Am I a Business Associate?
Do I want to be a Business Associate?
What are my obligations?
Today’s eLunch Presenters
Marion Goldberg, Health Care, Washington, D.C., mgoldberg@winston.com
Tom Mills, Health Care, Washington, D.C., tmills@winston.com
Covered Entity
Health Plan
Health Care Clearinghouse
Health Care Provider that engages in electronic
Prior to the HITECH Act
Business Associates were not in the HIPAA statute
HHS invented the Business Associate so that Covered Entities could not wiggle out of HIPAA obligations by contracting out services
Prior to the HITECH Act
Under the HIPAA regulations: a Covered Entity was required to enter into a Business Associate contract with its Business Associates
Business Associate contract = Business Associate Agreement ("BAA")
If the BAA met all regulatory requirements, the Covered Entity did not have liability for acts (or omissions) of its Business Associate
Compliant BAA
HITECH Act - 2009
The HITECH Act brought Business Associates under most HIPAA requirements
New regulations: requirements also apply to subcontractors (Business Associates of Business Associates)
Business Associate – Post HITECH Act
Becomes a Business Associate by definition, not by contract
Liability attaches when it meets the definition of Business Associate
Business Associates
Need to know who your Business Associates are
Need to know if you are a Business Associate
What is a Business Associate?
Provides services for or on behalf of a Covered Entity
Creates, receives, maintains, or transmits protected health information
For a function or activity regulated by the HIPAA Privacy Rule
What is a Business Associate Post HITECH Act?
Provides services to or for a Covered Entity that involve the disclosure of PHI from the Covered Entity or another Business Associate:
legal, actuarial, accounting, consulting, data aggregation, management, administrative
A Health Information Organization, E-prescribing Gateway, or other provider of data transmission services
Provider of a personal health record on behalf of a Covered Entity
What is a Business Associate Post HITECH Act?
claims processing or administration
data analysis, processing, or administration
utilization review
quality assurance
patient safety activities
billing
benefit management
What is a Business Associate Post HITECH Act?
Shredding company
Copier repair company, if the copier retains PHI
Record storage company
Cloud storage company
Bank, other than for check clearing and credit card services
What is a Business Associate Post HITECH Act?
Subcontractor of a Business Associate
Subcontractor of a subcontracted Business Associate, all the way downstream
Who is not a Business Associate?
A health care provider who receives disclosures from a Covered Entity concerning the treatment of the individual
A plan sponsor who receives disclosures from a group health plan (or health insurance issuer or HMO), if the disclosures comply with HIPAA
Who is not a Business Associate?
A government agency that receives PHI to determine eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or that collects PHI for these purposes as permitted by HIPAA
Who is not a Business Associate?
A conduit
Post Office
FedEx
UPS
Local courier service
Bank that provides check clearing
Credit card company
Business Associates
Must have a Business Associate Agreement
Covered Entity gets a BAA with its Business Associates
Business Associates (not Covered Entities) get a BAA with subcontractors, who are now Business Associates (all the way downstream)
Liability for Business Associates
A Covered Entity is liable for the acts (and omissions) of its Business Associate
AND
A Business Associate is liable for the acts (and omissions) of its Business Associate
IF
The Business Associate is an agent of the Covered Entity or contracting Business Associate
Liability for Business Associates
But only liability for the Business Associate with whom you contract, not the downstream Business Associate(s)
Liability for Business Associates
No exception for a compliant BAA, and no exception for lack of knowledge
Liability for Business Associates
So, Covered Entities and Business Associates must
Federal Common Law of Agency
Problem: no Federal common law of agency for HIPAA
Guidance from HHS in the preamble to the January 25, 2013 regulations
Fact specific – taking into account the totality of the circumstances
Business Associates - Agency
Essential factor: whether the Covered Entity has the right to control the Business Associate's conduct in performing the service
Business Associate – Agency - Control
Authority of the Covered Entity to give interim instructions or directions
Whether the Covered Entity can direct how the work is done
Whether the BAA requires the Business Associate to make PHI available based on instructions from the Covered Entity
Doesn't matter if the Covered Entity has actually exercised the right of control
Business Associates – Agency Control
Indication of lack of control if the only avenue for control is to sue for breach of contract or amend the contract
Scope of Agency
Time, place and purpose of the Business Associate's conduct
Whether the Business Associate engaged in a course of conduct subject to the Covered Entity's control
Whether the Business Associate's conduct is commonly done by a Business Associate to accomplish the service performed on behalf of the Covered Entity
Whether or not the Covered Entity reasonably expected the Business Associate would engage in the conduct in question
Business Associates – Agency Control
Skill required – the greater the skill, the less likelihood of control
Example – a small Covered Entity hires a Business Associate to de-identify PHI
Not likely the Covered Entity has the skill to give interim instructions
Business Associate – Agency Control
Nature of Services
No agency relationship likely if the Covered Entity is legally or otherwise prevented from performing the service
A Covered Entity cannot perform the activities of The Joint Commission or other accrediting organization
BUT
If the Covered Entity contracts out or delegates one of its own obligations under HIPAA to a vendor, the vendor is likely an agent (but it depends on the ability to control the vendor's conduct)
Business Associates - Agency
Not likely an agency relationship
Accounting services
Legal services
Business Associates - Agency
Likely an agency relationship
Billing services
Cleaning service
Business Associates - Agency
Scope of Agency
Agent must be acting within the scope of the agency
Agency relationship may exist even if the Covered Entity does not retain the right or authority to control every aspect of the Business Associate's activities
Factors
Time, place and purpose of the agent's conduct
Whether engaged in a course of conduct subject to the Covered Entity's control
Whether the conduct is commonly performed by an agent to accomplish the service
Business Associates - Agency
Can be an agent even if:
The Covered Entity does not retain the right or authority to control every aspect of the Business Associate's activities
The Covered Entity does not exercise the right of control but holds the authority to exercise that right
The Covered Entity and Business Associate are at a distance
Business Associates - Agency
Covered Entity is only liable for conduct of the Business Associate that is within the scope of the agency
But the conduct is within the scope of the agency if it occurs during the performance of the assigned task or incident to the task, regardless of carelessness, a mistake, or the Business Associate's disregard of an instruction
A Covered Entity would be liable for an impermissible disclosure of PHI by a Business Associate even if the disclosure was contrary to clear instructions
Business Associate - Agency
Outside the scope of the agency
If the conduct is solely for the benefit of the Business Associate or a third party
If the course of conduct is not intended to serve any purpose of the Covered Entity
Security Rule Obligations
Ensure the confidentiality, integrity and availability of PHI
Protect against any reasonably anticipated threats or hazards to the security or integrity of PHI
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
Security Rule Obligations
Business Associates must comply with the safeguards for electronic PHI:
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Security Rule Obligations
Business Associate must take into account:
The Business Associate's size, complexity, and capabilities
The Business Associate's technical infrastructure, hardware, and software security capabilities
The costs of security measures
The probability and criticality of potential risks to electronic PHI
Security Rule Obligations
Appoint a Security Official
Security policies and procedures
Conduct a risk analysis
Security Rule Obligations
Employee training
Document compliance
Business Associate Agreement with Business Associate subcontractors
Business Associates – Privacy Rule
Required disclosures
As required by law
To the Secretary of HHS to evaluate compliance by a Covered Entity or Business Associate
To the Covered Entity
To the Individual or the Individual's designee, to respond to a request for access to the individual's PHI or a request for electronic PHI
Business Associate Uses and Disclosures
As permitted by the Business Associate Agreement
Business Associate cannot benefit from uses and disclosures
Business Associates – Privacy Rule
Restrictions on Use or Disclosure
Sale of PHI
Minimum Necessary Standard
Only the minimum necessary to accomplish the task
Applies to uses and disclosures
One exception – treatment
Business Associate must comply with the Covered Entity's minimum necessary standards and the Business Associate Agreement
Be careful of what you provide, you can always
Business Associate Reporting
Must report its own and its subcontractors' breaches to the Covered Entity
Business Associate Agreement Grandfather
If the BAA was in effect prior to January 25, 2013, have until the earlier of a renewal or amendment of the underlying agreement or September 22, 2014
Otherwise, the earlier of renewal or amendment of the underlying agreement or September 23, 2013
Evergreen contract renewal is not deemed a renewal
Business Associate Agreement Grandfather
Just applies to the need to enter into a new agreement
Does not affect the requirement to comply with the
Tiers of Violations – Tier 1
For a violation in which it is established that the Covered Entity or Business Associate did not know and, by exercising reasonable diligence, would not have known that the provision was violated
Penalty $100 - $50,000 per violation
Tiers of Violations
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
Tiers of Violations – Tier 2
Violation in which it is established that the violation was due to reasonable cause and not willful neglect
Penalty $1,000 - $50,000 per violation
Tiers of Violations
Reasonable cause means an act or omission in which a Covered Entity or Business Associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the Covered Entity or Business Associate did not act with willful neglect
Tiers of Violations
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with a HIPAA provision
Tiers of Violations – Tier 3
Violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the Covered Entity or Business Associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred
Penalty $10,000 - $50,000 per violation
Tiers of Violations – Tier 4
For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the Covered Entity or Business Associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred
Penalty at least $50,000 per violation
Annual maximum is $1,500,000 (for all violations of an identical provision in a calendar year)
How to count violations
Varies
Multiple individuals – number of individuals
Occurs over a time period – number of days
If both an impermissible disclosure and a safeguards violation, two separate violations, each times the number of individuals/days
Factors in determining penalty
Nature and extent of the violation (including number of individuals)
Nature and extent of the harm (financial, reputational, physical)
History of prior compliance
Financial condition (both that which may have hindered compliance and regarding the penalty)
OCR has discretion
What is a Breach?
Unauthorized use or disclosure that compromises the security or privacy of the PHI
Breach Notification
Most improper disclosures will have to be reported
Harm standard no longer applies
Breach Notification
If there is an improper use or disclosure, a breach is presumed unless it can be shown that there is a low probability the PHI has been compromised
Burden is on the Covered Entity or Business Associate to show the low probability of compromise
Breach Notification
If the information may relate to multiple covered
Breach Notification Risk Assessment
Factors
Type of information
Amount of information
Who received it
Whether individuals can be identified
How it could be used
Breach Notification Timing
Without unreasonable delay, but not more than 60 days
Timing begins when anyone in the workforce knows or should have known of the breach
If the breach is by a Business Associate, the beginning of the notice period depends on whether the Business Associate is an agent (lots of legalese)
Breach Notification
To each affected Individual
To the Secretary of HHS – if 500 or more individuals are involved (she posts the breach on her web site)
To the media – if more than 500 residents of one State or jurisdiction are involved
Breach Notifications – 500+ Breaches by Type
Theft 51%
Unauthorized Access/Disclosure 20%
Loss 14%
Hacking/IT Incident 7%
Improper Disposal 5%
Unknown 3%
Breach Notification – 500+ Breaches by Location of Breach
Laptop 23%
Paper Records 22%
Desktop Computer 15%
Portable Electronic Device 14%
Network Server 11%
Other 10%
Email 3%