be” a CE, BA, or subcontractor as those terms are defined under HIPAA and that the services “may” involve or require the use or disclosure of protected health information (“PHI”). This way, the BAA can be executed, but will only apply to HIPAA-covered arrangements.
  • If you know you are a CE, BA, or subcontractor of a BA and know (or expect) the arrangement will involve or require the use or disclosure of PHI, but you aren’t sure your existing BAAs are up-to-date, send a generic letter to your contractors via email letting them know that, to the extent HIPAA applies to your business arrangement, you share their responsibility and desire to comply with HIPAA. Attach or send a link to a website where your updated or new BAA can be accessed by the contractor.
  • Encourage your contractor to sign the new BAA and email or print and fax a signed copy back to you (again, time is running out!).

HIPAA compliance is more than BAA documentation, of course, but these shortcuts can help you jumpstart (or wrap up) this aspect of compliance.

Michael J. Coco writes:

If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the form of asset purchases, set in motion by executing an asset purchase agreement (“APA”). The APA can be a voluminous document written by the purchaser to protect the purchaser. APAs have been known to cover every conceivable circumstance that may reflect negatively on the purchaser after the acquisition. APAs have been known to cover everything from the seller’s violation of a local ordinance to more serious violations, including violations of federal law. With a novelette of protective provisions, a well-written APA seems to cover everything. But like all legal documents, a typical APA needs to keep up with evolving law and, in the case of health care, the law evolves quickly.

Major and fairly recent changes in healthcare law include the clear requirement under applicable HIPAA provisions for covered entities to have business associate agreements in place and for business associates to have subcontractor agreements in place. Breach notification rules and penalties have also been created or refined under HIPAA. The typical APA requires the seller to represent that it has not violated any law, and often expands this representation to its employees. However, few APAs discuss potential HIPAA breaches by employees, or breaches by business associates. More importantly, there may be no specific representation that the seller has in place all of the appropriate business associate agreements.

Although a good due diligence review should evaluate business associate agreements, the purchaser should consider adding specific business associate agreement and breach representations, along with the corresponding indemnification provisions. Buyers should request copies of all business associate agreements currently in place, as well as any subcontractor agreements. In addition, the buyer should ask a seller to disclose any circumstance in which it discovered a potential breach, but determined the breach was not reportable based on an internal risk assessment conducted by the seller. Because the buyer is ordinarily acquiring the good will of the medical practice as an essential element, a past breach by the seller or the seller’s business associate could seriously reduce the value of the buyer’s investment. For this reason, buyers should consider adding specific breach and business associate representations to their APAs.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.   (Elizabeth has written several earlier entries on this blog related to the topic of the article, including those that may be found here and here.)

Often a relationship that a physician (or another professional such as a lawyer or other vendor) has with a covered entity (“CE”), including a hospital, regarding individual health information (“IHI”) may not rise to the level of a business associate (“BA”) under HIPAA which would necessitate a signed business associate agreement (“BAA”). Signing a BAA when it is not required could result in the unnecessary giving up of certain rights and the avoidable creation of some HIPAA compliance issues in the future for both parties to the BAA.

Some CEs may assume that other persons including physicians are, as a matter of course, their BAs when they are sharing IHI and may pressure them to sign BAAs without understanding that a physician’s ability to access, use or disclose his or her patient’s IHI does not automatically make such a physician a BA, and many times he or she is not.  Physicians require information on their patients for treatment, payment and healthcare operations as CEs and as allowed and contemplated by HIPAA. Just because two CEs are sharing IHI does not make one a BA of the other.

Signing a BAA could, depending on its language, require a purported BA (the “Purported BA”) to succumb to obligations under HIPAA and tie the hands of the Purported BA, thereby potentially impeding its right to use the IHI appropriately for its own purposes.  One should not assume the need for a BAA without sufficiently assessing why the PHI is being shared.   For example, if a physician is sharing the use of a hospital’s servers and accessing its electronic health records system for common patient information, a data use and access agreement between the parties may be the appropriate document, as a BAA may not be necessary.  In that regard an underlying agreement may describe why the physician needs the IHI of the other CE’s patients and clarify whether a BA relationship exists. Moreover, in some cases, even an existing CE/BA relationship with a BAA in place that was appropriate when signed could evolve over time, causing a need for the BAA to be updated or even terminated.

Finally, a party that is under pressure from a counterparty to sign a BAA it believes may not be necessary should point out that signing the BAA could put both parties at additional compliance risk by acknowledging a BA relationship under HIPAA, together with the regulatory obligations flowing from that relationship, when such a relationship does not in fact exist.

Michael J. Coco writes:

The expanded requirements under the HIPAA Omnibus Rule for a Business Associate Agreement (“BAA”) have created an increase in the volume of such agreements and in the need to analyze them, as individuals in industries traditionally unrelated to health care – such as IT vendors – find themselves confronting issues respecting a BAA. The increase in BAAs has also generated an increase in articles and commentators opining on advisable BAA provisions. Most of these articles focus, as one would expect, on the functional aspects of the BAA. This “meaty” part of the BAA, however, is not the only important part of the agreement. Less frequently have commentators discussed “boilerplate” or “standard” provisions found in most contracts, including BAAs.

In spite of the seemingly self-explanatory term given to these provisions, they are not always standard and, more importantly, not advisable in all circumstances. The BAA is similar to other contracts in that certain boilerplate provisions sometimes work in the favor of both parties, whereas other provisions may be unduly limiting or even detrimental to both parties, while some provisions favor the party that is the covered entity (“CE”) over the business associate (“BA”), or vice versa. In reviewing BAAs, I have noticed that certain standard provisions, often tacked on to the end of the BAA, may be detrimental to both parties, and other standard provisions that should have been included were absent. Below is a list of some standard contract provisions and how they might operate in a BAA:

Choice of Law: This provision allows the parties to choose what law governs the contract. Although federal law governs the required content of a BAA, the actual interpretation of the contract, damage awards, and other substantive issues are governed by state law. As such, each party should request to use an applicable state law that will favor its position.

Jurisdiction and Venue: This standard provision requires the parties to litigate any claims under the BAA in a specific state and county. In most cases, as a matter of convenience and economy, each party to an agreement will want jurisdiction and venue to be in its respective home county. CEs, however, should be mindful that a large HIPAA breach would be likely to reflect negatively on the CE within its community, even if the breach is legally attributable to actions or inactions of the BA. A CE should take this into consideration, along with its reputation in the community, when deciding to assign venue to its home county.

Force Majeure: Under contemporary contract law, a party is liable for a breach (in most cases) regardless of fault. A Force Majeure provision alleviates the harshness of this rule by eliminating liability for a breach where the action or omission that caused the breach was beyond the reasonable control of the breaching entity. Examples typically include floods, earthquakes, terror attacks and other events beyond the parties’ control. In a typical BAA arrangement, the BA has more obligations than the CE (often because the BAA was originally drafted by the CE). A CE, therefore, should carefully consider whether a Force Majeure provision will advance its interest. BAs, on the other hand, will often benefit from a Force Majeure provision.

Indemnification: An indemnification provision requires the breaching party to act as an indemnitor to the non-breaching party, covering liability, costs and damages as a result of the breach. This provision often requires negligence on the part of the breaching party and may or may not be reciprocal. Because the CE more likely than not has more to lose than the BA, a reciprocal indemnity provision favors a CE more than a BA.  (A prior posting on this blog provided a list of ten items to contemplate if an indemnification provision is being considered for a BAA.)

Third Party Beneficiaries: A Third Party Beneficiary (“TPB”) is a person or group that claims rights under a contract to which the TPB is not a party. Because HIPAA does not create a private right of action, patients and other injured parties cannot use HIPAA directly to sue for damages. A BAA could, potentially, create a “backdoor” right to enable patients and other third parties to sue the CE and/or BA under a TPB theory. For that reason, both parties to the BAA should agree on and include a standard provision that excludes TPB from the contract.

These are just a few of the standard provisions in contracts, and parties should carefully consider including them in their BAA. Certain facts, updated regulations, state law peculiarities or other circumstances might alter the general rules discussed here.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]

What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s patients? What if you are a covered entity health plan that wants to share PHI with a health care provider, such as a clinical laboratory, in conjunction with an employee wellness program? These are just a few of the situations that come up where the need for a BAA may be questionable and/or the roles of the parties to that BAA are not entirely clear.

Rather than protecting health information, the unnecessary or sloppy BAA may actually just create a HIPAA headache.

The “Springing BAA” is the term I’ll use for a situation in which the parties routinely create, receive, maintain, or transmit information that is not PHI in the course of one party’s performance of services on behalf of the other party, but the parties realize that, at some point in the future, the services may involve information that is PHI. So as to avoid having to address their HIPAA obligations by entering a BAA down the road, they enter a BAA that will apply (“spring to life”) when and if the services involve PHI.

The “Shifting BAA” is the term I’ll use for a situation in which the parties provide services on each other’s behalf that involve the creation, receipt, maintenance, or transmission of PHI from time to time throughout the services contract. This situation will involve two parties that are both covered entities, where the contracted services involve the use or disclosure of PHI on behalf of the other party. At any given time during the contract, one party might be functioning as a covered entity and the other a business associate, or vice versa. If a hospital contracts with a radiology practice to read scans performed on hospital patients, and the radiology practice contracts with the hospital to provide billing or other services in connection with patients seen in the radiology practice’s private office location (i.e., patients of the practice), for example, each party will be acting as a business associate of the other with respect to the other party’s patients and PHI.

The “Slip-Sliding BAA” is the one to watch out for. This is the BAA that shouldn’t have been entered in the first place, and turns a simple contractual arrangement into a muddy, slippery mess (thus, the HIPAA headache). I’ve written about the importance of figuring out whether a party is acting as a business associate (see here and here), but it’s worth emphasizing again. If you’re the covered entity asking a contractor to sign a BAA, make sure the contractor is creating, receiving, maintaining or transmitting PHI in connection with services it is providing on your behalf. If it’s not, the contractor’s breaches could be attributed to you. If you’re the contractor being asked to sign the BAA as a business associate, analyze the services agreement to make sure you need to create, receive, maintain or transmit PHI in order to provide services on the other party’s behalf. If PHI is required from the covered entity for the business associate to provide the required services, such an analysis may have the additional ancillary value of making the parties focus on the minimum necessary level of PHI needed.