HIPAA Compliance for Business Associates
ISBA Health Law Symposium, October 10, 2017
Presenters: Isaac M. Willett & Doriann H. Cain
Business Associates & HIPAA in 2017
- Increasing focus on business associates and business associate relationships
- Phase II audits include business associates
- OCR settlements re: failure to have BAAs in place
- Major settlements with record fines for security violations
- OCR guidance on topical security issues
What/who is a Business Associate?
Providers of certain covered functions
- Person or organization who, on behalf of a Covered Entity, creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA
- Claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management and re-pricing
What/who is a Business Associate?
Providers of professional services
- Involves disclosure of PHI
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services
Business Associates & the HITECH Act
- Post-HITECH Final Rule expanded the definition of Business Associate
- Now includes Subcontractors of a Business Associate
- Definition applies even without a written contract
- In sum, a Subcontractor is a Business Associate of a Business Associate
OCR Guidance on Cloud Computing
- Makes clear that when a cloud service provider (CSP) creates, receives, maintains or transmits ePHI, it is a business associate
- CSPs are business associates even if PHI is encrypted and the CSP doesn't have the encryption key
- CSPs rarely fall within the conduit exception
  - Conduit exception applies to temporary storage while transmitting PHI
Business Associate Obligations
- Execute and comply with the terms of the BAA with the Covered Entity
  - Must contain certain terms required by HIPAA
- Comply with the Security Rule
  - Appoint a security officer
  - Perform and document a risk assessment
  - Implement required safeguards, including written policies and procedures
  - Train personnel
- Comply with the minimum necessary standard
- Report breaches of unsecured PHI to the covered entity
Business Associate Obligations
Business associates are directly liable under HIPAA for:
- Uses and disclosures in violation of the BAA or the Privacy Rule, including the minimum necessary standard
- Failing to comply with the Security Rule
- Failing to notify the covered entity of a reportable breach
- Failing to disclose PHI to HHS in response to an investigation
- Failing to disclose PHI in response to an individual's request for ePHI
- Failing to execute agreements with subcontractors
- Failing to address a breach by a subcontractor
Enforcement: Government Sanctions
- Past law: Civil Money Penalties ("CMP") limited to $100 per HIPAA violation, with a maximum of $25,000 for all violations of identical nature in a single year
- HITECH (effective 2/17/09): CMPs are now tiered and increase for different levels of HIPAA violations
  - Fines range from $100 to a maximum $1.5 million cap for all violations per year
- The Office for Civil Rights maintains discretion to use corrective action without penalty where the person did not know of the violation
Enforcement: Government Sanctions

Violation Type                  | Amount Per Violation | Identical Violations / Calendar Year
Did not know                    | $100 - $50,000       | $1.5M
Reasonable Cause                | $1,000 - $50,000     | $1.5M
Willful neglect - Corrected     | $10,000 - $50,000    | $1.5M
Willful neglect - Not Corrected | $50,000              | $1.5M
Business Associate Agreements
- BAA required before disclosing PHI or authorizing a business associate to create or receive PHI for the covered entity
- Limits the BA's use of PHI
- Need BAA with subcontractor
  - Match scope of BAA between CE and BA
- Must comply with terms of BAA
  - Breach of contract with covered entity
  - HIPAA penalties imposed by OCR
- Must comply with HIPAA even if no BAA
Business Associate Agreement: Required Terms
- Establish permitted uses
- Allowance for use and disclosure for management or administration
- Implementation of safeguards
- Comply with Security Rule
- Report breaches
- Cooperate in allowing access, amendment or accounting of disclosures of PHI
- Execution of BAAs with Subcontractors
- Termination: destroy/return PHI
Pro Business Associate Terms
- Covered Entity:
  - Not to disclose PHI unless necessary
  - Notify Business Associate of all restrictions
- Right to cure a breach
- Limitation or cap on damages
Business Associate Agreement Negotiation
- Contractor is not a business associate
  - Playing it safe
  - Not clear on definition of business associate
  - Execution of confidentiality agreement
- Some terms may exceed those required
- No assumption of liability unless required
Hot Topics
- Negotiated definitions
- Timing for breach notification
- Indemnity/limitations on liability
- Insurance
- Audit rights
- Right to cure before termination
- Use of the cloud
- Offshoring
- Compliance with other laws
- Security protections
Catholic Health Care Services Settlement
- CHCS provides management and IT services to SNFs
- First ever settlement with a business associate (June 30, 2016)
- CHCS-issued phone stolen from an employee
  - Not encrypted or password protected
  - Contained PHI of over 440 individuals
- $650,000 fine & 2-year corrective action plan
Care New England Health System (September 23, 2016)
- Parent company of Women & Infants Hospital
- Provides information security & technical support for WIH, so it is a business associate
- WIH notified OCR of the loss of unencrypted backup tapes including PHI of 14,000 individuals
- BAA between WIH and CNE was effective March 2005
  - Didn't comply with HIPAA Final Rule
- $400,000 fine and corrective action plan
Advocate Health Care Network (August 4, 2016)
- Three HIPAA breaches involving 4 million individuals
- Failed to conduct accurate and thorough risk assessments
- Lacked adequate security policies and procedures
- Lacked BAAs to protect ePHI
- $5.55 million fine & 2-year corrective action plan
  - Due in part to extent & duration of the non-compliance
Privacy & Security Challenges
Harnessing Health Data
- Electronic format makes analysis easy
- Promote population health
- Improve outcomes
- Better allocate resources
- Predict trends and prevent illness/outbreaks
- Increase sales
Examples
- Optum Labs: joint venture of UnitedHealth and Mayo Clinic
  - Links 5 million Mayo records + 100 million UH claim records
  - Examine outcomes and cost
- CMS Basic Stand Alone Claims Public Use Files (de-identified) and Limited Data Sets (partially de-identified)
Examples
- Professional society data registries (NCDR, American College of Cardiology)
- FDA post-market surveillance registries
- IMS Health: vendor of physician prescribing data
- Business associates of all varieties
Related HIPAA Issues
- Data aggregation
- De-identification and limited data sets
Data Aggregation
- Combining of PHI of one covered entity with that of another
- Can be done only by a business associate
- Must further health care operations of the respective covered entities
- Must be authorized by BAA
Data Aggregation Challenges
- BA wants to aggregate data and CE refuses
- CE wants benefit of data aggregation but says its PHI cannot be used for other CEs
- CE wants to be able to remove its data
- BA wants to use aggregated data for purposes other than health care operations of CEs
De-Identification
- De-identified data is not PHI and can be used and disclosed for any purpose
- De-identification standards are strict:
  - Person with appropriate knowledge applies statistical principles, determines the risk is very small that the information could be used to identify the individual, and documents that (expert determination)
  - 18 specific identifiers removed (safe harbor)
De-Identification Challenges
- BAA does not address de-identification
- CE and BA do not agree on whether/when permitted
- Parties misunderstand the de-identification standard; it is common to think removal of a limited set of direct identifiers is sufficient
- CE and BA do not agree on use of de-identified data
Limited Data Sets
- Partially de-identified data that removes direct identifiers
  - Can retain dates, zip codes
- Must have a data use agreement
- Use only for health care operations of CE, research, public health purposes
LDS Challenges
- BAA does not provide for creation/use of LDS
- BA wants to use LDS for purposes other than those permitted
- Confusion over use of LDS to meet minimum necessary requirements versus use of LDS for public health, research, HCO
- Failure to recognize that an LDS is still PHI
Best Practices
- Think through data aggregation, de-identification, LDS on the front end
- Be sure the underlying agreement/BAA addresses these issues
- Educate clients on the requirements/limitations of each
Security Breaches
- BAs must give notice of breaches of unsecured PHI
  - BA must give notice to CE of a breach
  - Subcontractor BAs must give notice to primary BA
- BAA must address security breaches
Security Breach Challenges
- Requests that BA provide notice directly to individuals rather than CE
  - Works in some cases (TPA of health plan), but not in others
- Unrealistic time frames for breach reporting
- Downstream BAAs that are not as restrictive as the primary BAA
Security Breach Challenges
- Content of notice involving BA
  - Allocation of responsibility, use of name/trademarks
- Managing foreign subcontractors
- Liquidated damages clauses for violations
- State law notification obligations
- Implementation
Contact Information
Isaac M. Willett | isaac.willett@faegrebd.com | 317-569-4640
Doriann H. Cain | doriann.cain@faegrebd.com | 317-569-4837