Are Your Vendors Violating HIPAA? Why Internal HIPAA Compliance May Not Be Enough

We have recently assisted several healthcare provider clients that have discovered that their business associates had allowed protected health information of the provider's patients to be improperly disclosed in violation of the Health Insurance Portability and Accountability Act of 1996. Specifically, the providers entrusted their patients' PHI to a business associate, and the business associate did not appropriately protect it. In at least one case, the provider was forced to conclude that a PHI breach had occurred and was required to report the breach to affected individuals and HHS.


These providers were not bad actors. They had taken protective measures that most providers would consider appropriate to protect their patients' PHI (i.e., they had entered into business associate agreements with companies that they believed were worthy custodians of the PHI). Unfortunately, these trusted business associates violated their contractual and statutory duties and in doing so, among other things, jeopardized the confidentiality of patient information and the reputation of the provider.

What is a breach?

HHS defines "breach" as the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. There is a presumption that a breach has occurred unless, through the analysis of a series of four factors, it is determined that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. Upon discovery of an unpermitted use or disclosure of PHI, a determination must be made by the covered entity or business associate, as applicable, as to whether or not a breach has occurred. This determination must be documented, and if a breach has occurred, necessary notifications must be made.

The Health Information Technology for Economic and Clinical Health Act requires notice to affected individuals, HHS and, in certain circumstances, the media following a breach of unsecured PHI.

Is a business associate agreement sufficient protection?

A covered entity is required to enter into a contract or other written arrangement with each of its business associates that meets specific requirements under HIPAA (set forth at 45 CFR 164.504(e)). According to HHS, covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Additionally, HHS has stated that a covered entity is not liable for the actions of its business associates unless otherwise specified by the parties in their contract. However, upon a determination by a covered entity that its business associate has violated a material term of the business associate agreement, the covered entity is required to take "reasonable steps" to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate.

Even though it is not required under HIPAA, a covered entity may want to take further protective measures against conduct of its business associates that could result in a breach. A breach of patient PHI can be devastating to both the finances and the reputation of a provider. Not only must all affected patients be informed of the breach, but HHS is also notified and may elect to investigate, and in the case of a breach involving 500 or more individuals, notification must also be provided to a prominent media outlet. In addition, a breach of PHI can shatter the trust of patients, which in a competitive environment can be damaging to business. Further, business associates may have less concern with the privacy and security of a covered entity’s PHI than the covered entity because the business associate is further removed from patients and covered entity’s business interests.

How can a covered entity further protect itself?

Following are potential strategies to protect against a breach caused by a business associate:

1. Precontract diligence. Before agreeing to share PHI with a business associate, a covered entity can perform diligence on the business associate. We often see business associates that have taken no steps toward HIPAA compliance (i.e., no privacy policies and procedures, no employee training, etc). A diligence process could be as simple as asking the potential business associate targeted questions regarding its privacy and security practices or as complex as fully inspecting the potential business associate's policies and procedures and seeking references from other clients. In general, a few pointed questions to key leadership quickly reveal the extent to which a company is able to comply with HIPAA. Additionally, the covered entity can require a third-party review of the business associate's compliance with HIPAA.

2. Audit rights. The covered entity can insist that the business associate agreement include the right for the covered entity to audit the business associate's compliance with HIPAA. We see many agreements that include this right. However, in reality, a covered entity is likely not in the best place to audit a business associate for HIPAA compliance. If audit rights are desired, the business associate agreement should include the right for the covered entity to delegate this audit right to a third party. Alternatively, a covered entity could require the business associate to have an audit performed by a third party and provide the results to the covered entity. This would allow the covered entity to shift the costs of the audit onto the business associate. Audits are useful both when initially entering into an arrangement with a business associate and as a way to ensure ongoing compliance. For example, the business associate agreement could require the business associate to obtain an annual or biannual HIPAA compliance audit and provide the results of such audits to the covered entity.

3. Require consent for downstream subcontractors. Ideally, a business associate agreement will include the right for a covered entity to approve, at its sole discretion, any downstream subcontractor that will create, receive, maintain or transmit any PHI of the covered entity. Where the business associate has many covered entity clients, such as in the case of an electronic medical records vendor, it is unlikely that the business associate will agree to this, especially where the vendor regularly uses subcontractors to perform crucial functions. As an alternative, the covered entity could require advanced notice and the ability to terminate the agreement with the business associate without penalty if the covered entity disagrees with the use of a particular subcontractor, or the covered entity could require assurances from the business associate that the subcontractor has been vetted for HIPAA compliance purposes. We have seen instances where a business associate, unknown to the covered entity, delegates certain functions to one or more subcontractors where the subcontractor subsequently causes an unpermitted disclosure of the covered entity's PHI. The covered entity should also include in the business associate agreement the requirement that the business associate notify the covered entity of any unauthorized use or disclosure of PHI by a subcontractor and that any subcontractor agreement require reporting directly to the covered entity.

4. Indemnification; Insurance. The business associate should be prepared to indemnify a covered entity for any losses or damages to the covered entity or its patients resulting from a breach of the business associate agreement by the business associate or any of its agents or subcontractors. The broader the indemnification, the better. Additionally, we have seen covered entities require a business associate to arrange for insurance related to a violation of HIPAA and include the covered entity as a beneficiary. The insurance obligation is one that most business associates push hard to negotiate out of agreements, especially where they have already agreed to indemnification.

5. Covenant to encrypt PHI. The covered entity could require the business associate to ensure that any PHI it creates, receives, maintains or transmits on behalf of the covered entity is encrypted at rest and in motion. While not expressly required under HIPAA, both internal and external IT systems that will be creating, receiving, maintaining or transmitting PHI should be encrypted in accordance with HHS guidance. By encrypting PHI, covered entities and business associates fall within the so-called “encryption safe harbor.” This means that an unauthorized disclosure will not be considered a breach and therefore will not trigger the HITECH Act breach notification requirements if the disclosed PHI is encrypted in accordance with HHS guidance.

6. Return or destruction of PHI. In the event the relationship between the covered entity and business associate is terminated, the business associate should be required to return to the covered entity or destroy all copies (both hard copies and electronic copies) of PHI it created, received, maintained or transmitted on behalf of the covered entity. To ensure PHI or any media on which PHI is stored is properly destroyed or cleared, the covered entity could require the business associate to provide a certification of destruction or, alternatively, could require the business associate to provide a detailed account of the destruction process. HHS has provided guidance related to the destruction of media on which PHI is stored.

Several factors should be considered when selecting business associates and negotiating for the measures discussed above, including the contract value and the leverage of the respective parties. In addition, what the business associate will be doing with the PHI and the frequency that the business associate will access the PHI is also relevant. For example, a business associate that is an EMR vendor may be tasked with storing a high volume of PHI that will involve frequent access and transmission of such PHI, and thus, more of the measures discussed above may be appropriate as compared to a help desk that does not store or transmit PHI.

More Articles on Protecting PHI:

HIPAA Compliance: What Providers Should Know About HITECH Act Mandatory Audits
Stark Law, False Claims and HIPAA: Key Risk Areas for Hospitals

© Copyright ASC COMMUNICATIONS 2018. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months