This blog recently discussed tips for a covered entity (CE) in dealing with a HIPAA business associate (BA). Now, even though you have adopted all of the tips and more, in this dangerous and ever more complex data security world, one of your BAs suffers a breach and it becomes your responsibility as the victim CE to respond. What should you do?

Our partner Elizabeth Litten and I discussed aspects of this issue with our good friend Marla Durben Hirsch who included some of our discussion in her article in the June 2017 issue of Medical Practice Compliance Alert entitled “6 ways practices can reduce the risk of delegating breach-notification duties.” Full text of the article can be found in the June, 2017 issue, but a number of the items included below are drawn from the article.

  1. Locate the most recent Business Associate Agreement (BAA) with the BA who experienced the breach, and see what it says about the post-breach obligations of the CE and the BA. Two important threshold issues are whether the BA complied with the time period for reporting breaches to the CE contained in the BAA and the remaining time, if any, available to the CE for complying with any reporting requirements under HIPAA and state law, remediation and limitation of loss requirements, and notification requirements to affected individuals (collectively, the Requirements).
  2. Determine promptly what are the time deadlines for notification to insurance carriers if cybersecurity or general liability insurance may be available to the BA and/or the CE for payment of expenses of the breach and its remediation.
  3. Spell out any circumstances where the BA will handle the consequences of a breach that occurred on its watch, and the scope of its responsibilities vs. that of the CE. These can range from delegating to the BA the entire range of Requirements to assumption by the CE of complying with the Requirements with payment by the BA of the costs thereof.
  4.  Make sure that the required reporting and notification Requirements are sent on CE stationery or, if such Requirements are being delegated to the BA (especially where the breach affected a number of different CEs), the notifications make it clear that the breach was attributable to the acts of the BA and not the CE. As CE, insist that the final wording of the required reporting and notification documents be subject to your approval.
  5.  Ensure that your staff is familiar with the circumstances of the breach so that they will be able to answer questions from affected individuals and the media intelligently. It may be advisable to designate a single trained and articulate person to be referred all inquiries, so that the responses are uniform, accurate and clear.
  6.  Assess whether the BA handled the breach adequately and whether you want to retain your relationship with the BA. Did the BA comply with HIPAA and the BAA in the post-breach period? Did the BA cooperate with the CE? What is the likelihood of a repeat breach by the BA? Is the CE assuming the risk of potential repeat HIPAA breaches if the BA relationship is continued?
  7. If you determine as CE that you will continue your relationship with the breaching BA, consider whether the BAA with the BA requires changes based upon the experience of the breach and its aftermath.
  8. As CE, consider modifying, updating and/or strengthening all of your BAAs as a result of your experience.
  9. As CE, you may require improving and/or changing your cybersecurity insurance coverage as a result of experience with the breach.
  10.  As CE, document all activities and decisions respecting HIPAA made in the post-breach period to defend your actions as reasonable and to provide concrete planning steps for future HIPAA compliance.

While all the precautions in the universe by a CE cannot eliminate a HIPAA breach by a BA, a CE that is victimized by such a HIPAA breach can do many things to reduce its liability and image damage and strengthen its own HIPAA compliance and risk avoidance efforts for the future by adopting the steps described above.

Our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the April 2017 issue of Medical Practice Compliance Alert entitled “Business associates who farm out work create more risks for your patients’ PHI.” Full text can be found in the April, 2017 issue, but a synopsis is below.

In her article Marla cautioned, “Fully one-third of the settlements inked in 2016 with OCR [the Office of Civil Rights of the U.S. Department of Health and Human Services] dealt with breaches involving business associates.” She pointed out that the telecommuting practices of business associates (“BAs”) and their employees with respect to protected health information (“PHI”) create heightened risks for medical practices that are the covered entities (“CEs”) — CEs are ultimately responsible not only for their own HIPAA breaches but for HIPAA breaches of their BAs as well.

Kline observed, “Telecommuting is on the rise and this trend carries over to organizations that provide services to health care providers, such as billing and coding, telehealth providers, IT support and law firms.” Litten commented, “Most business associate agreements (BAAs) merely say that the business associate will protect the infor­mation but are not specific about how a business associate will do so, let alone how it will when PHI is off site.”

Litten and Kline added, “OCR’s sample business associate agreement is no dif­ferent, using general language that the business associate will use ‘appropriate safeguards’ and will ensure that its subcontractors do so too.”

Kline continued, “You have much less control over [these] people, who you don’t even know . . . . Moreover, frequently practices don’t even know that the business associate is allowing staff or subcontractors to take patient PHI off site. This is a collateral issue that can become the fulcrum of the relationship. And one loss can be a disaster.”

Some conclusions that can be drawn from Marla’s article include the following items which a CE should consider doing  when dealing with BAs:

  1. Select BAs with due care and with references where possible.
  2. Be certain that there is an effective BAA executed and in place with a BA before transmitting any PHI.
  3. Periodically review and update BAAs to ensure that they address changes in technology such as telecommuting, mobile device expansion and PHI use and maintenance practices.
  4. Ask questions of BAs to know where they and their employees use and maintain PHI, such as on laptops, personal mobile devices or network servers, and what encryption or other security practices are in place.
  5. Ask BAs what subcontractors (“SCs”) they may use and where the BAs and SCs are located (consider including a provision in BAAs that requires BAs and their SCs to be legally subject to the jurisdiction of HIPAA, so that HIPAA compliance by the CE and enforcement of the BAA can be more effective).
  6. Transmit PHI to the BA using appropriate security and privacy procedures, such as encryption.
  7. To the extent practicable, alert the BA in advance as to when and how transmission of PHI will take place.
  8. Obtain from each BAA a copy of its HIPAA policies and procedures.
  9. Maintain a readily accessible archive of all BAAs in effect to allow quick access and review when PHI issues arise.
  10. Have a HIPAA consultant available who can be contacted promptly to assist in addressing BA issues and provide education as to best practices.
  11. Document all actions taken to reduce risk from sharing PHI with BAs, including items 1 to 10 above.

Minimizing risk of PHI breaches by a CE requires exercising appropriate control over selection of, and contracting and ongoing interaction with, a BA. While there can be no assurance that such care will avoid HIPAA breaches for the CE, evidence of such responsible activity can reduce liability and penalties should violations occur.

I posed a question in Part 1 of this post which I will summarize here:  is personal health information provided to a Patient Assistance Program (PAP) in order to help with covering the cost of prescription drugs protected as “protected health information” (PHI) under HIPAA?

Let’s use two examples.  Say Patient A, who knows he can’t afford the out-of-pocket costs for a branded drug prescribed by his doctor, goes to the pharmaceutical manufacturer’s website where he sees that the company has a PAP and on-line application form into which he enters his personal information to see if he qualifies for assistance.  Patient B is also concerned about the cost of a non-formulary drug prescribed for her, but the hospital where Patient B’s physician works has an arrangement with the PAP whereby the PAP will work with a patient’s insurance carrier to get coverage for drugs not included on the carrier’s formulary.  What happens if the PAP’s system is hacked and the personal health information of both Patient A and Patient B is compromised?  Does HIPAA apply and will the PAP notify Patient A and Patient B of the breach?

The answer is a qualified “yes”, because HIPAA would be applicable only if the PAP is functioning as a covered entity or business associate as those terms are defined under HIPAA when it receives and maintains the personal health information.  It’s the role the PAP plays with respect to the patient (and his or her information) that matters when trying to figure out whether the patient’s information is HIPAA-protected as PHI, rather than just the type of information the PAP receives and maintains.

Generally speaking, a pharmaceutical manufacturer (and its PAP) will be a “covered entity” under the HIPAA regulations if it is a “health care provider who transmits any health information in electronic form in connection with a transaction . . . .” (italics added).  The term “health care provider” is defined very broadly under the HIPAA regulations, and a “transaction” is defined (in relevant part) as “the transmission of information … to carry out financial or administrative activities related to health care.”  The manufacturer (and its PAP) is a “business associate” if it performs functions on behalf of a covered entity that require it to create, receive, maintain or transmit PHI.

The same mini-analysis can be applied to other business entities that “create, receive, maintain or transmit” PHI as a useful first step to understanding whether and how the personal health information may be protected.

(Part III continues Part I and Part II of this series on privacy of health information in the domestic relations context, which may be found here and here. Capitalized words not defined in this Part III shall have the meanings assigned in Part I or Part II.)

6. The situation can be further complicated by the fact that the Affordable Care Act requires Insurers that offer dependent coverage to make the coverage available until the adult child reaches the age of 26 to avoid loss of health insurance for students after they graduate from college. Most Insurers permit adult children of 18 or over (e.g., those emancipated under state law) to block access to claims information by their parents, regardless of the fact the parent is paying for the coverage. Such an adult child is typically not a party to divorce settlements or decrees. In some states even minor children below the age of 18 may be permitted to block access to claims information by their parents.

7. HIPAA permits an individual to require a Provider to agree to the request of such individual to restrict disclosure of protected health information (“PHI, as defined in HIPAA) about such individual to an Insurer if:

a. The disclosure is for the purpose of carrying out payment or health care operations (but not treatment) and is not otherwise required by law; and

b. The PHI pertains solely to a health care item or service for which the individual, or person other than the Insurer on behalf of the individual, has paid the Provider in full.

Adopting this payment approach may allow an individual to prevent his/her spouse from learning about specific events of diagnosis and treatment relating to such individual or his/her custodial children that would otherwise be available by access to claims information through an Insurer.

8. HIPAA provides that individuals have the right to request restrictions on how a Provider will use and disclose PHI about them for treatment, payment, and health care operations. A Provider is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. This type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

9. HIPAA also provides that individuals may request receiving confidential communications from a Provider, either at alternative locations or by alternative means. For example, an individual may request that her Provider call her at her office, rather than her home. A Provider must accommodate an individual’s reasonable request for such confidential communications. An Insurer must accommodate an individual’s reasonable request for confidential communications, if the individual clearly states that not doing so could endanger him or her. Again, as in item 8, this type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

10. A wide range of changes in circumstances, such as a change in employment and/or Insurer, obtaining services from a new Provider, relocation to a different state, changes in state law, reaching of majority age by children and/or life event changes that relate to provisions in a divorce or separation agreement or decree warrants revisiting these tips from time to time. HIPAA rights and responsibilities must be re-evaluated regularly in the context of the facts and circumstances involved at any given time.

Conclusion

The foregoing discussion refers to only a few of the many permutations of issues that may arise regarding IHI in the domestic relations context. It is intended to indicate the wide diversity of challenges and opportunities that spouses and domestic partners may encounter regarding access and blocking access to IHI. Individuals who need advice regarding legal aspects of their domestic relationships and/or disputes should seek counsel of professionals who have familiarity with the ramifications, complexities and continuous changes involving HIPAA, state privacy laws and IHI.

Health-related technology has developed light-years faster than health information privacy and security protection laws and policies, and consumers can find new mobile health applications for a wide range of purposes ranging from diabetes management to mole or rash evaluation to fitness tracking.  Smart mobile app developers wondering when and how HIPAA privacy and security requirements affect their products need to take a step back and ask that most basic of HIPAA questions:  What am I?

The question one that has been posed on this blog in the past, and one worth returning to on a regular basis because the answer is not always obvious, but is critical for HIPAA compliance.

The Secretary of Health and Human Services (HHS) recently released a letter written to U.S. Representative Peter DeFazio regarding development and use of mobile health apps and HIPAA compliance reminding him (and anyone reading the letter) that:

“The first question for any entity … is whether it is a covered entity or a business associate within the meaning of the HIPAA rules.” 

The Secretary then helpfully provides links to the Office for Civil Rights (OCR) website’s “frequently asked questions” tools (see here for examples of “Who are Business Associates” and here for information on Covered Entities) and points out that OCR works closely with the Office of the National Coordinator for Health Information Technology (ONC) developing guidance and tools (a tool specific to mobile device privacy and security is available here) for securing health information technology.   However, there’s no quick and easy way to figure out whether HIPAA applies to a specific mobile health application.  The inquiry must always go back to the beginning:  are you a Business Associate (or subcontractor of a Business Associate) or a Covered Entity?  If not, while there may be other state and federal laws that require you protect individually identifiable information (of which protected health information, or PHI, is a subset), HIPAA does not apply.

Bear in mind that your HIPAA identity will change depending on who is using you and for what purpose.  If you develop a mobile health app allowing an individual to create, receive, maintain or transmit information about herself, it is likely the app is not covered by HIPAA because the individual is not acting as a Business Associate or Covered Entity when using the app.  Even if the individual uses the app to send her PHI to her health care provider, the app most likely will not be subject to HIPAA, just as the patient herself is not subject to HIPAA with respect to information about herself she chooses to share with her provider. However, if you develop the app for use by the health care provider, you very well may be a Business Associate to the Covered Entity health care provider.  In this scenario, if you are providing a service on behalf of the provider that involves your access to PHI (whether sent by the individual patient herself or not), you must comply with HIPAA.

So while the basic “What am I?” question sounds simple, the answer requires consideration of who is downloading and using the mobile health app you create, and the purpose for which it is being used.

As she had done in 2014, Marla Durben Hirsch interviewed my partner Elizabeth Litten and me for her annual Medical Practice Compliance Alert article on compliance trends for the New Year.  While the article, which was entitled “6 Compliance Trends That Will Affect Physician Practices in 2015,” was published in the January 5, 2015 issue of Medical Practice Compliance Alert, a synopsis of the article can be found here. As we have previously pointed out, we always enjoy our talks with Marla because she never fails to direct our thinking to new areas.   We look forward to the opportunity for further encounter sessions with her.

While the article discussed a diverse range of topics affecting physician practices, including accountable care organizations (ACOs) and telemedicine, this blog post will focus on HIPAA-related areas.

Even more HIPAA and related enforcement activities can be expected in 2015.

The article observed that providers will not see a reprieve in this area. Breaches of patient and consumer data continue to proliferate; the tremendous publicity that breaches outside of the HIPAA area have received, such as the hacking of Home Depot and Sony, will create more pressure on HHS’ Office for Civil Rights (OCR) to enforce HIPAA breaches.  The article quotes us as saying “It’s [A HIPAA privacy breach is] very personal to people when their health data is filched; it’s creepy.”  

The article also quotes Elizabeth, who warns that practices also should expect increased activity by the Federal Trade Commission in the area of healthcare data breaches through its enforcement of consumer protection laws and from the Food and Drug Administration’s protection of the integrity of medical devices, even though those federal agencies do not have the same comprehensive standards and clear regulations that OCR does to enforce HIPAA.

Additionally, there is likely to be more private litigation using HIPAA compliance as the standard of care, even though HIPAA itself does not give patients the right to sue for violations. The November 2014 ruling in the Connecticut Supreme Court discussed on this blog here and here recognized HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit. Elizabeth and I observed that the Connecticut case will spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

Covered entities and business associates will refine their agreements, all as they come under more scrutiny.

Many practices and their business associates scrambled to sign business associate agreements (BAAs), often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing BAA, September 2014. However, as discussed in the article, covered entities and business associates now are negotiating the language in BAAs and customizing them to their individual needs, such as choice of law and indemnification requirements.

One provision that may become more prevalent in newer BAAs would allow a business associate that deals with large amounts of data — such as a cloud electronic health records vendor — to use covered entity’s de-identified patient data for the business associates’ own uses. An industry is developing around the aggregation of data for purposes such as research or predicting patient outcomes, and some business associates are moving to capitalize on that data and use it or market it to others. According to Elizabeth, covered entities will need to determine whether they want to grant such business associates permission to use the data that way.

Business Associates Can Expect Audits by OCR in 2015.

The activities of business associates also will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. Elizabeth observed that the use of subcontractors by business associates also will be examined more carefully, especially those who use off-shore subcontractors.

Again, to read more, click here and see the full article in the January 5, 2015 issue of Medical Care Compliance Alert.

The Connecticut Supreme Court handed down a decision in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —-, 2014 WL 5507439 (2014) that

[a]ssuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.

Interestingly, the decision is dated November 11, 2014, the federal holiday of Veterans Day, but was available on Westlaw on November 7, 2014.  The Court’s decision was rendered 20 months after the date that the case was argued on March 12, 2013.

The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law.  The Byrne case, however, has added significance, as it appears to be the first decision by the highest court of a state that says that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA.  Moreover, it recognized that HIPAA may be the appropriate standard of care to determine whether negligence is present.

The Byrne case has important implications for HIPAA matters beyond the rights of individuals to sue under state tort law, using HIPAA regulations as the standard of care.  For example, in the area of business associate agreements (“BAAs”) and subcontractor agreements (“SCAs”), as was discussed in a posting in October 2013 on this blog relating to indemnification provisions,

there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a [p]arty does not want to run a risk of creating unintentionally a separate contractual private right of action in favor of a third party under a[n indemnification] [p]rovision.

A party should, therefore, endeavor to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA.  Failing to limit the number of persons that may assert a direct right to sue for indemnification resulting from a breach of a BAA or SCA can be costly indeed, especially if the number of states that follow the Byrne case principles increases.

Efforts to use HIPAA regulations as standards for causes of action under state law can be expected to rise as a result of the Byrne decision.  Covered entities, business associates and subcontractors should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits.

I was recently asked whether the sending of an unencrypted group email to participants in a health-related support group violated HIPAA.  Faithful blog readers can guess my first question:  “Was the sender a covered entity, business associate, or subcontractor?”  Many support group entities are non-profit organizations staffed by volunteers and do not meet the definition of a covered entity “health care provider” (or other type of covered entity) under the HIPAA regulations (see 45 CFR 160.103).  Participants in support groups may expect the fact that they participate in the group and the information they disclose to be held in confidence by the organizers and other participants, but HIPAA may or may not protect that information.  (Whether other federal laws, state laws, or codes of ethics may protect the privacy of the information is beyond the scope of this post.)

When HIPAA applies, support group organizers (and other providers) should remember to use caution when sending group emails.  Does the group email list the email addresses of other participants?  Not only does this listing of participant email addresses, by itself, potentially constitute protected health information (PHI), but a participant’s inadvertent “reply all” message (intended for a support group therapist alone, for example) raises sticky HIPAA issues.  Health information disclosed by the individual to another support group participant falls outside the definition of “individually identifiable health information” under the HIPAA regulations and so is not HIPAA-protected PHI.  Still, a covered entity should be very careful to limit how and when email and social media are used to communicate with both individual patients and members of a support group.  While it does not solve the problem, perhaps all messages sent to more than one participant by a support group organizer should be sent as a “bcc” to limit disclosure.

The U.S. Department of Health and Human Services addressed whether covered entities have a “duty to warn” individuals that agree to receive unencrypted emails as a means of communication in the Omnibus Rule adoption:

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.  We disagree [with some commenters] that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome … We do not expect covered entities to educate individuals about encryption technology and the information security.  Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party … .”  [78 Fed. Reg. 5566, 5634]

Covered entities, business associates and subcontractors that get an individual’s permission to communicate via unecrypted email might want to include some type of bold warning as to limits of HIPAA protection.  Although voluntary participants in support groups may seem most likely to understand and have agreed to disclosure and use of their PHI within the group, it’s important to set ground rules and remind participants as to when (or whether) HIPAA applies – particularly if email or social media is involved.  Before accepting email addresses or allowing individuals to participate in any other unencrypted means of electronic communication, a covered entity might want to put its HIPAA warning — or disclaimer — in big, bold, easy-to-understand writing.

Recent news articles regarding a New Jersey elementary school’s handling of the enrollment of two new students from Rwanda provided another glimpse of Ebola hysteria and the opportunity for me to follow up on Bill Maruca’s blog about Ebola and HIPAA with yet another (fairly obscure) statutory acronym.  When it comes to protecting the privacy of students, HIPAA often does not even apply and it’s the Family Educational Rights and Privacy Act, known as FERPA, that matters.

The New Jersey elementary school apparently recognized that it had overreacted when it first announced that the Rwanda students’ parents would keep their children at home for 21 days.  The school posted a revised website notice stating that it would “welcome the new students whose parents graciously offered to keep them close this week.”  Setting aside the fact that Rwanda is located in East Africa, more than 2,500 miles away from the West African countries that have been reported to be affected by the Ebola virus, and is reportedly now screening all visitors to Rwanda who have been in the United States during the past 22 days, this elementary school incident offers a teachable moment.

If the school nurse at a public elementary school takes it upon himself or herself to identify students at risk for developing Ebola and decides to take twice-daily temperature readings of the students and record the information in student health records, the information would be protected under FERPA and parental consent would be required prior to its release.  “Frequently Asked Questions” posted on the website of the U.S. Department of Health and Human Services (HHS) address the interplay between HIPAA and FERPA and a “Joint Guidance” document issued by HHS and the U.S. Department of Education provides even more detail on the relationship between HIPAA and FERPA.  To the extent FERPA applies to the school nurse’s activities and information contained in the students’ health records, FERPA trumps HIPAA in one key privacy protection respect.

Under HIPAA, protected health information (PHI) can be used or disclosed without an authorization from the appropriate individual for certain public health activities.  For example, a covered entity, such as a health care provider, may disclose PHI to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease.  A covered entity may also disclose PHI to a person who may have been exposed to a communicable disease, under specific circumstances.  However, FERPA generally does not allow this type of disclosure (without parental authorization or authorization of a student over the age of 18) of identifiable student information, even when it is for public health purposes, other than in “emergency” situations. Note that under both HIPAA and FERPA, withholding names but releasing other information that makes it possible to identify the  individuals (ie, “students from Rwanda”) risks privacy violations.

The bottom line for public schools?  Check your FERPA obligations, your possible HIPAA obligations, and, when it comes to Ebola fears, your geography.

The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today.  What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements?  Here are  3 shortcuts that might help you squeak that new BAA in before the deadline:

  • Review and update or prepare an Omnibus Rule-compliant BAA; consider changing opening language to state that you and/or your contractor “may be” a CE, BA, or subcontractor as those terms are defined under HIPAA and that the services “may” involve or require to use or disclosure of protected health information (“PHI”).  This way, the BAA can be executed, but will only apply to HIPAA-covered arrangements.
  • If you know you are CE, BA, or subcontractor of a BA and know (or expect) the arrangement will involve or require the use or disclosure of PHI, but you aren’t sure your existing BAAs are up-to-date, send a generic letter to your contractors via email letting them know that, to the extent HIPAA applies to your business arrangement, you share their responsibility and desire to comply with HIPAA.  Attach or send a link to a website where your updated or new BAA can be accessed by the contractor.
  • Encourage your contractor to sign the new BAA and email or print and fax a signed copy back to you (again, time is running out!).

HIPAA compliance is more than BAA documentation, of course, but these shortcuts can help you jumpstart (or wrap up) this aspect of compliance.