
Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright © 2015 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

COMPLIANCE CORNER

Business Associates’ HIPAA Compliance: Should Covered Entities Be Concerned?

Paula M. Stannard

As a covered entity or business associate, you have identified the vendors (current or prospective) and other entities which (1) perform the functions or activities that involve the use or disclosure of protected health information (PHI) on your behalf, or (2) provide services to you involving the use of PHI, which make them your business associates (or subcontractor business associates).[1] You have entered (or will enter) into business associate agreements with them.

You may believe that, with those business associate agreements, you have met the requirements of the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules) with respect to your business associates (or subcontractors) and that you do not have to worry any further about those entities’ compliance with the HIPAA Rules.

[1] For purposes of this article, the term “business associates” will be used to refer to both the business associates of covered entities and the subcontractors of business associates.

Paula M. Stannard is counsel at Alston & Bird LLP in Washington. She advises clients on regulatory questions that arise from the health-care reform effort and focuses her practice on HIPAA; health information technology, including electronic health record certification and the meaningful use program; and food and drug policy. Stannard is a former deputy general counsel and acting general counsel for the Department of Health and Human Services where she oversaw the food and drug, civil rights and legislation divisions.

VOL. 7, NO. 19 MAY 11, 2015 Health IT Law & Industry Report

After all, they can now be held directly liable by the Department of Health and Human Services (HHS) for violations of HIPAA.

And HHS has made it clear that the HIPAA Rules do not require you as a covered entity (or business associate) to actively monitor the actions of your business associates (or subcontractors) and do not hold you responsible or liable for the actions of your business associates (or subcontractors).[2]


All of this is true, but it is not the whole story. You may need to be concerned about your business associate’s HIPAA compliance. The HIPAA violations of your business associates can negatively affect you in some circumstances.

But different business associates performing different services and handling different types of PHI present different levels of risk for you. In appropriate circumstances, you may want to consider a more proactive approach to the HIPAA compliance of your business associates or potential business associates.

This article examines why you may need to be concerned about your business associate’s HIPAA compliance. It then explores factors that you may want to consider in determining which, if any, business associate or prospective business associate to engage with on HIPAA compliance.

Finally, the article considers several potential cost-effective mechanisms by which to engage with appropriate business associates on their HIPAA compliance.

How Can Your Business Associate’s HIPAA Violations Affect You?

It is true that the HIPAA Rules do not expressly require you to actively monitor your business associate’s actions or their HIPAA compliance. A business associate’s failure to comply with the HIPAA Rules, however, can negatively affect you.

First, the business associate agreement (BAA) requires your business associate to, among other things, use appropriate safeguards, and to comply with the HIPAA Security Rule (with respect to electronic protected health information (PHI)), to prevent the use or disclosure of the PHI other than as provided for by your BAA.[3] You are not required to actively monitor your business associate’s actions.

But if you know of a pattern of activity or a practice by your business associate that constitutes a material breach or violation of its BAA obligations, and you do not take reasonable steps to cure the breach or end the violation, or, if such steps are unsuccessful, you do not terminate the BAA if feasible, you may have committed a violation of the Privacy Rule.[4] This means that if you have or receive credible evidence of a violation—for example, with respect to your business associate’s failure to comply with a material provision of the Security Rule—you must investigate the situation and act upon what you learn from the investigation.[5]

Second, you have an obligation to take certain reasonable steps to safeguard the privacy/confidentiality of PHI of your patients, policyholders, or beneficiaries.

Your business associate’s HIPAA violation may harm them or compromise the privacy or confidentiality of their PHI, bring you to the attention of the HIPAA enforcement authorities at HHS, and/or damage your reputation.

Not every HIPAA violation compromises the security or privacy of PHI, but some do. As you know, you are required to notify the affected individuals, HHS, and, in some instances, the media of breaches of unsecured PHI that compromise its security or privacy,[6] whether that breach occurred as a result of your actions or inactions or those of your business associate.[7]

Having to provide notice to your patients, policyholders, or beneficiaries that their PHI has been compromised by a breach[8]—even if the breach involved your business associate, not you—can negatively affect your relationship with them. It appears, moreover, that breaches involving business associates affect a disproportionate number of individuals. Less than half of the breaches affecting 500 or more individuals, as reported to HHS, involve business associates,[9] but such breaches appear to affect a disproportionate number of individuals.[10] Thus, a breach by your business associate has the potential to be more significant in terms of the number of individuals whose PHI is impacted by a breach.

[2] 65 Fed. Reg. 82462, 82505 (Dec. 28, 2000); 67 Fed. Reg. 53182, 53252 (Aug. 14, 2002).

[3] 45 CFR § 164.504(e)(2)(ii)(B).

[4] 45 CFR § 164.504(e)(1)(ii) & (iii).

[5] 65 Fed. Reg. at 82505, 82641.

[6] With some exceptions, the Breach Notification Rule defines a “breach” as “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the [PHI]” and presumes that any such improper acquisition, access, use or disclosure is a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment that requires consideration of at least four identified factors. 45 CFR § 164.402.

[7] 45 CFR §§ 164.404, 164.410.

[8] The notice is required to include: a brief description of the breach, when it occurred and the date it was discovered; a description of the types of unsecured PHI involved in the breach; any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what you are doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches; and contact information. 45 CFR § 164.404(c)(1).

[9] As of early 2015, there were approximately 1185 breaches reported in the HHS breach portal; of those breaches, business associates were reported as involved in 273 of the breaches.

[10] Approximately 60 percent of the individuals affected by such reported breaches were as a result of breaches involving a business associate. Studies by the Ponemon Institute of health care breaches support this conclusion. See, e.g., Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute, December 2012.


But it is not just your relationship with your current patients, policyholders, or beneficiaries that can be affected by a breach by your business associate. If, according to the covered entity’s breach notice to HHS, the breach affects 500 individuals, it is HHS’s practice to undertake an investigation of the breach. This could lead to an investigation not only of your business associate’s practices, but also of your practices. Furthermore, HHS is required to post information about such breaches on its website, for all to see.[11] For breaches involving business associates, the listing on the HHS breach portal may include not only the name of the business associate, but also the name of the covered entity whose PHI was breached, so you could be associated with the breach on the HHS “wall of shame.”

In addition, if the breach affects more than 500 individuals in a particular State or other jurisdiction, you are required to provide a notice to prominent media outlets in the jurisdiction of the breach, including a brief description of the breach, when it occurred and the date it was discovered. Coupled with the fact that the report of the breach is posted on HHS’s website, the resulting media attention can damage your reputation not only with current patients or policyholders, but also with prospective patients or policyholders.

Third, you may be required to mitigate the harmful effects of your business associate’s HIPAA violations.

The Privacy Rule requires that a covered entity “mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of [PHI] in violation of its policies and procedures or the requirements of [the Privacy Rule] by the covered entity or its business associate.”[12] Thus, for example, if your business associate’s failure to implement a reasonable and appropriate safeguard under the Security Rule leads to a violation of a Privacy Rule requirement, you will have the obligation to mitigate any known harmful effects of that failure, if practicable.

The HIPAA Breach Notification Rule reinforces this:

If your business associate commits a breach of PHI or electronic PHI which constitutes a violation of the Privacy Rule, you are required, among other things, to provide notice to all individuals who are affected by the breach. This notice includes a brief description of what you, as a covered entity, are doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.[13]

Fourth, in some instances, HHS can hold you liable for your business associate’s HIPAA violations. HHS has made it clear that if your business associate is acting as your agent (within the scope of the agency),[14] as determined under the federal common law of agency, HHS can hold you liable, and impose civil money penalties (CMPs) upon you, for the HIPAA Rule violations of your business associate.[15]

Indeed, HHS recently removed from the HIPAA Enforcement Rule even a limited exception from liability for a covered entity with respect to the acts of its business associate agents.[16] Furthermore, even if a business associate undertakes to perform certain of your obligations under the Privacy Rule and contractually agrees to comply with the Privacy Rule with respect to such obligation, you nevertheless remain directly liable for potential CMPs if your business associate fails to perform the obligation.[17]

Which Business Associates, If Any, Should You Engage on HIPAA Compliance?

You understand that a business associate’s HIPAA compliance can present risks for you. But you are not required to actively monitor their compliance, and it may not make sense for you to do so in all cases. Further, you may have limited resources and it may not be feasible—in terms of the time or resources involved—for you to engage with some or all of your business associates concerning their HIPAA compliance, especially if the business associate presents low risk with respect to HIPAA compliance.

Nevertheless, you may recognize that you should consider addressing such risk by proactively engaging some business associates or prospective business associates on their HIPAA compliance. But which ones?

There are a number of factors or issues that you can consider in making a determination as to whether to consider engaging with a current or prospective business associate on their HIPAA compliance, or performing some type of due diligence on its HIPAA compliance. These include (but are not limited to):

• Do you have a current relationship with the business associate? What has been your experience with it? What has been the experience of others with the business associate?

• What is the nature of the business associate’s business?

• What services is the business associate performing for you? Are they services that only the business associate can perform? Are the services the type of activity/services that the business associate usually performs?

• Is the business associate in an industry or profession in which it is required to maintain the confidentiality of information communicated to it by a client? Or in a regulated industry or profession where the regulator has imposed such requirements? If not, is the business associate in a highly regulated industry in which there is a significant focus or emphasis on regulatory compliance?

• What is the business associate’s reputation, if any, in its industry or profession? If it is in a highly regulated industry, what is generally known, if anything, about its compliance program?

• What type (paper, electronic) and quantity of PHI does/will the business associate handle on your behalf? Is any of the PHI likely to be considered sensitive PHI?

• How will PHI (or electronic PHI) be transmitted to or by the business associate?

[11] HITECH Act § 13402(e)(4).

[12] 45 CFR § 164.530(f). The Security Rule contains a similar mitigation requirement, applicable both to you and your business associate, with respect to the harmful effects of security incidents that are known to you or your business associate. 45 CFR § 164.308(a)(6)(ii).

[13] 45 CFR § 164.404(c)(1)(D).

[14] HHS has noted that the question of agency is a fact-specific analysis which takes into account the totality of the circumstances; the “essential factor” is the right or authority of a covered entity (or business associate) to control the business associate’s (or subcontractor’s) conduct in the course of performing a service for the covered entity (or business associate). 78 Fed. Reg. 5566, 5581 (Jan. 25, 2013). This agency relationship can exist even if the covered entity (1) does not retain the authority to control every aspect of its business associate’s activities; (2) does not exercise such control, but holds the authority to do so; and (3) the covered entity and business associate are separated by physical distance. Id. at 5582.

[15] 78 Fed. Reg. at 5580-81. And HHS has rejected the argument that any deviation from the terms in a business associate agreement would put the actions of the business associate outside the scope of agency. Id. at 5582.

[16] Id.

[17] 78 Fed. Reg. at 5600.


Whether to engage any particular business associate (or prospective business associate) on its HIPAA compliance is a decision that you may want to base on the totality of the facts and circumstances with respect to that business associate. If, for example, the business associate handles a great deal of PHI for you—particularly if such PHI includes sensitive PHI—and/or the business associate has had privacy or breach issues in the past (especially if it has not adequately addressed such issues), you may want to consider engaging the business associate on its HIPAA compliance.

How Can You Engage a Business Associate on HIPAA Compliance?

If you decide to engage a business associate or prospective business associate on its HIPAA compliance, you will have to consider how to do so. There is a broad range of approaches that could be employed, and various levels of examination and detail that could be sought, with respect to a business associate’s HIPAA compliance. But you may have limited time and resources to conduct any examination or review. And particularly if you are a small- or medium-sized entity, you may have limited internal expertise to evaluate the technical aspects of a vendor’s compliance program, especially with respect to information security.

Nevertheless, there may be cost effective approaches to engage a business associate or prospective business associate on its HIPAA compliance. These approaches may include:

Due diligence. As you interview and conduct diligence on vendors (prospective business associates), include HIPAA compliance as part of your review. Ask about interviewing the personnel responsible for HIPAA compliance. For example, see if you can talk to the vendor’s information technology/information security personnel to gain an understanding of the entity’s approach to information security generally, and what the entity is doing to meet the HIPAA Security Rule’s requirements. This could include asking about the information security credentials of the relevant personnel, and/or checking them out via LinkedIn or other online resources, to consider their information security expertise.

Review third party validation. In some instances, it may be difficult to determine if the measures that a (prospective) business associate has taken are sufficient for purposes of HIPAA compliance. This is especially the case with the HIPAA Security Rule.

The Security Rule establishes certain general requirements, including that the confidentiality, integrity and availability of electronic PHI be ensured, by implementation of administrative, physical and technical safeguards.[18]

But the Rule does not dictate particular security measures to be implemented to meet such requirements. Instead, the Rule permits an entity to determine the security measures to implement based on several factors, including the entity’s size, complexity, and capabilities and its technical infrastructure, hardware, and software security capabilities.[19]

It also contains certain “addressable” implementation specifications, which an entity must implement if doing so is a reasonable and appropriate safeguard in its environment, considering its likely contribution to protecting electronic PHI, and, if not, for which it must implement an equivalent alternative measure, if reasonable and appropriate.[20]

Because of the structure of the Security Rule, it may be difficult for you to assess a vendor’s compliance with the Rule—especially if you lack technical expertise, or knowledge of the information security measures common in the vendor’s industry, to enable you to fully evaluate the vendor’s information security program.

This is where a third party’s assessment, or validation, of the vendor’s information security program, and its compliance with the Security Rule, may be helpful.

Although not required by the HIPAA Security Rule, a business associate may have retained a third party to audit or assess its information security risks, its implementation of safeguards, and/or its compliance with the Security Rule. Such an audit/assessment may provide an independent analysis of the entity’s information security program and its HIPAA Security Rule compliance in the context of its business and technological capabilities.

[18] 45 CFR §§ 164.306(a)(1), 164.308, 164.310, 164.312.

[19] 45 CFR § 164.306(b).

[20] 45 CFR § 164.306(d)(3).

If a (prospective) business associate has obtained such an assessment and is willing to discuss the results of such a third party’s audit/assessment, or to share such documents (under a nondisclosure agreement), with you, it may permit you to make an informed decision about its HIPAA Security Rule compliance.

Review policies and procedures and/or risk assessment and management plan. The HIPAA Security Rule requires business associates to develop, maintain, and/or implement certain written documents, such as HIPAA Security Rule policies and procedures, a security risk analysis/assessment and risk management plan, and a business contingency plan.[21]

HHS has emphasized in its guidance documents and in its enforcement actions that an accurate and thorough security risk analysis (and risk management plan) is of key importance for Security Rule compliance.

(These documents assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, and identify security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Security Rule requirements.)

If your prospective business associate does not have—or is unable to provide—a third party’s assessment of its HIPAA compliance, you may want to consider whether it might be appropriate to discuss, and/or seek to review (under a nondisclosure or confidentiality agreement), key Security Rule documents.

Given HHS guidance, you may want to focus on the business associate’s risk analysis and risk management plan in such discussions and/or reviews, as a means for assessing the entity’s overall HIPAA Security Rule compliance.

Conclusion

As a covered entity or business associate, you are not required to actively monitor the HIPAA compliance of your business associate or subcontractor. However, a compliance failure by such an entity can have a negative impact on you.

Thus, you may want to consider proactively engaging on HIPAA compliance with certain business associates, based on the business associate’s particular circumstances. Even for a small- or medium-sized covered entity with limited time, resources, and/or technical expertise, there are several approaches to such an inquiry that may provide you with helpful information on the business associate’s compliance in a cost-effective manner.

The time to act is now, before issues with a business associate’s HIPAA compliance cause you problems.

Consider which, if any, of your business associates or prospective business associates are such that you should engage on their HIPAA compliance. Then, review the vendor’s HIPAA compliance, which could involve, depending on the circumstances, interviewing the vendor’s information security personnel, obtaining a copy of any third-party validation it has, or reviewing its security risk assessment and management plan (or other policies and procedures).

The time and resources you devote to the effort now may be amply rewarded in problems avoided.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of the firm or its clients. It is intended to be informational and does not constitute legal advice regarding any specific situation.

[21] 45 CFR §§ 164.308(a)(1)(ii), (a)(7).
