New Guidance Clarifies BA’s Responsibility to Safeguard PHI
Federal regulators have issued new guidance clarifying when a business associate can be held directly liable for compliance with the HIPAA privacy, security and breach notification rules.
In 2013, as required under the HITECH Act, the Department of Health and Human Services’ Office for Civil Rights issued a final rule – frequently referred to as the HIPAA Omnibus Rule – that, among other things, identified provisions of the HIPAA rules for which business associates are directly liable for compliance.
Because of confusion about the issue, OCR has issued a fact sheet and a compilation of frequently asked questions about the HIPAA compliance requirements for business associates. “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law,” says OCR Director Roger Severino.
OCR’s guidance reiterates that the agency has authority to take HIPAA enforcement action against business associates. For example, the office can take action for BAs’ failure to:
- Meet the broad requirements of the security rule, including the mandate to conduct a comprehensive risk assessment;
- Provide breach notification to a covered entity or another business associate;
- Refrain from impermissible uses and disclosures of PHI;
- Provide HHS with records and compliance reports, cooperate with complaint investigations and compliance reviews, or permit HHS to access information, including PHI pertinent to determining compliance;
- Disclose a copy of electronic PHI to either the covered entity, the individual or the individual’s designee – whichever is specified in the business associate agreement – to satisfy a covered entity’s HIPAA obligations;
- Make reasonable efforts to limit use of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request;
- Provide an accounting of certain PHI disclosures;
- Enter into business associate agreements with subcontractors that create or receive PHI on their behalf;
- Take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
OCR also can take enforcement action if a BA retaliates against any individual for filing a HIPAA complaint, participating in an investigation or other enforcement process or opposing an act or practice that is unlawful under the HIPAA rules.
Business associates have been involved in many of the largest health data breaches, including several large breaches posted to the HHS HIPAA Breach Reporting Tool website so far in 2019.
Commonly called the “wall of shame,” the website lists health data breaches impacting 500 or more individuals.
As of Tuesday, some 39 incidents affecting a total of nearly 1.1 million individuals that have been added to the tally so far in 2019 were reported as incidents involving a business associate, or where a business associate was reported as being “present.” Those incidents represent about 20 percent of all breaches added to the tally so far this year.
“Business associates still struggle with their HIPAA Security Rule obligations, in many of the same ways as do covered entities, including with regard to risk analysis, risk management and encryption, for example,” says privacy attorney Iliana Peters of the law firm Polsinelli. “Business associates struggle with understanding their obligations to flow down the requirements of their business associate agreements with their own vendors that have access to protected health information.”
Covered entities and business associates alike must understand the lifecycle of their data so that appropriate HIPAA-required security safeguards are applied, Peters adds. And business associates should periodically conduct “mini-audits” of their security practices to ensure they are meeting obligations spelled out in their BA agreements, she says.
Even though business associates became directly liable for HIPAA compliance nearly six years ago, confusion about their duties persists.
“Some BAs fail to understand the full scope of their compliance responsibilities,” says Kate Borten, president of privacy and security consultancy The Marblehead Group.
“For example, some tech companies may claim compliance based on implementing security technologies, such as strong encryption. But we know that technology is only a part of a full-blown information security program as required.”
Peters adds: “There may still be some confusion in the regulated community about not only what potential violations for which business associates are directly liable, but also the purposes of ensuring that covered entities and business associates have good business associate agreements in place, given that liability for other potential violations stems from those business associate agreements.”
For example, Peters says that anything that a business associate is not directly liable for under HIPAA – but is nonetheless required by a covered entity – should be addressed in the business associate agreement. “So, not only is understanding the direct liability piece important for business associates, it’s also important for covered entities to make sure their business associate agreements are appropriately comprehensive.”
Privacy attorney Kirk Nahra of the law firm WilmerHale says the guidance from OCR shines a spotlight on BAs’ longstanding HIPAA compliance requirements.
“The only thing that might be considered a little new – although it mainly makes something clear that is already in the rules – is that business associates don’t have a compliance obligation to follow the administrative requirements of the privacy rule,” he notes. “They probably should do a lot of those things anyways – like training and policies and procedures – but they aren’t compliance obligations because they aren’t in a business associate agreement.”
Managing Vendor Risk
Some covered entities have taken steps to raise the bar on their expectations of vendors that handle PHI.
For instance, UPMC, a large healthcare system based in Pittsburgh, along with a half dozen other large healthcare delivery organizations, last year launched the Provider Third Party Risk Management Council. Members of the council are requiring their vendors – including cloud services providers – to become certified in the HITRUST Common Security Framework by summer 2020. That framework cross-references standards, regulations and business requirements, including HIPAA.
“What we’re pushing as a group is that if you want to do business with us … you want to deliver services to us through the cloud, you have to be HITRUST-certified,” says John Houston, UPMC’s vice president of information security and privacy and associate counsel.