Our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the April 2017 issue of Medical Practice Compliance Alert entitled “Business associates who farm out work create more risks for your patients’ PHI.” Full text can be found in the April 2017 issue, but a synopsis is below.
In her article Marla cautioned, “Fully one-third of the settlements inked in 2016 with OCR [the Office of Civil Rights of the U.S. Department of Health and Human Services] dealt with breaches involving business associates.” She pointed out that the telecommuting practices of business associates (“BAs”) and their employees with respect to protected health information (“PHI”) create heightened risks for medical practices that are the covered entities (“CEs”) — CEs are ultimately responsible not only for their own HIPAA breaches but for HIPAA breaches of their BAs as well.
Kline observed, “Telecommuting is on the rise and this trend carries over to organizations that provide services to health care providers, such as billing and coding, telehealth providers, IT support and law firms.” Litten commented, “Most business associate agreements (BAAs) merely say that the business associate will protect the information but are not specific about how a business associate will do so, let alone how it will when PHI is off site.”
Litten and Kline added, “OCR’s sample business associate agreement is no different, using general language that the business associate will use ‘appropriate safeguards’ and will ensure that its subcontractors do so too.”
Kline continued, “You have much less control over [these] people, who you don’t even know . . . . Moreover, frequently practices don’t even know that the business associate is allowing staff or subcontractors to take patient PHI off site. This is a collateral issue that can become the fulcrum of the relationship. And one loss can be a disaster.”
Some conclusions that can be drawn from Marla’s article include the following steps a CE should consider taking when dealing with BAs:
- Select BAs with due care and with references where possible.
- Be certain that there is an effective BAA executed and in place with a BA before transmitting any PHI.
- Periodically review and update BAAs to ensure that they address changes in technology such as telecommuting, mobile device expansion and PHI use and maintenance practices.
- Ask questions of BAs to know where they and their employees use and maintain PHI, such as on laptops, personal mobile devices or network servers, and what encryption or other security practices are in place.
- Ask BAs what subcontractors (“SCs”) they may use and where the BAs and SCs are located (consider including a provision in BAAs that requires BAs and their SCs to be legally subject to the jurisdiction of HIPAA, so that HIPAA compliance by the CE and enforcement of the BAA can be more effective).
- Transmit PHI to the BA using appropriate security and privacy procedures, such as encryption.
- To the extent practicable, alert the BA in advance as to when and how transmission of PHI will take place.
- Obtain from each BA a copy of its HIPAA policies and procedures.
- Maintain a readily accessible archive of all BAAs in effect to allow quick access and review when PHI issues arise.
- Have a HIPAA consultant available who can be contacted promptly to assist in addressing BA issues and provide education as to best practices.
- Document all actions taken to reduce risk from sharing PHI with BAs, including the ten items above.
Minimizing risk of PHI breaches by a CE requires exercising appropriate control over selection of, and contracting and ongoing interaction with, a BA. While there can be no assurance that such care will avoid HIPAA breaches for the CE, evidence of such responsible activity can reduce liability and penalties should violations occur.