Written by Stephen Bentfield
In the two-plus years since the enactment of the HITECH Act, the health care industry has seen a dramatic shift in federal and state HIPAA enforcement posture. Just within the last month, HHS announced a $4.3 million civil fine imposed on Cignet Health for failing to provide patients with copies of their medical records and then refusing to cooperate with HHS in its subsequent investigation, and a $1 million settlement with Massachusetts General Hospital that resulted from a privacy breach that occurred when an employee lost patient records on a subway train.
These are just the latest signals.
Starting next month, the Office of Civil Rights (“OCR”) is holding a series of two-day courses across the country to train state attorneys general on HIPAA enforcement and investigative techniques. Add to that the HITECH Act’s requirement for stepped-up audits of covered entities and business associates to ensure compliance with the HIPAA Privacy and Security Rules and the picture becomes clear: the days of relaxed HIPAA enforcement are over.
Given this new enforcement environment, HIPAA covered entities (and business associates, for that matter) should consider undertaking a comprehensive internal inventory and audit of their contractual arrangements with service providers and vendors to ensure these arrangements are HIPAA and HITECH Act compliant. But surely security breaches and compliance audits happen to other people.
Why should your organization expend the time, money, and resources to conduct a top-to-bottom review?
Find out why and how after the jump.
First, it’s the law.
With some exceptions, covered entities cannot disclose protected health information (“PHI”) to business associates that perform certain functions or provide designated services absent a business associate agreement. Maintaining a centralized inventory of your business associate agreements has several benefits. It will help you confirm that required business associate agreements are in place, and identify those contractors with whom you should execute a business associate agreement or amend an existing agreement. The inventory also will help identify those arrangements where a business associate agreement is not necessary or appropriate but where some other arrangement (e.g., data sharing agreement) should be employed. Maintaining a copy of all your business associate agreements in a single location can also help you to avoid scrambling to find a copy of the business associate agreement if and when the unthinkable occurs and a business associate experiences a security incident or breach.
Second, actively managing and monitoring your business associate relationships projects an image of compliance for your organization, and can help minimize your risk exposure.
For example, a business associate agreement is an excellent means to equitably allocate the risk associated with a breach involving PHI. Absent specific contract terms, the covered entity is saddled with the potentially immense cost of investigating and responding to a beach that may have been caused by a business associate or the business associate’s subcontractor. In addition to designating the deadline by which your business associate must notify you of an actual or suspected security incident or breach, you can use the business associate agreement to designate which party is primarily responsible for investigating the incident and, if necessary, notifying affected individuals. You can also include an indemnification provision requiring the business associate to compensate you for any costs or damages incurred that are attributable to the business associate’s HIPAA violation.
Finally, and perhaps most importantly, you can expect more aggressive HIPAA enforcement by OCR and state attorneys general.
Prior to the HITECH Act, HIPAA’s civil monetary penalties (“CMP”) were capped at $25,000 per violation, and were considered a slap on the wrist. Covered entities now face escalating CMPs of up to $1.5 million per calendar year depending on the nature and extent of the resulting harm, which provides a far greater return on investment for federal and state regulators to pursue violators. OCR’s recent civil fine against Cignet Health and its settlement with Mass. General only reinforce this point. And although roughly two-thirds of the fine imposed on Cignet Health was punitive and resulted from that company’s arguably egregious conduct in impeding HHS’s investigation, the Mass. General settlement, which stems from an employee leaving documents containing PHI on a subway train, is particularly notable because that type of breach could happen to any organization.
So what can an organization do to better manage its business associate arrangements? Here are several steps that may help your organization undertake this process.
- The first step is to conduct an audit of your current business associate agreements. This process involves compiling and maintaining a central inventory of all business associate agreements. The inventory should include a tracking protocol that lists, among other things, the effective date of the agreement, the type of data disclosed, whether the agreement has been amended to address HITECH Act requirements, and corresponding notification deadlines in the event of a security incident or breach.
- The next step is to identify other contracting partners with which you exchange data, and in particular, whether the data consist of PHI. Once compiled, you can cross-check this list against your business associate inventory to identify any contractors that may require a business associate agreement. I use a relatively straight-forward tool to analyze and identify those arrangements requiring a business associate agreement. The tool – a matrix – lists the contractor name along the left side, and across the top lists, among other things, the type of service(s) or function(s) performed, the reason(s) for the disclosure of PHI, the format of the PHI disclosed, and whether certain exceptions apply.
- Finally, amend your existing business associate agreements and revise template agreements to comply with HITECH Act requirements. As discussed above, the business associate agreement should clearly delineate each party’s rights and responsibilities in the event of a breach, and not just a reporting deadline. Also include indemnification for costs and damages incurred where a security incident or breach is the business associate’s fault (or the fault of its agent or subcontractor). The agreement also should include representations and warranties from the business associate acknowledging new direct responsibilities under HIPAA as a result of HITECH Act.
These are just a few observations and recommendations in light of stepped-up HIPAA enforcement. Covered entities and business associates should take additional proactive steps to ensure that they are prepared if and when the unthinkable (dare to say inevitable?) occurs. These include reviewing and updating current HIPAA policies and practices, providing ongoing workforce HIPAA training, monitoring overall HIPAA compliance, and tracking the latest developments with HIPAA regulations and federal and state enforcement activities.