OCR

Subscribe to OCR

Our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the April 2017 issue of Medical Practice Compliance Alert entitled “Business associates who farm out work create more risks for your patients’ PHI.” Full text can be found in the April, 2017 issue, but a synopsis is below.

In her article Marla cautioned, “Fully one-third of the settlements inked in 2016 with OCR [the Office of Civil Rights of the U.S. Department of Health and Human Services] dealt with breaches involving business associates.” She pointed out that the telecommuting practices of business associates (“BAs”) and their employees with respect to protected health information (“PHI”) create heightened risks for medical practices that are the covered entities (“CEs”) — CEs are ultimately responsible not only for their own HIPAA breaches but for HIPAA breaches of their BAs as well.

Kline observed, “Telecommuting is on the rise and this trend carries over to organizations that provide services to health care providers, such as billing and coding, telehealth providers, IT support and law firms.” Litten commented, “Most business associate agreements (BAAs) merely say that the business associate will protect the infor­mation but are not specific about how a business associate will do so, let alone how it will when PHI is off site.”

Litten and Kline added, “OCR’s sample business associate agreement is no dif­ferent, using general language that the business associate will use ‘appropriate safeguards’ and will ensure that its subcontractors do so too.”

Kline continued, “You have much less control over [these] people, who you don’t even know . . . . Moreover, frequently practices don’t even know that the business associate is allowing staff or subcontractors to take patient PHI off site. This is a collateral issue that can become the fulcrum of the relationship. And one loss can be a disaster.”

Some conclusions that can be drawn from Marla’s article include the following items which a CE should consider doing  when dealing with BAs:

  1. Select BAs with due care and with references where possible.
  2. Be certain that there is an effective BAA executed and in place with a BA before transmitting any PHI.
  3. Periodically review and update BAAs to ensure that they address changes in technology such as telecommuting, mobile device expansion and PHI use and maintenance practices.
  4. Ask questions of BAs to know where they and their employees use and maintain PHI, such as on laptops, personal mobile devices or network servers, and what encryption or other security practices are in place.
  5. Ask BAs what subcontractors (“SCs”) they may use and where the BAs and SCs are located (consider including a provision in BAAs that requires BAs and their SCs to be legally subject to the jurisdiction of HIPAA, so that HIPAA compliance by the CE and enforcement of the BAA can be more effective).
  6. Transmit PHI to the BA using appropriate security and privacy procedures, such as encryption.
  7. To the extent practicable, alert the BA in advance as to when and how transmission of PHI will take place.
  8. Obtain from each BAA a copy of its HIPAA policies and procedures.
  9. Maintain a readily accessible archive of all BAAs in effect to allow quick access and review when PHI issues arise.
  10. Have a HIPAA consultant available who can be contacted promptly to assist in addressing BA issues and provide education as to best practices.
  11. Document all actions taken to reduce risk from sharing PHI with BAs, including items 1 to 10 above.

Minimizing risk of PHI breaches by a CE requires exercising appropriate control over selection of, and contracting and ongoing interaction with, a BA. While there can be no assurance that such care will avoid HIPAA breaches for the CE, evidence of such responsible activity can reduce liability and penalties should violations occur.

According to the latest HIPAA-related guidance (Guidance) published by the U.S. Department of Health and Human Services (HHS), a cloud service provider (CSP) maintaining a client’s protected health information (PHI) is a business associate even when the CSP can’t access or view the PHI. In other words, even where the PHI is encrypted and the CSP lacks the decryption key, the CSP is a business associate because it maintains the PHI and, therefore, has HIPAA-related obligations with respect to the PHI.

HHS explains:

While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations. Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze the risks to the ePHI or physical safeguards for systems and services that may house the ePHI.”

It makes sense to treat a CSP as a business associate if it holds PHI, even if it cannot view or access that PHI. After all, a business associate is a person or entity that performs a function or service on behalf of a covered entity (or another business associate) that requires it to create, receive, maintain, or transmit PHI.

Still, HHS’s explanation is less than satisfying, perhaps because it rather crudely mixes together very distinct HIPAA obligations:  protecting the confidentiality of PHI, on one hand, and protecting the integrity and availability of PHI, on the other.

Under the HIPAA regulations, a business associate is only required to provide notice to the covered entity following the discovery of a breach of unsecured PHI. “Unsecured” PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS]…” – in other words, PHI that is not encrypted at a level that meets HHS’s standards. The HIPAA regulations also say that a breach excludes a “disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.” Obviously, a disclosure of PHI that cannot be viewed will also not be able to be retained.

HHS contends that encryption “alone cannot adequately safeguard the confidentiality” of the PHI, but, later in the Guidance, concedes that if the PHI is encrypted at a level that meets HHS’s standards, an unauthorized incident would fall within the breach “safe harbor” and would not need to be reported to the CSP’s customer. In such a case, the confidentiality of the PHI would be adequately safeguarded by encryption alone and the CSP arguably would not have an obligation to do anything else under HIPAA to protect the confidentiality of the PHI.  The CSP would have an ongoing obligations, however, to protect the integrity and accessibility of the encrypted PHI under HIPAA. The encryption “blindfold” will simplify the CSP’s obligations under HIPAA.

A CSP is in a tricky position if it holds encrypted PHI for a customer, but does not know that it holds it. The Guidance emphasizes that if a CSP maintains PHI for a customer that is a covered entity or business associate, it must execute a business associate agreement with the customer, and risks enforcement action (such as reported here) by the Office of Civil Rights (OCR) within HHS if it doesn’t have one.

“OCR recognizes that there may, however, be circumstances where a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI.  The HIPAA Rules provide an affirmative defense in cases where a CSP takes action to correct any non-compliance within 30 days … of the time that it knew or should have known of the violation… This affirmative defense does not, however, apply in cases where the CSP was not aware of the violation due to its own willful neglect.”

Two key takeaways from the Guidance for a CSP? If you are blindfolded from viewing the data you maintain or transmit on behalf of a customer, or otherwise do not know whether the data might bring HIPAA obligations along with it, take reasonable steps to find out if the customer is a covered entity or business associate and whether the data includes PHI.  If so, execute a business associate agreement. Then, make sure the blindfold (i.e., encryption level) meets HHS’s standards and do NOT accept or have access to the decryption key.  This way, you can focus your HIPAA compliance efforts on protecting the integrity and accessibility of the data, not on protecting its confidentiality.

Last week, I blogged about a recent U.S. Department of Health and Human Services Office of Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals).   The week before that, my partner and fellow blogger Michael Kline wrote about OCR’s guidance on responding to cybersecurity incidents.  Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium sized business (MSB) can deal with the heightened threat of OCR investigations or lawsuits emanating from a security breach.  Alison’s piece, “Security breaches:  How small businesses can avoid a HIPAA lawsuit”, is must-read for MSBs struggling to understand and prioritize their cybersecurity needs.

Michael and I spoke with Alison about the recent OCR pronouncements, and she pulled several of our comments together to create a list of tips for an SMB to consider to minimize HIPAA security breach headaches. The following 6 tips are excerpted from the full article:

  1. Hire a credible consultant to help you approach the issue, and how you would respond in the event of a breach. [In other words, perform your own security risk assessment, or, if impractical, hire an expert to perform one.]
  2. Document that you have policies and procedures in place to fight cyber crime. “If you didn’t document it, it didn’t happen,” Kline said.
  3. Stay informed of cybersecurity news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
  4. Update your security settings on a regular basis, perhaps every time you add new employees or change systems, or on an annual basis.
  5. Present annually to your company board on where the company is in terms of cybersecurity protection, and where it needs to be to remain as safe as possible in the future.
  6. If you’re an IT consultant working with a healthcare organization, be clear with your client what you need to access and when, Litten said. “A client that has protected health information in its software should carefully delineate who has access to that software,” she added.

The article also quotes Ebba Blitz, CEO of Alertsec, who offers an equally important tip for the SMB dealing with employees’ use of mobile devices that contain or are used to transmit PHI:

You need a good plan for mitigating BYOD,” Blitz said. She further recommends asking employees to document their devices, so businesses can keep track of them and install security tools.

In summary, confronting ever-growing and evolving challenges of cybersecurity for SMBs is dependent upon serious planning, development and implementation of current policies and procedures, documentation of cybersecurity measures taken and entity-wide commitment to the efforts.

What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy task, since the “Wall of Shame” only details breaches affecting the protected health information (PHI) of 500 or more individuals).

Subscribers to the U.S. Department of Health and Human Services Office of Civil Rights (OCR) listserv received an announcement a couple of weeks ago that OCR would begin to “More Widely Investigate Breaches Affecting Fewer than 500 Individuals”. The announcement states that the OCR Regional Offices investigate all reported breaches involving PHI of 500 or more individuals and, “as resources permit”, investigate breaches involving fewer than 500.  Then the announcement warns that Regional Offices will increase efforts “to identify and obtain corrective action to address entity and systemic noncompliance” related to these “under-500” breaches.

Regional Offices will still focus these investigations on the size of the breach (so perhaps an isolated breach affecting only one or two individuals will not raise red flags), but now they will also focus on small breaches that involve the following factors:

*          Theft or improper disposal of unencrypted PHI;

*          Breaches that involve unwanted intrusions to IT systems (for example, by hacking);

*          The amount, nature and sensitivity of the PHI involved; and

*          Instances where numerous breach reports from a particular covered entity or business associate raise similar concerns

If any of these factors are involved in the breach, the reporting entity should not assume that, because the PHI of fewer than 500 individuals was compromised in a single incident, OCR is not going to pay attention. Instead, whenever any of these factors relate to the breach being reported, the covered entity (or business associate involved with the breach) should double or triple its efforts to understand how the breach occurred and to prevent its recurrence.  In other words, don’t wait for the OCR to contact you – promptly take action to address the incident and to try to prevent it from happening again.

So if an employee’s smart phone is stolen and it includes the PHI of a handful of individuals, that’s one thing. But if you don’t have or quickly adopt a mobile device policy following the incident and, worse yet, another employee’s smart phone or laptop is lost or stolen (and contains unencrypted PHI, even if it only contains that of a small handful of individuals), you may be more likely to be prioritized for investigation and face potential monetary penalties, in addition to costly reporting and compliance requirements.

This list of factors really should come as no surprise to covered entities and business associates, given the links included in the announcement to recent, well-publicized OCR settlements of cases involving smaller breaches.  But OCR’s comment near the very end of the announcement, seemingly made almost in passing, is enough to send chills down the spines of HIPAA compliance officers, if not induce full-blown headaches:

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”

In other words, if the hospital across town is regularly reporting hacking incidents involving fewer than 500 individuals, but your hospital only reported one or two such incidents in the past reporting period, your “small breach” may be the next Regional Office target for investigation. It will be the covered entity’s (or business associate’s) problem to figure out what their competitors and colleagues are reporting to OCR by way of the “fewer than 500” notice link.

In a recent Guidance, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have attempted to reverse an impression that its emphasis is more on privacy of protected health information (“PHI”) than on security of PHI. Its July 2016 article draws attention to the need by covered entities and business associates for equal attention to PHI security.

Relative to this OCR initiative, our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August 29, 2016 issue of Environment of Care Leader entitled “OCR: Providers need to assess cybersecurity response.” Full text can be found in the August 29, 2016 issue, but a synopsis is below.

Litten and Kline observed that the Guidance provided less specificity than prior guidance releases in the HIPAA area and seemed to be  more geared to large providers and managed healthcare systems. Nonetheless, Litten observed, “The bar [for PHI security] is higher than what some providers thought, especially if you read this with the [contemporaneous OCR] guidance on ransomware. So you may need [to take more steps] to protect your software.” Kline added, “OCR is going to say that if we tell you to do this and you don’t, tough on you.”

Some of the tips provided by Litten and Kline in the article include the following:

  1. Litten: Protect your electronic patient information if you haven’t done so already, taking into account your particular resources and limitations. “You don’t need a forensic analyst on staff, but you may want the contact information of one in your address book. If you’re not sure how to proceed or even where to start, you may need to hire a consultant to help you.”
  2. Kline: Develop policies and procedures to address cybersecurity. “The fact that you’ve done something constructive and documented that you’ve tried to comply, you’re so much better off [if you get audited by OCR].”
  3. Kline and Litten: Review your cybersecurity response policies, plans and procedures annually.
  4. Litten: Ask your electronic health record and other health IT vendors about the cybersecurity capabilities of their systems. “You want to make use of tools you have or at least know what you don’t have.”
  5. Kline: Understand that OCR considers a cybersecurity incident, not just a breach and not just ransomware, a reportable breach that must be put through the four-part risk analysis to determine whether that presumption can be refuted. “It’s not just [clear] breaches that need a HIPAA risk analysis.”
  6. Kline and Litten: Document all of your plans, policies and pro­cedures your facility has to respond to a cybersecurity incident and what you have done if you have been subject to one.
  7. Litten: Use free or easily available resources when you can. For instance, OCR has tools on its website, such as a sample risk analysis to determine vulnerabilities of electronic patient data. Your local medical societies may also offer tools, webinars and training.
  8. Litten: Make sure that your business associates also have cybersecurity protections in place. “The [G]uidance specifies that business associates as well as covered entities need to have this capability. Because it’s the covered entity that’s ultimately responsible for protecting its patient data and for reporting security breaches, it falls to the entity to ensure that the business associate complies.” So you need to ask business associates what their cybersecurity response plans entail and make sure that they’re adequate, include the fact that they have such a plan in the representa­tions and warranties of your business associate agreement, require swift reporting to you of any cybersecurity incidents suffered by a business associate and make sure that business associates limit access to your patients’ data. “You don’t want seepage of patient protected health information.”

In light of the clear concerns of OCR that covered entities and business associates, both large and small, pay sufficient attention to security of PHI, current compliance efforts should evidence relevant concrete policies and procedures that cover not only privacy but also security. Documentation of such efforts should specifically address current issues such as ransomware and risk analysis to demonstrate that the covered entity or business associate is staying current on areas deemed to be of high risk by OCR.

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:

Requirements Selected for Desk Audit Review
Privacy Rule
Notice of Privacy Practices & Content Requirements  [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule
Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule
Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance:  Individuals’ Right under HIPAA to Access their Health Information | HHS.gov

The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.

If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.

If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request.  A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.

The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)

As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols to be sure employees aren’t requiring a patient  (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.

Jessica Forbes Olson and T.J. Lang write:

In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

A HIPAA compliance checklist for health care providers and insurers follows:

  • Determine whether for HIPAA purposes you are a hybrid entity, an affiliated covered entity or part of an organized health care arrangement. Document that status.
  • Appoint a HIPAA privacy official.
  • Appoint a HIPAA security official.
  • Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of patient or participant rights.
  • Determine where PHI is located, whether hard copy, electronic, or spoken.
  • Determine the reasons why PHI is used or disclosed (e.g., treatment, payment, health care operations, public health reasons, public policy reasons, to government agencies or officials).
  • Determine which departments and workforce members have access to PHI, why they have such access and the level of access needed.
  • Identify and document the routine requests, uses and disclosures of PHI and the minimum necessary for those requests, uses and disclosures.
  • Identify all business associates: vendors that create, maintain, use or disclose PHI when performing services for your entity.
  • Have executed business associate agreements with all business associates.
  • Have and follow written HIPAA privacy, security and breach notification policies and procedures.
  • Train all workforce members who have access to PHI on the policies and procedures and document the training.
  • Have and use a HIPAA-compliant authorization form.
  • Have and follow process for verifying the status of personal representatives.
  • Distribute a notice of privacy practices and providers must attempt to obtain acknowledgment of receipt of notice from patients and post one in each facility where patients can view it.
  • Establish and document reasonable administrative, technical and physical safeguards for all PHI, including hard copy and spoken PHI.
  • Conduct and document a HIPAA security risk analysis for all electronic PHI (e.g., PHI on desktops, laptops, mobile phones, iPads and other electronic notebooks, copy machines, printers, discs and thumb drives).
  • Address risks to ePHI that are identified in the HIPAA security risk analysis.
  • Update your HIPAA security risk analysis periodically or when there is a material change in your environment that does or could impact PHI or if there are changes in the law impacting PHI.
  • Encrypt PHI to fall within the breach safe harbor.
  • Have written disaster recovery and contingency plans.
  • Prepare for and respond to security incidents and breaches.
  • Comply with HIPAA standard transactions and code set rules related to electronic billing and payment.
  • Although it will not be covered by the audits, comply with more stringent state privacy and security laws (e.g., document retention; patient consent; breach reporting).
  • Maintain HIPAA compliance documentation in written or electronic form for at least 6 years from the date the document was created or last in effect.

For more information about OCR audits or assistance in conducting a HIPAA compliance review, please contact any member of the Fox Rothschild Health Law practice group.

Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

Jessica Forbes Olson and T.J. Lang write:

HIPAA and Health Records
Copyright: zimmytws / 123RF Stock Photo

On March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits during 2016. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

The round two audits will occur in three phases: desk audits of covered entities, desk audits of business associates, and finally, follow-up onsite reviews. It is reported OCR will conduct about 200 total audits; the majority of which will be desk audits.

OCR has already begun the process of identifying the audit pool by contacting covered entities and business associates via email.  Health care providers,   insurers and their business associates should be on the lookout for automated emails from OCR which are being sent to confirm contact information. A response to the OCR email is required within 14 days. OCR instructed covered entities and business associates to check their spam or junk email folders to verify that emails from OCR are not erroneously identified as spam.

After the initial email, OCR will send a pre-audit questionnaire to entities it may choose to audit. Receiving a pre-audit questionnaire does not guarantee your entity will be audited. The purpose of the questionnaire is to gather information about entities and their operations, e.g., number of employees, level of revenue, etc. The questionnaire will also require covered entities to identify all of their business associates. Health care providers and insurers who have not inventoried business associates should do so now.

Entities who fail to respond to the initial OCR email or questionnaire will still be eligible for audit. OCR will use publicly available information for unresponsive entities to create its audit pool.

OCR will then, in the “coming months,” randomly select entities to audit and notify them via email that they have been selected for audit.

Health care providers, health insurers and business associates should check their HIPAA compliance status before they are contacted by OCR. Once selected for an audit, entities will only have 10 business days to provide the requested information to OCR.

Recent OCR enforcement activity has shown that noncompliance with HIPAA can be costly:

  • A Minnesota-based hospital entered into a $1.55 million settlement for failure to implement one business associate agreement and failure to conduct a HIPAA security risk analysis;
  • A teaching hospital of a university in Washington entered into a $750,000 settlement for failure to conduct an enterprise-wide HIPAA security risk analysis;
  • An insurance holding company based in Puerto Rico entered into a $3.5 million settlement for failure to implement a business associate agreement, conduct a HIPAA security risk analysis, implement security safeguards and for an improper disclosure of protected health information (“PHI”);
  • A radiation oncology physician practice in Indiana entered into a $750,000 settlement for failure to conduct a HIPAA security risk analysis and implement security policies and procedures.

If you receive any communications from OCR, please contact a member of the Fox Rothschild Health Law practice group immediately. A proactive review of your HIPAA compliance status can identify potential gaps and minimize the risk of potential penalties.

In Part 2, we’ll provide a HIPAA compliance checklist for healthcare providers and insurers. Stay tuned!

Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

“Maybe” is the take-away from recent guidance posted on OCR’s mHealth Developer Portal, making me wonder whether the typical health app user will know when her health information is or is not subject to HIPAA protection.

The guidance is clear and straightforward and contains no real surprises to those of us familiar with HIPAA, but it highlights the reality that HIPAA, originally enacted close to 20 years ago, often becomes murky in the context of today’s constantly developing technology. Here’s an excerpt from the guidance that illustrates this point:

Consumer downloads to her smart phone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records. The app also contains the plan’s wellness tools for members, so they can track their progress in improving their health.  Health plan analyzes health information and data about app usage to understand the effectiveness of its health and wellness offerings.  App developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers.

Is the app developer a business associate under HIPAA, such that the app user’s information is subject to HIPAA protection?

Yes, with respect to the app offered by the health plan, and no, when offering the direct-to-consumer app. Developer is a business associate of the health plan, because it is creating, receiving, maintaining, or transmitting protected health information (PHI) on behalf of a covered entity.  Developer must comply with applicable HIPAA Rules requirements with respect to the PHI involved in its work on behalf of the health plan.  But its “direct-to-consumer” product is not provided on behalf of a covered entity or other business associate, and developer activities with respect to that product are not subject to the HIPAA Rules.  Therefore, as long as the developer keeps the health information attached to these two versions of the app separate, so that information from the direct-to-consumer version is not part of the product offering to the covered entity health plan, the developer does not need to apply HIPAA protections to the consumer information obtained through the “direct-to-consumer” app.

So if I download this app because my health plan offers it, my PHI should be HIPAA-protected, but what if I inadvertently download the “direct-to-consumer” version? Will it look different or warn me that my information is not protected by HIPAA?  Will the app developer have different security controls for the health plan-purchased app versus the direct-to-consumer app?

HIPAA only applies to (and protects) individually identifiable health information created, received, maintained or transmitted by a covered entity or business associate, so perhaps health app users should be given a “Notice of Non-(HIPAA) Privacy Practices” before inputting health information into an app that exists outside the realm of HIPAA protection.

Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a workforce member of a business associate’s (BA’s) locked vehicle, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that, North Memorial began providing Accretive with access to its PHI on March 21, 2011, and the parties did not enter into a business associate agreement until October 14, 2011

In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.

In a press release, OCR director Jocelyn Samuel said:

“Two major cornerstones of the HIPAA Rules were overlooked by this entity.  Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Accretive Health, Inc. may be a familiar name to readers of this blog.  In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care.  This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota.  The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health  Services.  One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.

The lessons for covered entities from this continuing saga are clear:

  • Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media.  (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed  — it can be easily exploited by thieves and dumpster-divers).
  • Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
  • Know your BAs and control what they do with your data.  Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
  • Do not take your HIPAA obligations lightly.  North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.