
Filefax, Inc., a defunct Illinois medical records storage and management company, has been fined $100,000 for improperly handling medical data under an agreement with the court-appointed receiver managing the company’s assets on behalf of its creditors.  This settlement has implications for both service providers and their covered entity clients.  Fox Rothschild partners Elizabeth Litten and Michael Kline were quoted in an article by Marla Durben Hirsch entitled “Be prepared for HIPAA Issues if a business associate shuts down” in the August issue of Medical Practice Compliance Alert.

As the HHS press release stated, the consequences for HIPAA violations don’t stop when a business closes.  In this case, Filefax had been under investigation by state and federal authorities since 2015 for careless handling of medical records which had been abandoned at a shredding facility.   Medical Practice Compliance Alert notes:

This settlement shows that a provider or business associate that has violated HIPAA can’t avoid the consequences by shutting down. “OCR is saying that you’re still responsible if you close your doors,” says attorney Elizabeth Litten with Fox Rothschild in Princeton, NJ.

But it also provides a cautionary tale for providers who work with business associates that go under because providers are ultimately responsible for their patients’ records.

The article suggests the following tips for a covered entity to reduce its risks when a business associate may be in shaky financial shape:

  1. Keep an inventory of your business associate relationships.
  2. Choose business associates carefully.
  3. Monitor your business associates’ compliance with HIPAA.
  4. Expect increased scrutiny if a business associate is already on the government’s radar.
  5. Watch for signs that the business associate may be running into financial trouble.
  6. Don’t sit idly if the business associate files for bankruptcy.

What should a covered entity do when it learns that a business associate may have violated its HIPAA responsibilities?  For starters, see our previous post entitled Ten Tips for Actions by a Covered Entity after a HIPAA Breach by a Business Associate.  And if that BA has ceased operations, be prepared to take control of the situation even if the BA may not have enough resources left to reimburse you for its mistakes. Remember, the buck always stops with the Covered Entity.


The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result in jail time and criminal fines.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates complaints and may impose civil monetary penalties (CMPs) for violations of HIPAA.   The U.S. Department of Justice (DOJ) handles criminal investigations and penalties.  This may not provide much comfort, but a CMP will not be imposed if the HIPAA violation is determined to constitute a criminal offense.

OCR will refer matters to DOJ for criminal enforcement in some cases or will work cooperatively with DOJ where a DOJ investigation on other grounds reveals a potential HIPAA violation.  HHS reported that OCR had referred 688 cases to the DOJ for criminal investigation as of June 30, 2018.

The criminal enforcement of HIPAA was described in a Memorandum Opinion issued in 2005 jointly to HHS and the Senior Counsel to the Deputy Attorney General by Steven Bradbury, then-acting Assistant Attorney General of the Office of Legal Counsel within DOJ (the DOJ Memo). The DOJ Memo explains that HIPAA allows for criminal penalties only for violations that involve the disclosure of “unique health identifiers” or “individually identifiable health information” (IIHI) that are made “knowingly” and in violation of HIPAA.   Specifically, a person may be subject to criminal penalties if he or she knowingly (and in violation of HIPAA):  (i) uses or causes to be used a unique health identifier; (ii) obtains IIHI; or (iii) discloses IIHI to another person.  Criminal penalties range from misdemeanors to felonies.  The maximum criminal penalty (a fine of up to $250,000 and imprisonment of up to 10 years) can be imposed if one of these offenses is committed “with intent to sell, transfer, or use [IIHI] for commercial advantage, personal gain, or malicious harm.”  The DOJ Memo explains that “knowingly” refers to knowledge of the facts that constitute the offense, not knowledge of the law being violated (HIPAA).

The DOJ Memo emphasizes the fact that criminal penalties are reserved for limited and specific violations of HIPAA: “Such punishment is reserved for violations involving ‘unique health identifiers’ and [IIHI]… Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.” The DOJ Memo focuses on violations by covered entities. It notes that when a covered entity is not an individual, but is a corporate entity, the conduct of agents may be imputed to the entity when the agents act within the scope of employment, and the criminal liability of a corporate entity may be attributed to individuals in managerial roles.

DOJ might decide to seek a conviction for a violation of HIPAA when it believes such a conviction would be easier to get than a conviction for a violation of other federal laws governing health care providers (such as the anti-kickback statute). After all, the DOJ Memo makes it clear that “knowing” refers to the conduct, not the state of the law. However, it should be noted, as per the DOJ Memo, that the DOJ’s interpretation of “‘knowingly’ does not dispense with the mens rea requirement of section 1320d-6 [HIPAA] and create a strict liability offense; satisfaction of the ‘knowing’ element will still require proof that the defendant knew the facts that constitute the offense.”

When a health care entity (like a large hospital system or health plan) has deep pockets, the OCR may decide to pursue very high civil monetary penalties and rely on the financial and reputational implications of the civil monetary penalties to act as a deterrent. On the other hand, the DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation.

In the case of the Massachusetts physician, it is also likely that the DOJ pursued the criminal charge because she lied about her relationship with the third party to which she disclosed patient information. My law partner Charles DeMonaco, a white collar defense attorney and former DOJ prosecutor, agrees:

It is understandable why this doctor was indicted and convicted for these offenses.  She was accused of lying to the agents, which is always a major hurdle in a criminal case.  Even if an underlying crime cannot be established, a lie of a material fact to a government agent is a stand-alone false-statement felony.  It also establishes consciousness of guilt. The doctor could have asserted her Fifth Amendment privilege against self-incrimination to avoid talking to the government agents.  It is never a good thing for a doctor to speak with agents who are investigating the doctor’s conduct without counsel and without proper protection of limited use immunity being sought prior to the interview.  The government also proved that she accepted fees from the pharma company after providing the [IIHI] in violation of HIPAA.  Under these facts, it is not surprising that this case was brought as a criminal prosecution and that a guilty verdict was returned.

Everyone subject to HIPAA should be aware that a HIPAA violation involving disclosure or breach of IIHI may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law.   In particular, covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI with those parties for commercial/personal gain or commercial harm. If the sharing of IIHI is not permitted under HIPAA and commercial gain or harm is involved, these violations could result in the most severe level of criminal penalties, including significant jail time.

My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with the idea that HIPAA could actually exacerbate and prolong a family member’s agony.

HIPAA is, generally speaking, intended to protect our privacy when it comes to health status, treatment, or payment and to facilitate appropriate access to our health information. But, as is typical with federal laws intersecting areas historically governed by State law, HIPAA defers to State law in some key respects.  For example, if a HIPAA provision is contrary to a similar provision of State law, it preempts State law unless the State law relates to the privacy of individually identifiable health information and is “more stringent” than the comparable HIPAA provision.  HIPAA also references “applicable law” in describing who can get information as a personal representative of an individual or act on behalf of a deceased individual.

So what does this mean in the context of family members seeking information about loved ones following the devastating Orlando, Florida night club shooting or following some other violent tragedy?

If a victim is hospitalized and a friend or family member is trying to get information about the victim, HIPAA permits the hospital to share information under the following circumstances:

  • A hospital may use protected health information (PHI) to notify or assist in the notification of a family member, personal representative or other person responsible for the patient’s care of the patient’s location, general condition or death.
  • A hospital can use a facility directory to inform visitors and callers of a patient’s location and general condition.
  • A hospital can release information as to the victim of a crime in response to law enforcement’s request for such information under certain circumstances, and law enforcement can notify the families.
  • If the patient is competent, the patient can tell the hospital that it may release all information to their family and friends.
  • If the patient is not competent to authorize release of information, a “personal representative” (a person authorized under State law to act on behalf of the patient to make health care decisions) can have all information necessary to make decisions. That person can also authorize release of information to others.

Sadly, the agony of loved ones seeking information about a patient may be prolonged if they are not viewed as family members or if State law does not recognize the loved one as a “personal representative”.  Sure, the federal Department of Health and Human Services (HHS) could amend the HIPAA regulations to deem certain individuals (for example, same-sex partners who are not legally married) to be personal representatives for purposes of access to PHI.  [Note: HHS treats legally married same-sex spouses as “family members” under HIPAA — see special topic publication available here.]

However, if the State law does not recognize these certain individuals as personal representatives, perhaps because the State law is “more stringent than” HIPAA in affording the patient greater privacy, HHS might also have to amend its HIPAA preemption regulations.

Hospitals and other health care professionals are constantly called upon to exercise discretion in dealing with requests for PHI from family members and loved ones of patients while complying with HIPAA. HIPAA regulations may need to be modified or perhaps could be “waived” (as described in yesterday’s Washington Post article) in some cases, but only when doing so furthers the fundamental HIPAA goals of privacy protection and facilitation of appropriate access.

Because of the enormity of the Orlando tragedy, some State legislatures may be expected to consider whether changes are necessary to promote information sharing in exigent circumstances while preserving the State’s interest in affording patients greater privacy protection than that afforded by HIPAA.

Daily struggles to protect personal data from hacking, phishing, theft and loss make it easy to forget that HIPAA is not just about privacy and security.  It also requires covered entities (CEs) to make an individual’s protected health information (PHI) accessible to the individual in all but a few, very limited circumstances.  Recent guidance published by the Department of Health and Human Services (HHS Guidance) emphasizes the need for covered entities to be able to respond to an individual who says “I want my PHI” in a way that complies with HIPAA and state law access requirements, even when these requirements seem confusing and contradictory.

HIPAA authorizations are, perhaps, one of the most commonly misunderstood and misused forms. The HHS Guidance helpfully reminds CEs that authorizations are not needed for a CE to share PHI for treatment, payment and health care operations, and, of course, a CE can share PHI with a business associate under a HIPAA-compliant business associate agreement.  But when an individual requests PHI, whether directly or through a third party, it’s critical that the CE understand whether it is an access request or a request for disclosure pursuant to a HIPAA-compliant authorization.

My law partner and fellow HIPAA enthusiast Beth Larkin comments on some of the difficulties a CE faces when responding to an individual’s access request, highlighting the need to distinguish between an access request and disclosure pursuant to an authorization:

The HHS guidance wants CEs to provide individuals “easy access” to their health information.  CEs still, however, have to deal with other HIPAA requirements, including verification of the identity of the requestor, securing the PHI from unauthorized access and determining breach if there is unauthorized access.  Also, it is not always clear whether a patient is exercising an access right or requesting PHI pursuant to an authorization.  The patient may not know the difference and just indicates he or she wants copies of records and may present either an access request or an authorization form.

The HHS Guidance explains that while a CE can require an individual to submit a written access request, it can’t do so in a manner that creates a barrier or would delay the individual’s access:

For example, a doctor may not require an individual: …  [t]o use a web portal for requesting access, as not all individuals will have ready access to the portal …

If a CE uses a written form for individuals to request access to records (and ensures the form is readily accessible in multiple ways), the CE should give individuals as much information as possible about each form.

For example, as illustrated in the chart included in the HHS Guidance, a HIPAA authorization permits, but does not require, a CE to disclose the PHI. An access request requires the disclosure (and requires the CE to act on the request within 30 days). In addition, HHS explains that fees charged by the CE are limited when the individual requests access, but not when PHI is requested pursuant to an authorization (though certain charges might be prohibited under HIPAA regulations proscribing the receipt of remuneration for the disclosure of PHI). Finally, HHS notes that PHI sent pursuant to an authorization must be sent securely, while an individual can request that PHI sent in response to an access request be sent through an unsecured medium (though the risks of such a choice should be communicated to the individual if feasible). If the CE makes all of this information clear and encourages the individual to ask questions as to which form should be used, it seems reasonable for a CE to then be able to rely on the individual’s choice of form.

When a third party requests an individual’s PHI, though, it can be especially difficult for a CE to figure out whether an authorization form has been sent when an access request would have been appropriate. Here, HHS suggests the CE reach out to the individual:

Where it is unclear to a covered entity, based on the form of request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to a third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.

In short, if a HIPAA authorization is really an individual’s misguided attempt to say “I want my PHI!”, the CE will need to make sure it follows the individual access right requirements in responding.

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below.

For her article, Marla asked various health law professionals to make predictions on matters such as HIPAA enforcement, the involvement of federal agencies in privacy and data security, and actions related to the Office for Civil Rights (“OCR”) of the federal Department of Health and Human Services (“HHS”).

After the interview with Marla was published, I noted that each of Elizabeth’s and my predictions described below happened to touch on our anticipation of the expansion by HHS and other federal agencies of their scope and areas of healthcare privacy regulation and enforcement. I believe that this trend is not a coincidence in this Presidential election year, as such agencies endeavor to showcase their regulatory activities and enlarge their enforcement footprints in advance of possible changes in the regulatory environment under a new administration in 2017. If an agency can demonstrate effectiveness and success during 2016 in new areas, it can make a stronger case for funding human and other resources to continue its activities in 2017 and thereafter.

Our predictions that were quoted by Marla follow.

Kline Prediction: Privacy and data enforcement actions will receive more attention from federal agencies outside of the OCR.

In light of the number of breaches that took place in 2015, the New Year will most likely see an increase in HIPAA enforcement. However, regulators outside of healthcare, such as the Department of Homeland Security, the Securities and Exchange Commission and the Federal Communications Commission, are also trying to extend their foothold into the healthcare compliance realm, much in the way that the Federal Trade Commission has.

Litten Prediction: The Department of Justice (DOJ) and the OCR will focus more on individual liability

In September of 2015, the DOJ announced, through the Yates Memo, that it would be shifting its strategy to hold individuals to a higher level of accountability for an entity’s wrongdoing. The OCR has also mentioned that it will focus more on individuals who violate HIPAA. “They’re trying to put the fear in smaller entities. A small breach is as important as a big one,” says Litten.

Kline Prediction: OCR will examine business associate relationships.

The HIPAA permanent audit program, which has been delayed by the OCR, will be rolled out in 2016 and will scrutinize several business associates. In turn, all business associate relationships will receive increased attention.   According to Kline, “There will be more focus on how you selected and use a business associate and what due diligence you used. People also will be more careful about reviewing the content of business associate agreements and determining whether one between the parties is needed.”

We shall continue to observe whether the apparent trend of federal agencies to grow their reach into regulation of healthcare privacy continues as we approach the Presidential election.

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.”  The three of us together were able to come up with a number of ideas to assist physicians in improving the likelihood that protected health information (“PHI”) will be more secure. The full text can be found in the August 17, 2015 issue of Medical Practice Compliance Alert, but a synopsis of our input is included below.

Internet applications and files should be included in a physician practice’s HIPAA compliance plan, or a violation may result. As an example, St. Elizabeth’s Medical Center (“SEMC”) in Brighton, MA recently settled several potential HIPAA violations for $218,400 with the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”). One of the incidents involved SEMC’s use of an unauthorized internet-based document. The size of this settlement highlights the concerns of OCR about misuse by healthcare providers of internet-based document sharing or other applications.

Some steps to protect patient data on the internet include the following:

  1. Review the internet applications your practice uses. Litten says, “Take steps such as encryption to protect the data when it’s shared, transmitted and stored.”
  2. Ask the application’s manufacturer about its security safeguards. “If a manufacturer claims that (its application) is HIPAA protected, ask what that means,” Litten urges.
  3. Investigate all internal and external complaints and concerns. Kline says, “Expect the government to find out about PHI exposed on the Internet from a third party.”
  4. Keep track of the steps you take to identify and fix the problem. “You do better if you have a history that you endeavored to comply with HIPAA,” says Kline.
  5. Provide a mechanism by which employees can report concerns anonymously. Kline suggests, “You need a private place where people feel they’re not being watched.”
  6. Don’t allow staff to use unauthorized public networks. “Don’t open documents in, say, a Starbucks,” warns Litten.

In summary, in order for physicians to protect their practices, they must be certain that they understand HIPAA obligations with respect to privacy and security in the context of internet application usage.

HIPAA has made an unlikely appearance twice already this month in news reports involving famous athletes.

Between the Pierre-Paul medical record tweet by ESPN reporter Adam Schefter earlier this month (discussed by my partner and fellow blogger Bill Maruca here) and the ticker-tape parade featuring confetti made of shredded (but apparently legible) medical information raining down on the U.S. Women’s soccer team in New York City (reported by WFMY news here), it seems HIPAA breaches and athletes have had an uncanny affinity for one another this summer, particularly in New York City.

Setting the attenuated coincidence of these events aside, the Pierre-Paul incident provides an opportunity to review when medical information that relates to one’s employment is protected under HIPAA and when it isn’t.

In 2002, the U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA, considered a comment to a proposed HIPAA regulation suggesting that “health information related to professional athletes should qualify as an employment record,” and, thus, not be considered protected health information under HIPAA.  HHS was quite clear in responding that a professional athlete has the same HIPAA rights as any other individual:

If this comment is suggesting that the records of professional athletes should be deemed “employment records” even when created or maintained by health care providers and health plan, the Department disagrees.  No class of individuals should be singled out for reduced privacy.

HHS refused to provide a definition of “employment record”, fearing that it might “lead to the misconception that certain types of information are never protected health information, and will put the focus incorrectly on the nature of the information rather than the reasons for which” the information was obtained.

HHS went on to explain how and when protected health information might become “employment record” information:

For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee’s authorization, the test results are provided to the … employer and placed in the employee’s employment record.

HHS further clarified that:

… medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by … an employer.

Going back to Pierre-Paul, the mere fact that his injury could affect his ability to perform as a professional athlete did not automatically turn the protected health information related to the injury (the medical record created by the hospital) into “employment records” exempt from HIPAA protection.  It isn’t unless and until protected health information is disclosed to the employer pursuant to the individual’s authorization that it becomes an “employment record” no longer subject to HIPAA.  Even if an individual’s disclosure of medical records is a condition of employment (apparently not the case in Pierre-Paul’s situation), it is the individual’s authorization that allows its disclosure, not the category or class of the individual.

Medicare beneficiaries whose healthcare providers participate in an Accountable Care Organization (ACO) under the Medicare Shared Savings Program (MSSP) may want to add the Centers for Medicare & Medicaid Services (CMS) website, “Medicare & You”, to their lists of favorite internet links if they don’t want their Medicare claims data shared.  Proposed rules published by CMS in the December 8, 2014 Federal Register (the “Proposed Rules”) tweak the data sharing “opt-out” process slightly, but significantly.

Under the current MSSP regulations, a Medicare beneficiary that is a “preliminarily prospective assigned beneficiary” (meaning the beneficiary’s primary care provider participates in the ACO, but the beneficiary has not yet sought primary care services during the ACO performance year) may get a letter from his or her provider’s ACO informing the beneficiary that the ACO “may request [from Medicare] personal health information*  about the beneficiary for purposes of its care coordination and quality improvement work… .”  The beneficiary has 30 days from the date the letter is sent “to decline having his/her claims information shared with the ACO.”

* Interestingly, the regulation references “personal health information”, rather than “protected health information”, the term used by the Office for Civil Rights (which, like CMS, resides in the Department of Health and Human Services) in the HIPAA regulations, but the widely-used PHI acronym works for both, so what the heck? But I digress… .

The current regulation only allows the ACO to request “identifiable claims data” (aka “personal health information” /“claims information”) from this “preliminarily prospective assigned beneficiary” if the beneficiary does not decline the data sharing within 30 days after the ACO letter is sent.

Under the Proposed Rules, Medicare fee-for-service beneficiaries will be “notified about the opportunity to decline claims data sharing through materials such as the CMS Medicare & You Handbook and through the notifications” received at the point of care.  These notifications are deemed “received” by the Medicare beneficiary when posted as signs at the ACO provider’s facility or office (and, in settings in which primary care is provided, when given to the beneficiary in writing upon request).  The beneficiary can still opt-out, but the notice itself will make it clear that data sharing may have already occurred:  “The notifications … must state that the ACO may have requested beneficiary identifiable claims data about the beneficiary for purposes of its care coordination and quality improvement work… .”

Data sharing is a key aspect of any successful ACO and can certainly be achieved in a HIPAA-compliant manner.  Notably, as CMS explains in the preamble to the Proposed Rules, care coordination and quality improvement activities, when performed by an ACO that is a covered entity or, by an ACO that is a business associate, on behalf of a covered entity, qualify as “health care operations” functions or activities under HIPAA.  The elimination of the ACO letters and 30-day opt-out period for “preliminarily prospective assigned beneficiaries” is likely to reduce beneficiary confusion and ACO administrative expense.

As noted in the preamble to the Proposed Rules, only 2% of beneficiaries have historically opted out of ACO claims data sharing, anyway.  Perhaps only 2% of Medicare beneficiaries care about claims data sharing.  If the Proposed Rules are adopted, hopefully the “preliminarily prospective assigned beneficiaries” in the (however small) pool of future opt-outs will find the “Medicare & You” website and the ACO information (currently located on page 138) buried deep within it.

The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year. The most common breach type is “theft” in this ever-lengthening parade on the HHS List of PHI breaches affecting 500 or more individuals (the List Breaches). Previous blog posts in this series, including those discussed here and here, covered the volume of List Breaches that occurred in earlier periods.

It took nearly 3½ years between the inception of the HHS List on March 4, 2010 and August 13, 2013, to reach 646 postings, for an annualized average of approximately 189 postings per twelve-month period. In less than twelve months from August 13, 2013 to July 29, 2014, 239 more marchers have joined the parade on the HHS List.

A total of 430, or almost one-half (48.6%), of the 885 List Breaches reported the breach type to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 73 additional List Breaches that reported the breach type as a “loss” of various types (excluding as a loss item any List Breach that also reported theft as a breach type) are added to the 430 theft events, the total for the two categories swells to approximately 503, or 56.8% of the 885 posted List Breaches. Combining the two categories appears to make some sense, as it is likely that a number of the List Breaches categorized as a “loss” event may have involved some criminal aspects.

Even more significant may be the fact that approximately 272 (30.7%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices (collectively, Portable Devices). Theft or loss of Portable Devices thus constituted 54.1% of the approximately 503 List Breaches that reported theft or loss as the breach type.

As has been emphasized in the past, it may have become more a question of when a covered entity (CE), business associate (BA) or subcontractor (SC) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in Portable Devices that can create, receive, maintain and transmit PHI requires CEs, BAs and SCs to perform adequate risk assessments and establish effective policies and procedures respecting employer-supplied and personally-owned Portable Devices.

Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document?

Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use the next few weeks to make sure your BAA complies with the law and reflects your business deal.


HHS published a bare bones sample BAA when the Omnibus Rule came out, and a number of posts to this blog provide tips that can be used in reviewing and updating your BAA.

But don’t forget that a good BAA supports and is supported by the underlying services contract between the parties, which should be the meat on the bones of the BAA and the brain behind it. A perfectly HIPAA-compliant BAA will crumble into dust if it’s not written to reflect and support the services contract and underlying business deal. Here are two key questions to ask to make sure the business deal and BAA are working in sync:

Question 1: Who are the parties to the BAA?

  • What are the roles of the parties under HIPAA? Check definitions and what is being performed by one party “on behalf of” the other.
  • If the business associate is really a subcontractor (because the covered entity is really a business associate or subcontractor itself), does the BAA (or subcontractor agreement (SA)) recognize and describe the privacy and security obligations imposed by the BAA above it? Has that business associate or subcontractor actually reviewed the BAA or SA above it?
  • If both parties are covered entities, does the BAA clearly describe when the business associate is acting as such, and not as its own covered entity?
  • Will the covered entity ever act as a business associate in relation to the other party?

Question 2: What is the business reason for or purpose of the use and/or disclosure of protected health information (PHI)?

  • What is the reason PHI is being created, received, maintained or transmitted on behalf of the covered entity, business associate or subcontractor?
  • Do the parties have reciprocal obligations to abide by privacy and security standards, such as minimum necessary standards?
  • Will the business associate (or subcontractor) have any claim to own, de-identify, aggregate, modify or keep data derived from the PHI that is the subject of the BAA (for example, will the business associate’s activities with respect to the PHI under the BAA produce other data or data sets not subject to or contemplated by the services contract)?

The bottom line? Before the summer fades (and certainly before September 22nd), make sure your BAA meets the Omnibus Rule requirements, but also make sure it reflects and supports your business deal. The bare bones BAA may not be what you want or need.