A s a covered entity or business associate, you have

Transcription

1 Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. ( ) COMPLIANCE CORNER Business Associates HIPAA Compliance: Should Covered Entities Be Concerned? PAULA M. STANNARD Paula M. Stannard is counsel at Alston & Bird LLP in Washington. She advises clients on regulatory questions that arise from the health-care reform effort and focuses her practice on HIPAA; health information technology, including electronic health record certification and the meaningful use program; and food and drug policy. Stannard is a former deputy general counsel and acting general counsel for the Department of Health and Human Services where she oversaw the food and drug, civil rights and legislation divisions. A s a covered entity or business associate, you have identified the vendors (current or prospective) and other entities which (1) perform the functions or activities that involve the use or disclosure of protected health information (PHI) on your behalf, or (2) provide services to you involving the use of PHI, which make them your business associates (or subcontractor business associates). 1 You have entered (or will enter) into business associate agreements with them. You may believe that, with those business associate agreements, you have met the requirements of the Health Insurance Portability and Accountability Act Pri- 1 For purposes of this article, the term business associates will be used to refer to both the business associates of covered entities and the subcontractors of business associates. COPYRIGHT 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN

2 2 vacy, Security, and Breach Notification Rules (HIPAA Rules) with respect to your business associates (or subcontractors) and that you do not have to worry any further about those entities compliance with the HIPAA Rules. After all, they can now be held directly liable by the Department of Health and Human Services (HHS) for violations of HIPAA. And HHS has made it clear that the HIPAA Rules do not require you as a covered entity (or business associate) to actively monitor the actions of your business associates (or subcontractors) and do not hold you responsible or liable for the actions of your business associates (or subcontractors). 2 You may need to be concerned about your business associate s HIPAA compliance. The HIPAA violations of your business associates can negatively affect you in some circumstances. All of this is be true, but it is not the whole story. You may need to be concerned about your business associate s HIPAA compliance. The HIPAA violations of your business associates can negatively affect you in some circumstances. But different business associates performing different services and handling different types of PHI present different levels of risk for you. In appropriate circumstances, you may want to consider a more proactive approach to the HIPAA compliance of your business associates or potential business associates. This article examines why you may need to be concerned about your business associate s HIPAA compliance. It then explores factors that you may want to consider in determining which, if any, business associate or prospective business associate to engage with on HIPAA compliance. Finally, the article considers several potential cost effective mechanisms by which to engage with appropriate business associates on their HIPAA compliance. How Can Your Business Associate s HIPAA Violations Affect You? It is true that the HIPAA Rules do not expressly require you to actively monitor your business associate s actions or their HIPAA compliance. A business associate s failure to comply with the HIPAA Rules, however, can negatively affect you. First, the business associate agreement (BAA) requires your business associate to, among other things, use appropriate safeguards, and to comply with the HIPAA Security Rule (with respect to electronic protected health information (PHI)), to prevent the use or disclosure of the PHI other than as provided for by your BAA. 3 You are not required to actively monitor your business associate s actions Fed. Reg , (Dec. 28, 2000); 67 Fed. Reg , (Aug. 14, 2002) CFR (e)(2)(ii)(B). But if you know of a pattern of activity or a practice by your business associate that constitutes a material breach or violation of its BAA obligations, and you do not take reasonable steps to cure the breach or end the violation, or, if such steps are unsuccessful, you do not terminate the BAA if feasible, you may have committed a violation of the Privacy Rule. 4 This means that if you have or receive credible evidence of a violation for example, with respect to your business associate s failure to comply with a material provision of the Security Rule you must investigate the situation and act upon what you learn from the investigation. 5 Second, you have an obligation to take certain reasonable steps to safeguard the privacy/confidentiality of PHI of your patients, policyholders, or beneficiaries. Your business associate s HIPAA violation may harm them or compromise the privacy or confidentiality of their PHI, bring you to the attention of the HIPAA enforcement authorities at HHS, and/or damage your reputation. Not every HIPAA violation compromises the security or privacy of PHI, but some do. As you know, you are required to notify the affected individuals, HHS, and, in some instances, the media of breaches of unsecured PHI that compromise its security or privacy, 6 whether that breach occurred as a result of your actions or inactions or those of your business associate. 7 Having to provide notice to your patients, policyholders, or beneficiaries that their PHI has been compromised by a breach 8 even if the breach involved your business associate, not you can negatively affect your relationship with them. It appears, moreover, that breaches involving business associates affect a disproportionate number of individuals. Less than half of the breaches affecting 500 or more individuals, as reported to HHS, involve business associates, 9 but such breaches appear to affect a disproportionate number of individuals. 10 Thus, a breach by your business associate has the 4 45 CFR (e)(1)(ii) & (iii) Fed. Reg. at 82505, With some exceptions, the Breach Notification Rule defines a breach as the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the [PHI] and presumes that any such improper acquisition, access, use or disclosure is a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment that requires consideration of at least four identified factors. 45 CFR CFR , The notice is required to include: a brief description of the breach, when it occurred and the date it was discovered; a description of the types of unsecured PHI involved in the breach; any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what you are doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches; and contact information. 45 CFR (c)(1). 9 As of early 2015, there were approximately 1185 breaches reported in the HHS breach portal; of those breaches, business associates were reported as involved in 273 of the breaches. 10 Approximately 60 percent of the individuals affected by such reported breaches were as a result of breaches involving a business associate. Studies by the Ponemon Institute studies of health care breaches support this conclusion. See, e.g., Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute, December COPYRIGHT 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. HITR ISSN

3 3 potential to be more significant in terms of the number of individuals whose PHI is impacted by a breach. For breaches involving business associates, the listing on the HHS breach portal may include not only the name of the business associate, but also the name of the covered entity whose PHI was breached, so you could be associated with the breach on the HHS wall of shame. 11 HITECH Act 13402(e)(4) CFR (f). The Security Rule contains a similar mitigation requirement, applicable both to you and your business associate, with respect to the harmful effects of security incidents that are known to you or your business associate. 45 CFR (a)(6)(ii). But it is not just your relationship with your current patients, policyholders, or beneficiaries that can be affected by a breach by your business associate. If, according to the covered entity s breach notice to HHS, the breach affects 500 individuals, it is HHS s practice to undertake an investigation of the breach. This could lead to an investigation not only of your business associate s practices, but also of your practices. Furthermore, HHS is required to post information about such breaches on its website, for all to see. 11 For breaches involving business associates, the listing on the HHS breach portal may include not only the name of the business associate, but also the name of the covered entity whose PHI was breached, so you could be associated with the breach on the HHS wall of shame. In addition, if the breach affects more than 500 individuals in a particular State or other jurisdiction, you are required to provide a notice to prominent media outlets in the jurisdiction of the breach, including a brief description of the breach, when it occurred and the date it was discovered. Coupled with the fact that the report of the breach is posted on HHS s website, the resulting media attention can damage your reputation not only with current patients or policyholders, but also with prospective patients or policyholders. Third, you may be required to mitigate the harmful effects of your business associate s HIPAA violations. The Privacy Rule requires that a covered entity mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of [PHI] in violation of its policies and procedures or the requirements of [the Privacy Rule] by the covered entity or its business associate. 12 Thus, for example, if your business associate s failure to implement a reasonable and appropriate safeguard under the Security Rule leads to a violation of a Privacy Rule requirement, you will have the obligation to mitigate any known harmful effects of that failure, if practicable. The HIPAA Breach Notification Rule reinforces this: If your business associate commits a breach of PHI or electronic PHI which constitutes a violation of the Privacy Rule, you are required, among other things, to provide notice to all individuals who are affected by the breach. This notice includes a brief description of what you, as a covered entity, are doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches. 13 Fourth, in some instances, HHS can hold you liable for your business associate s HIPAA violations. HHS has made it clear that if your business associate is acting as your agent (within the scope of the agency), 14 as determined under the federal common law of agency, HHS can hold you liable, and impose civil money penalties (CMPs) upon you, for the HIPAA Rule violations of your business associate. 15 Indeed, HHS recently removed from the HIPAA Enforcement Rule even a limited exception from liability for a covered entity with respect to the acts of its business associate agents. 16 Furthermore, even if a business associate undertakes to perform certain of your obligations under the Privacy Rule and contractually agrees to comply with the Privacy Rule with respect to such obligation, you nevertheless remain directly liable for potential CMPs if your business associate fails to perform the obligation. 17 Which Business Associates, If Any, Should You Engage on HIPAA Compliance? You understand that a business associate s HIPAA compliance can present risks for you. But you are not required to actively monitor their compliance, and it may not make sense for you to do so in all cases. Further, you may have limited resources and it may not be feasible in terms of the time or resources involved for you to engage with some or all of your business associates concerning their HIPAA compliance, especially if the business associate presents low risk with respect to HIPAA compliance. Nevertheless, you may recognize that you should consider addressing such risk by proactively engaging some business associates or prospective business associates on their HIPAA compliance. But which ones? There are a number of factors or issues that you can consider in making a determination as to whether to consider engaging with a current or prospective business associate on their HIPAA compliance, or performing some type of due diligence on its HIPAA compliance. These include (but are not limited to): CFR (c)(1)(D). 14 HHS has noted that the question of agency is a factspecific analysis which takes into account the totality of the circumstances; the essential factor is the right or authority of a covered entity (or business associate) to control the business associate s (or subcontractor s) conduct in the course of performing a service for the covered entity (or business associate). 78 Fed. Reg. 5566, 5581 (Jan. 25, 2013). This agency relationship can exist even if the covered entity (1) does not retain the authority to control every aspect of its business associate s activities; (2) does not exercise such control, but holds the authority to do so; and (3) and business associate are separated by physical distance. Id. at Fed. Reg. at And HHS has rejected the argument that any deviation from the terms in a business associate agreement would put the actions of the business associate outside the scope of agency. Id. at Id Fed. Reg. at HEALTH IT LAW & INDUSTRY REPORT ISSN BNA

4 4 s Do you have a current relationship with the business associate? What has been your experience with it? What has been the experience of others with the business associate? s What is the nature of the business associate s business? s What services is the business associate performing for you? Are they services that only the business associate can perform? Are the services the type of activity/ services that the business associate usually performs? s Is the business associate in an industry or profession in which it is required to maintain the confidentiality of information communicated to it by a client? Or in a regulated industry or profession where the regulator has imposed such requirements? If not, is the business associate in a highly regulated industry in which there is a significant focus or emphasis on regulatory compliance? s What is the business associate s reputation, if any, in its industry or profession? If it is in a highly regulated industry, what is generally known, if anything, about its compliance program? s What type (paper, electronic) and quantity of PHI does/will the business associate handle on your behalf? Is any of the PHI likely to be considered sensitive PHI? s How will PHI (or electronic PHI) be transmitted to or by the business associate? Whether to engage a particular business associate on its HIPAA compliance is a decision that you may want to base on the totality of the facts and circumstances with respect to that business associate. Whether to engage any particular business associate (or prospective business associate) on its HIPAA compliance is a decision that you may want to base on the totality of the facts and circumstances with respect to that business associate. If, for example, the business associate handles a great deal of PHI for you particularly if such PHI includes sensitive PHI and/or the business associate has had privacy or breach issues in the past (especially if it has not adequately addressed such issues), you may want to consider engaging the business associate on its HIPAA compliance. How Can You Engage a Business Associate on HIPAA Compliance? If you decide to engage a business associate or prospective business associate on its HIPAA compliance, you will have to consider how to do so. There is a broad range of approaches that could be employed, and various levels of examination and detail that could be sought, with respect to a business associate s HIPAA compliance. But you may have limited time and resources to conduct any examination or review. And particularly if you are a small- or medium- sized entity, you may have limited internal expertise to evaluate the technical aspects of a vendor s compliance program, especially with respect to information security. Nevertheless, there may be cost effective approaches to engage a business associate or prospective business associate on its HIPAA compliance. These approaches may include: Due diligence. As you interview and conduct diligence on vendors (prospective business associates), include HIPAA compliance as part of your review. Ask about interviewing the personnel responsible for HIPAA compliance. For example, see if you can talk to the vendor s information technology/information security personnel to gain an understanding of the entity s approach to information security generally, and what the entity is doing to meet HIPAA Security Rule s requirements. This could include asking about the information security credentials of the relevant personnel, and/or checking them out via LinkedIn or other online resources, to consider their information security expertise. Review third party validation. In some instances, it may be difficult to determine if the measures that a (prospective) business associate has taken are sufficient for purposes of HIPAA compliance. This is especially the case with the HIPAA Security Rule. The Security Rule establishes certain general requirements, including that the confidentiality, integrity and availability of electronic PHI be ensured, by implementation of administrative, physical and technical safeguards. 18 But the Rule does not dictate particular security measures to be implemented to meet such requirements. Instead, the Rule permits an entity to determine the security measures to implement based on several factors, including the entity s size, complexity, and capabilities and its technical infrastructure, hardware, and software security capabilities. 19 It also contains certain addressable implementation specification which an entity must implement if reasonable and appropriate safeguard in its environment and considering its likely contribution to protecting electronic PHI, and if not, implement an equivalent alternative measure, if reasonable and appropriate. 20 Because of the structure of the Security Rule, it may be difficult for you to assess a vendor s compliance with the Rule especially if you lack technical expertise, or knowledge of the information security measures common in the vendor s industry, to enable you to fully evaluate the vendor s information security program. This is where a third party s assessment, or validation, of the vendor s information security program, and its compliance with the Security Rule, may be helpful. Although not required by the HIPAA Security Rule, a business associate may have retained a third party to audit or assess its information security risks, its implementation of safeguards, and/or its compliance with the Security Rule. Such an audit/assessment may provide an independent analysis of the entity s information security program and its HIPAA Security Rule compliance CFR (a)(1), , , CFR (b) CFR (d)(3) COPYRIGHT 2015 BY THE BUREAU OF NATIONAL AFFAIRS, INC. HITR ISSN

5 5 in the context of its business and technological capabilities. If a (prospective) business associate has obtained such an assessment and is willing to discuss the results of such a third party s audits/assessment, or to share such document (under a nondisclosure agreement), with you, it may permit you to make an informed decision about its HIPAA Security Rule compliance. Review polices and procedures and/or risk assessment and management plan. The HIPAA Security Rule requires business associates to develop, maintain, and/or implement certain written documents, such as HIPAA Security Rule policies and procedures, a security risk analysis/assessment and risk management plan, and a business contingency plan. 21 HHS has emphasized in its guidance documents and in its enforcement actions that an accurate and thorough security risk analysis (and risk management plan) is of key importance for Security Rule compliance. (These documents assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, and identify security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Security Rule requirements.) If your prospective business associate does not have or is unable to provide a third party s assessment of its HIPAA compliance, you may want to consider whether it might be appropriate to discuss, and/or seek to review (under a nondisclosure or confidentiality agreement), key Security Rule documents. Given HHS guidance, you may want to focus on the business associate s risk analysis and risk management plan in such discussions and/or reviews, as a means for CFR ((a)(1),(ii), (a)(7). assessing the entity s overall HIPAA Security Rule compliance. Conclusion As a covered entity or business associate, you are not required to actively monitor the HIPAA compliance of your business associate or subcontractor. However, a compliance failure by such an entity can have a negative impact on you. Thus, you may want to consider proactively engaging on HIPAA compliance with certain business associates, based on the business associate s particular circumstances. Even for a small- or medium-sized covered entity with limited time, resources, and/or technical expertise, there are several approaches to such an inquiry that may provide you with helpful information on the business associate s compliance in a cost effective manner. The time to act is now, before issues with a business associate s HIPAA compliance causes you problems. Consider which, if any, of your business associate or prospective business associates are such that you should engage on their HIPAA compliance. Then, review the vendor s HIPAA compliance, which could involve, depending on the circumstance, interviewing the vendor s information security personnel, obtaining a copy of any third-party validation it has, or reviewing its security risk assessment and management plan (or other policies and procedures). The time and resources you devote to the effort now may be amply rewarded in problems avoided. The opinions expressed in this article are those of the author and do not necessarily reflect the views of the firm or its clients. It is intended to be informational and does not constitute legal advice regarding any specific situation. HEALTH IT LAW & INDUSTRY REPORT ISSN BNA