© 2018 Nussbaum-Hindmand 1
Managing HIPAA Business Associate
Relationships
Security, Privacy and Compliance
24 April 2018| Chicago Technology For Value-Based Healthcare Meetup
24 April 2018|©Nussbaum-Hindmand|2Managing HIPAA Business Associate Relationships
➣HIPAA Basics
➣Business Associate (BA) Relationship
➣Uncertainties and Disagreements About the BA Relationship
➣BA Breaches
➣Key Security Safeguards
➣Supervising the BA
➣Wrap Up
Topics
➣This presentation and any discussion
◆Are for educational and informational purposes only, and should not be construed as legal
advice or as an offer to perform legal services on any subject matter.
◆Contains general information and may not reflect current legal developments or information. The
information is not guaranteed to be correct, complete or current. The presenters and sponsors
make no warranty, expressed or implied, about the accuracy or reliability of the information
provided.
➣Individuals and entities should consult a qualified attorney prior to acting or refraining from action.
➣ Nothing herein is intended to create an attorney-client relationship and shall not be construed as
legal advice. Viewing this material or participating in this webinar does not create an attorney-client
relationship.
➣The information provided is intended to be an overview and relevant details may not be covered.
➣By accessing this information, you acknowledge receipt, understanding, and consent to this
disclaimer.
Disclaimer
HIPAA Basics
➣Protected Health Information (PHI) – individually identifiable health information that:
◆is created or received by a covered entity or employer; and
◆relates to the physical or mental health or condition of an individual, the provision of
health care to an individual, or payment for health care
◆Not limited to treatment information
➣Electronic Protected Health Information (ePHI) – PHI transmitted or maintained in
electronic media
HIPAA Background – Key Terms
➣Covered Entity (CE)
◆Health care provider transmitting health information electronically
◆Health plan
◆Health care clearinghouse (e.g., medical billing company)
➣Business Associate (BA) – Person or entity that performs services for or on behalf of a
Covered Entity involving PHI or on behalf of another BA that is working on behalf of a CE
➣Business Associate Agreement (BAA) – written contract b/w BA and CE governing BA’s
use and obligations re PHI
HIPAA Background – Key Terms
HIPAA Rules provide a floor of protection
➣Other federal and state laws may also apply
➣42 C.F.R. Part 2 – substance abuse disorder
➣State law - HIPAA preemption exceptions (45 C.F.R. § 160.203)
◆Not contrary
◆Greater protections or rights for individuals
◆State law public health or health plan reporting
◆HHS Secretary determinations
➣Genetic Information Non-Disclosure Act (GINA)
➣International
◆General Data Protection Regulation (GDPR)
HIPAA Background – Other Laws + Regulations
➣Business associate agreement (BAA) w/client (covered entity or upstream BA) and subcontractors
➣Security Rule
➣Breach Notification
➣Privacy:
◆Use and disclosure of PHI only as allowed in BAA
◆Minimum necessary
◆Accounting of disclosures
◆No sale of PHI
◆Marketing restrictions
◆Allow individuals & HHS access
HIPAA Background – BA Obligations
➣Requires covered entities and business associates to implement reasonable and appropriate
administrative, physical and technical safeguards
➣Applies to ePHI
➣Required v. addressable safeguards
➣Administrative safeguards – risk analysis, risk management, regular review of system activity,
security incident procedures, security officer, workforce sanction policy, workforce security, training,
contingency plan
➣Physical safeguards – facility access controls, workstation use and security, device and media
controls
➣Technical safeguards – access control, audit controls, integrity, user authentication, transmission
security
HIPAA Background – Security Rule
Business Associate (BA)
Relationship
➣Business Associate:
◆Creates, receives, maintains or transmits PHI
▹ on behalf of a covered entity (directly, or indirectly as subcontractor of a BA);
▹ for claims processing or administration, data analysis, processing or administration, utilization review,
quality assurance, patient safety activities, billing, benefit management, practice management, or repricing;
or
◆Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative,
accreditation, or financial services to or for a covered entity, if the service involves PHI
Who is a BA?
➣Typically a business associate (if access to PHI):
◆Cloud vendors
◆Medical transcription
◆Answering service
◆Document storage or disposal
◆Patient safety or accreditation
◆Medical billing
◆Utilization review and management companies
◆Health information exchanges (HIEs), e-prescribing gateways, health information organizations
(HIOs)
◆Third party administrators and pharmacy benefit managers
◆Data conversion, de-identification and data analysis
Who is a BA?
Typically not a business associate:
➣Workforce of the covered entity
➣Health care provider (re disclosure for treatment)
➣Plan sponsor (re disclosures from its group health plan)
➣Bank (when merely payment processing activities)
➣Janitorial service
➣Maintenance and repair personnel (if no PHI access)
➣Conduits (e.g., U.S. Postal Service and its electronic equivalents)
Who is a BA?
Subcontractor business associate
• Delegated function, activity or service from BA to subcontractor
• Access to PHI
Who is a BA?
Who is a Business Associate? (cont’d)
Chain of Business Associate Relationships
[Diagram: Covered Entity → (BAA) → Bus Assoc A → (BAA) → Subcontractor B → (BAA) → Subcontractor C → (BAA) → Subcontractor D → …]
Who is a BA?
BAA requirements:
➣Permitted and required uses and disclosures of PHI
➣Allow the covered entity to terminate for breach
➣No use or disclosure except per BAA
➣Safeguards - improper use or disclosure
➣Comply with the Security Rule
➣Enter into BAAs with downstream subcontractors at least as stringent as the upstream BAA
➣Report breaches, security incidents and improper uses or disclosures of PHI
➣Make PHI available for covered entity to respond to requests from individuals
➣Allow HHS access to books and records
➣At termination, return or destroy PHI
◆Extend protections of the BAA if not feasible to return or destroy
The Business Associate Agreement (BAA)
Negotiable BAA terms include:
➣BA use/disclose PHI for its management & administration
➣Indemnification and insurance
➣Breach notification deadlines and responsibilities
➣Notice and cure period
➣Subcontractors
➣BA right to de-identified data
➣Offshore restrictions
Business Associate Agreement (cont’d)
What to do if the parties do not agree that
a vendor is a BA
Resolving BA Relationship
Uncertainties
A BA is defined by the access to PHI on behalf of the CE
➣Even if there is no business associate agreement, a BA is still a BA
◆BA status is determined by regulatory definition, not the agreement of the parties
◆Failure to put in place a BAA would be a violation for the CE (and the BA with downstream BAs)
◆A BA must still comply with the requirements under HIPAA even without a BAA
◆Absence of a BAA means that the parties have
not addressed important issues, e.g.,
▹ Notification
▹ Responding to patient inquiries
▹ Data handling
▹ Disposition of data
Resolving BA Uncertainties
Unless data is completely de-identified, you have access to PHI
There are 18 elements, which must be removed to de-identify (safe harbor)1,2
Resolving BA Uncertainties
1. List is not exhaustive, nuances exist for many of these identifiers
2. Even if you remove all 18, if there is sufficient info to re-identify, then the data is still PHI
➣Names
➣Addresses
◆Street
◆City
◆County
◆Zip code
➣Dates
➣Telephone/fax numbers
➣Vehicles ID (VIN, Lic. Plate)
➣Device IDs and serial #s
➣Email addresses and URLs
➣SSN
➣Medical record numbers
➣Biometrics
➣Health plan numbers
➣Photos
➣Account numbers
➣Any other unique number, code
➣Certificate/license numbers
Even if processing PHI is not a direct BA responsibility, access to PHI may create
a BA relationship and duties
➣Access to records thrown out (e.g., shredding services provider)
➣Hosting services providers
➣Cloud services providers
➣Collections firms
➣Moving firm
➣Computer hardware support
➣Copier maintenance company
Resolving BA Uncertainties
Cloud services providers (CSPs) are BAs
➣Even if the data is encrypted, the CSP is a BA
➣CSP may not block CE’s access to data
➣Breach and utility of indemnities
➣Offshoring may increase risks
➣Assure alignment between any SLAs and the BAA
◆System availability and reliability
◆Back-up and data recovery
◆Data return on termination
◆Use, retention and disclosure limitations
◆Security responsibilities
➣CSP should remain alert to use of their services for handling PHI – avoid inadvertent BA status
Resolving BA Uncertainties
Cloud services providers traditionally cited the conduit exception
➣Conduit exception
◆ Entities providing mere courier services, such as the USPS, UPS, FedEx
◆“Electronic equivalents, such as internet service providers (ISPs) providing mere
data transmission services.”
◆Conduits have no access to the data
◆Emphasis on transient aspects of transmission
➣HHS has been clear: the conduit exception is very narrow
➣Conduits do NOT include
◆Hosting vendors
◆Cloud storage
◆Cloud email providers
Resolving BA Uncertainties
Business Associate Breaches
The HITECH Act and Breach Notification Rule mandate breach notification upon
discovery of unauthorized uses and disclosures of “unsecured PHI.”
➣Two recognized methods of securing PHI:
■ Encryption (NIST)
■ Destruction
Breach Notification
Notice obligation of covered entity
➣To individual, media and HHS
Notice obligation of business associate
➣To covered entity – without unreasonable delay and in no case later than 60 days after discovery
➣Subcontractor notice obligation – to upstream BA
➣Business associate agreement may impose stricter standards
Breach Notification
“Discovery” – earlier of actual knowledge or reasonable diligence standard
➣BA (subcontractor) discovery will be imputed to the covered entity (upstream BA) if the BA or
subcontractor is an agent of the covered entity (upstream BA)
◆Does covered entity (or upstream BA) have the right to control the conduct of the BA?
▹ Interim instructions or directions
➣Some implications of breach:
◆Transparency - notification
◆ May trigger investigation
▹ Fines, resolution agreement
▹ HIPAA settlement for late notification – Presence Health Network (January 2017)
◆ PR – impact on goodwill
Breach Notification
Don’t forget:
➣State breach notification laws
➣Residence of affected individuals may determine applicable notice law
➣State attorneys general
➣Federal Trade Commission (FTC)
➣Plaintiffs’ lawyers (e.g., class actions)
Breach Notification
Recurrent themes--deficiencies
➣Risk analysis
➣Internet accessibility
➣Encryption
➣Business associate agreement
HIPAA Enforcement
Lack of Business Associate Agreement (BAA):
➣Oregon Health & Science University (2016) $2.7M
➣Catholic Health Care Services of the Archdiocese of Philadelphia (2016) $650K
◆Settlement with business associate
➣Center for Children’s Digestive Health (April 2017) - $31K
➣Raleigh Orthopaedic Clinic (2016) - $750K
➣North Memorial Health Care MN (2016) - $1.55M
➣Triple-S Management (2015) – 3.5M
➣Phoenix Cardiac Surgery (2012) - $100K
➣Advocate (2016) – $5.5M (multiple events)
HIPAA Settlements
Key Security Safeguards
There is a long list of appropriate security safeguards that a BA should have in
place
Not possible to exhaustively list all the required security safeguards in an agreement
➣Often reference to industry best practices
◆NIST
◆ISO
◆Other standards
➣Aligning BA’s security policies and procedures with those from the CE or delegating BA
◆Security safeguards should either be addressed in the BAA or a referenced exhibit
◆May be a challenge for the BA to have multiple different customer policies
driving their security approach
➣Evaluate the BA’s security environment prior to entering into an agreement – selection criteria
Key Security Safeguards
All BAs must comply with the Security Rule
CE (and upstream BAs) will want to review the BA’s compliance
➣Risk analysis
◆Sufficient?
◆Maintained and periodically updated
➣Risk Management
◆Plan for addressing gaps identified in the risk analysis
◆Prioritized by threat level, probability
Key Security Safeguards: Risk Analysis
Supervising the BA
There are many benefits to requiring that a BA have independent audits
➣Operationally untenable for both the customer and the vendor
◆Most CEs do not have the expertise or resources to audit their BAs
◆BAs do not want to have every customer performing their own audit
➣Third-party audits are a good first step
◆Frequency
◆Period covered or point in time
◆How remediation is handled and validated
◆Scope of audit
➣Qualifications of the third-party audit provider (SOC-2, ISO, commercial certifications)
Supervising The BA: Leveraging Third Parties
Too great a degree of supervision of a BA may result in greater liability for BA
actions
➣Omnibus rule incorporated federal common law rule of agency
◆If a BA is deemed to be an agent of the CE or an upstream BA (‘principal’), then actions of the BA
are imputed to the CE (or upstream BA)
◆Accelerates when the principal is deemed to know about a breach (and is required to notify)
◆Makes principal liable for actions of the agent BA
➣Agency Determination
◆Depends on the specific facts and totality of circumstances
◆The right or authority of the CE (or upstream BA) to
control the BA’s conduct
Supervising The BA: Striking The Right Balance
Wrap up
Answers to questions are for general
information purposes and do not
constitute specific legal advice
Discussion

The Role Of Community-Based Organizations in Achieving Population Health GoalsDan Wellisch
 
Driving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare CostsDriving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare CostsDan Wellisch
 
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...Dan Wellisch
 
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...Dan Wellisch
 
Who Is A HIPAA Business Associate ?
Who Is A  HIPAA  Business  Associate ?Who Is A  HIPAA  Business  Associate ?
Who Is A HIPAA Business Associate ?Dan Wellisch
 
Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018Dan Wellisch
 
Using Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural TransformationUsing Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural TransformationDan Wellisch
 
Analyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning StudioAnalyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning StudioDan Wellisch
 
Simple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-StepSimple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-StepDan Wellisch
 
Helping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision SupportHelping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision SupportDan Wellisch
 
AWS Machine Learning Workshop
AWS Machine Learning WorkshopAWS Machine Learning Workshop
AWS Machine Learning WorkshopDan Wellisch
 
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?Dan Wellisch
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
Using Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And CoordinationUsing Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And CoordinationDan Wellisch
 
Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)Dan Wellisch
 
Driving to consumerism
Driving to consumerismDriving to consumerism
Driving to consumerismDan Wellisch
 
Using The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare InnovationUsing The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare InnovationDan Wellisch
 

More from Dan Wellisch (18)

Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
 
The Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health GoalsThe Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health Goals
 
Driving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare CostsDriving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare Costs
 
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
 
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
 
Who Is A HIPAA Business Associate ?
Who Is A  HIPAA  Business  Associate ?Who Is A  HIPAA  Business  Associate ?
Who Is A HIPAA Business Associate ?
 
Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018
 
Using Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural TransformationUsing Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural Transformation
 
Analyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning StudioAnalyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning Studio
 
Simple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-StepSimple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-Step
 
Helping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision SupportHelping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision Support
 
AWS Machine Learning Workshop
AWS Machine Learning WorkshopAWS Machine Learning Workshop
AWS Machine Learning Workshop
 
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
Using Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And CoordinationUsing Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And Coordination
 
Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)
 
Driving to consumerism
Driving to consumerismDriving to consumerism
Driving to consumerism
 
Using The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare InnovationUsing The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare Innovation
 

Recently uploaded

Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.ktanvi103
 
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaHot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaRussian Call Girls in Ludhiana
 
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In RaipurCall Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipurgragmanisha42
 
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...Call Girls Service Chandigarh Ayushi
 
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋Sheetaleventcompany
 
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...Call Girls Noida
 
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar SumanCall Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar SumanCall Girls Service Chandigarh Ayushi
 
VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171Call Girls Service Gurgaon
 
Call Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In Faridabad
Call Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In FaridabadCall Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In Faridabad
Call Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In Faridabadgragmanisha42
 
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in LucknowRussian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknowgragteena
 
Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★
Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★
Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★indiancallgirl4rent
 
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130  Available With RoomVIP Kolkata Call Girl New Town 👉 8250192130  Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012Call Girls Service Gurgaon
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591adityaroy0215
 
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋Sheetaleventcompany
 
No Advance 9053900678 Chandigarh Call Girls , Indian Call Girls For Full Ni...
No Advance 9053900678 Chandigarh  Call Girls , Indian Call Girls  For Full Ni...No Advance 9053900678 Chandigarh  Call Girls , Indian Call Girls  For Full Ni...
No Advance 9053900678 Chandigarh Call Girls , Indian Call Girls For Full Ni...Vip call girls In Chandigarh
 
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋Sheetaleventcompany
 
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅gragmanisha42
 

Recently uploaded (20)

Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
 
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaHot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
 
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In RaipurCall Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
 
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
 
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Mumbai Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
 
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar SumanCall Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
 
VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171VIP Call Girl Sector 32 Noida Just Book Me 9711199171
VIP Call Girl Sector 32 Noida Just Book Me 9711199171
 
Call Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In Faridabad
Call Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In FaridabadCall Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In Faridabad
Call Girls Service Faridabad 📲 9999965857 ヅ10k NiGhT Call Girls In Faridabad
 
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in LucknowRussian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
Russian Escorts Aishbagh Road * 9548273370 Naughty Call Girls Service in Lucknow
 
Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★
Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★
Enjoyment ★ 8854095900 Indian Call Girls In Dehradun 🍆🍌 By Dehradun Call Girl ★
 
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Subhash Nagar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Hyderabad Just Call 9907093804 Top Class Call Girl Service Available
 
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130  Available With RoomVIP Kolkata Call Girl New Town 👉 8250192130  Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Room
 
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
VIP Call Girls Sector 67 Gurgaon Just Call Me 9711199012
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
 
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 
No Advance 9053900678 Chandigarh Call Girls , Indian Call Girls For Full Ni...
No Advance 9053900678 Chandigarh  Call Girls , Indian Call Girls  For Full Ni...No Advance 9053900678 Chandigarh  Call Girls , Indian Call Girls  For Full Ni...
No Advance 9053900678 Chandigarh Call Girls , Indian Call Girls For Full Ni...
 
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
 

Managing HIPAA Business Associate Relationships - April 24, 2018

  • 1. © 2018 Nussbaum-Hindmand 1 Managing HIPAA Business Associate Relationships Security, Privacy and Compliance 24 April 2018| Chicago Technology For Value-Based Healthcare Meetup 24 April 2018|©Nussbaum-Hindmand|2Managing HIPAA Business Associate Relationships ➣HIPAA Basics ➣Business Associate (BA) Relationship ➣Uncertainties and Disagreements About the BA Relationship ➣BA Breaches ➣Key Security Safeguards ➣Supervising the BA ➣Wrap Up Topics
  • 2. © 2018 Nussbaum-Hindmand 2 24 April 2018|©Nussbaum-Hindmand|3Managing HIPAA Business Associate Relationships ➣This presentation and any discussion ◆Are for educational and informational purposes only, and should not be construed as legal advice or as an offer to perform legal services on any subject matter. ◆Contains general information and may not reflect current legal developments or information. The information is not guaranteed to be correct, complete or current. The presenters and sponsors make no warranty, expressed or implied, about the accuracy or reliability of the information provided. ➣Individuals and entities should consult a qualified attorney prior to acting or refraining from action. ➣ Nothing herein is intended to create an attorney-client relationship and shall not be construed as legal advice. Viewing this material or participating in this webinar does not create an attorney-client relationship. ➣The information provided is intended to be an overview and relevant details may not be covered. ➣By accessing this information, you acknowledge receipt, understanding, and consent to this disclaimer. Disclaimer HIPAA Basics
  • 3. © 2018 Nussbaum-Hindmand 3 24 April 2018|©Nussbaum-Hindmand|5Managing HIPAA Business Associate Relationships ➣Protected Health Information (PHI) – individually identifiable health information that: ◆is created or received by a covered entity or employer; and ◆relates to the physical or mental health or condition of an individual, the provision of health care to an individual, or payment for health care ◆Not limited to treatment information ➣Electronic Protected Health Information (ePHI) – PHI transmitted or maintained in electronic media HIPAA Background – Key Terms 24 April 2018|©Nussbaum-Hindmand|6Managing HIPAA Business Associate Relationships ➣Covered Entity (CE) ◆Health care provider transmitting health information electronically ◆Health plan ◆Health care clearinghouse (e.g., medical billing company) ➣Business Associate (BA) – Person or entity that performs services for or on behalf of a Covered Entity involving PHI or on behalf of another BA that is working on behalf of a CE ➣Business Associate Agreement (BAA) – written contract b/w BA and CE governing BA’s use and obligations re PHI HIPAA Background – Key Terms
  • 4. © 2018 Nussbaum-Hindmand 4 24 April 2018|©Nussbaum-Hindmand|7Managing HIPAA Business Associate Relationships HIPAA Rules provide a floor of protection ➣Other federal and state laws may also apply ➣42 C.F.R. Part 2 – substance abuse disorder ➣State law - HIPAA preemption exceptions(45 C.F.R. § 160.203) ◆Not contrary ◆Greater protections or rights for individuals ◆State law public health or health plan reporting ◆HHS Secretary determinations ➣Genetic Information Non-Disclosure Act (GINA) ➣International ◆General Data Protection Regulation (GDPR) HIPAA Background – Other Laws + Regulations 24 April 2018|©Nussbaum-Hindmand|8Managing HIPAA Business Associate Relationships ➣Business associate agreement (BAA) w/client (covered entity or upstream BA) and subcontractors ➣Security Rule ➣Breach Notification ➣Privacy: ◆Use and disclosure of PHI only as allowed in BAA ◆Minimum necessary ◆Accounting of disclosures ◆No sale of PHI ◆Marketing restrictions ◆Allow individuals & HHS access HIPAA Background – BA Obligations
  • 5. © 2018 Nussbaum-Hindmand 5 24 April 2018|©Nussbaum-Hindmand|9Managing HIPAA Business Associate Relationships ➣Requires covered entities and business associates to implement reasonable and appropriate administrative, physical and technical safeguards ➣Applies to ePHI ➣required v addressable safeguards ➣Administrative safeguards – risk analysis, risk management, regular review of system activity, security incident procedures, security officer, workforce sanction policy, workforce security, training, contingency plan ➣Physical safeguards – facility access controls, workstation use and security, device and media controls ➣Technical safeguards – access control, audit controls, integrity, user authentication, transmission security HIPAA Background – Security Rule Business Associate (BA) Relationship
  • 6. © 2018 Nussbaum-Hindmand 6 24 April 2018|©Nussbaum-Hindmand|11Managing HIPAA Business Associate Relationships ➣Business Associate: ◆Creates, receives, maintains or transmits PHI ▹ on behalf of a covered entity (directly, or indirectly as subcontractor of a BA); ▹ for claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing; or ◆Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves PHI Who is a BA? 24 April 2018|©Nussbaum-Hindmand|12Managing HIPAA Business Associate Relationships ➣Typically a business associate (if access to PHI): ◆Cloud vendors ◆Medical transcription ◆Answering service ◆Document storage or disposal ◆Patient safety or accreditation ◆Medical billing ◆Utilization review and management companies ◆Health information exchanges (HIEs), e-prescribing gateways, health information organizations (HIOs) ◆Third party administrators and pharmacy benefit managers ◆Data conversion, de-identification and data analysis Who is a BA?
  • 7. © 2018 Nussbaum-Hindmand 7 24 April 2018|©Nussbaum-Hindmand|13Managing HIPAA Business Associate Relationships Typically not a business associate: ➣Workforce of the covered entity ➣Health care provider (re disclosure for treatment) ➣Plan sponsor (re disclosures from its group health plan) ➣Bank (when merely payment processing activities) ➣Janitorial service ➣Maintenance and repair personnel (if no PHI access) ➣Conduits (e.g., U.S. Postal Service and its electronic equivalents) Who is a BA? 24 April 2018|©Nussbaum-Hindmand|14Managing HIPAA Business Associate Relationships Subcontractor business associate • Delegated function, activity or service from BA to subcontractor • Access to PHI Who is a BA?
  • 8. © 2018 Nussbaum-Hindmand 8 24 April 2018|©Nussbaum-Hindmand|15Managing HIPAA Business Associate Relationships Who is a Business Associate?(cont’d) Chain of Business Associate Relationships Covered Entity Bus Assoc A Subcontractor B Subcontractor C Subcontractor D BAA BAA BAA BAA … Who is a BA? 24 April 2018|©Nussbaum-Hindmand|16Managing HIPAA Business Associate Relationships BAA requirements: ➣Permitted and required uses and disclosures of PHI ➣Allow the covered entity to terminate for breach ➣No use or disclosure except per BAA ➣Safeguards - improper use or disclosure ➣Comply with the Security Rule ➣Enter into BAAs with downstream subcontractors at least as stringent as the upstream BAA ➣Report breaches, security incidents and improper uses or disclosures of PHI ➣Make PHI available for covered entity to respond to requests from individuals ➣Allow HHS access to books and records ➣At termination, return or destroy PHI ◆Extend protections of the BAA if not feasible to return or destroy The Business Associate Agreement (BAA)
  • 9. © 2018 Nussbaum-Hindmand 9 24 April 2018|©Nussbaum-Hindmand|17Managing HIPAA Business Associate Relationships Negotiable BAA terms include: ➣BA use/disclose PHI for its management & administration ➣Indemnification and insurance ➣Breach notification deadlines and responsibilities ➣Notice and cure period ➣Subcontractors ➣BA right to de-identified data ➣Offshore restrictions Business Associate Agreement (cont’d) What to do if the parties do not agree that a vendor is a BA Resolving BA Relationship Uncertainties
  • 10. © 2018 Nussbaum-Hindmand 10 24 April 2018|©Nussbaum-Hindmand|19Managing HIPAA Business Associate Relationships A BA is defined by the access to PHI on behalf of the CE ➣Even if there is no business associate agreement, a BA is still a BA ◆BA status is determined by regulatory definition, not the agreement of the parties ◆Failure to put in place a BAA would be a violation for the CE (and the BA with downstream BAs) ◆A BA must still comply with the requirements under HIPAA even without a BAA ◆Absence of a BAA means that the parties have not addressed important issues, e.g., ▹ Notification ▹ Responding to patient inquiries ▹ Data handling ▹ Disposition of data Resolving BA Uncertainties 24 April 2018|©Nussbaum-Hindmand|20Managing HIPAA Business Associate Relationships Unless data is completely de-identified, you have access to PHI There are 18 elements, which must be removed to de-identify (safe harbor)1,2 Resolving BA Uncertainties 1. List is not exhaustive, nuances exist for many of these identifiers 2. Even if you remove all 18, if there is sufficient info to re-identify, then the data is still PHI ➣Names ➣Addresses ◆Street ◆City ◆County ◆Zip code ➣Dates ➣Telephone/fax numbers ➣Vehicles ID (VIN, Lic. Plate) ➣Device IDs and serial #s ➣Email addresses and URLs ➣SSN ➣Medical record numbers ➣Biometrics ➣Health plan numbers ➣Photos ➣Account numbers ➣Any other unique number, code ➣Certificate/license numbers
  • 11. © 2018 Nussbaum-Hindmand 11 24 April 2018|©Nussbaum-Hindmand|21Managing HIPAA Business Associate Relationships Even if processing PHI is not a direct BA responsibility, access to PHI may create a BA relationship and duties ➣Access to records thrown out (e.g., shredding services provider) ➣Hosting services providers ➣Cloud services providers ➣Collections firms ➣Moving firm ➣Computer hardware support ➣Copier maintenance company Resolving BA Uncertainties 24 April 2018|©Nussbaum-Hindmand|22Managing HIPAA Business Associate Relationships Cloud services providers (CSPs) are BAs ➣Even if the data is encrypted, the CSP is a BA ➣CSP may not block CE’s access to data ➣Breach and utility of indemnities ➣Offshoring may increase risks ➣Assure alignment between any SLAs and the BAA ◆System availability and reliability ◆Back-up and data recovery ◆Data return on termination ◆Use, retention and disclosure limitations ◆Security responsibilities ➣CSP should remain alert to use of their services for handling PHI – avoid inadvertent BA status Resolving BA Uncertainties
  • 12. © 2018 Nussbaum-Hindmand 12 24 April 2018|©Nussbaum-Hindmand|23Managing HIPAA Business Associate Relationships Cloud services providers traditionally cited the conduit exception ➣Conduit exception ◆ Entities providing mere courier services, such as the USPS, UPS, FedEx ◆“Electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.” ◆Conduits have no access to the data ◆Emphasis on transient aspects of transmission ➣HHS has been clear, the conduit exception is very narrow ➣Conduits do NOT include ◆Hosting vendors ◆Cloud storage ◆Cloud email providers Resolving BA Uncertainties Business Associate Breaches
  • 13. Breach Notification
    The HITECH Act and Breach Notification Rule mandate breach notification upon discovery of unauthorized uses and disclosures of “unsecured PHI.”
    ➣Two recognized methods of securing PHI:
      ■ Encryption (NIST)
      ■ Destruction
    Breach Notification
    Notice obligation of covered entity
    ➣To individual, media and HHS
    Notice obligation of business associate
    ➣To covered entity – without unreasonable delay and in no case later than 60 days after discovery
    ➣Subcontractor notice obligation – to upstream BA
    ➣Business associate agreement may impose stricter standards
  • 14. Breach Notification
    “Discovery” – earlier of actual knowledge or reasonable diligence standard
    ➣BA (subcontractor) discovery will be imputed to the covered entity (upstream BA) if the BA or subcontractor is an agent of the covered entity (upstream BA)
      ◆Does covered entity (or upstream BA) have the right to control the conduct of the BA?
        ▹ Interim instructions or directions
    ➣Some implications of breach:
      ◆Transparency - notification
      ◆May trigger investigation
        ▹ Fines, resolution agreement
        ▹ HIPAA settlement for late notification – Presence Health Network (January 2017)
      ◆PR – impact on goodwill
    Breach Notification
    Don’t forget:
    ➣State breach notification laws
    ➣Residence of affected individuals may determine applicable notice law
    ➣State attorneys general
    ➣Federal Trade Commission (FTC)
    ➣Plaintiffs’ lawyers (e.g., class actions)
  • 15. HIPAA Enforcement
    Recurrent themes--deficiencies
    ➣Risk analysis
    ➣Internet accessibility
    ➣Encryption
    ➣Business associate agreement
    HIPAA Settlements
    Lack of Business Associate Agreement (BAA):
    ➣Oregon Health & Science University (2016) $2.7M
    ➣Catholic Health Care Services of the Archdiocese of Philadelphia (2016) $650K
      ◆Settlement with business associate
    ➣Center for Children’s Digestive Health (April 2017) - $31K
    ➣Raleigh Orthopaedic Clinic (2016) - $750K
    ➣North Memorial Health Care MN (2016) - $1.55M
    ➣Triple-S Management (2015) – 3.5M
    ➣Phoenix Cardiac Surgery (2012) - $100K
    ➣Advocate (2016) – $5.5M (multiple events)
  • 16. Key Security Safeguards
    Key Security Safeguards
    There is a long list of appropriate security safeguards that a BA should have in place
    Not possible to exhaustively list all the required security safeguards in an agreement
    ➣Often reference to industry best practices
      ◆NIST
      ◆ISO
      ◆Other standards
    ➣Aligning BA’s security policies and procedures with those from the CE or delegating BA
      ◆Security safeguards should either be addressed in the BAA or a referenced exhibit
      ◆May be a challenge for the BA to have multiple different customer policies driving their security approach
    ➣Evaluate the BA’s security environment prior to entering into an agreement – selection criteria
  • 17. Key Security Safeguards: Risk Analysis
    All BAs must comply with the Security Rule
    CE (and upstream BAs) will want to review the BA’s compliance
    ➣Risk analysis
      ◆Sufficient?
      ◆Maintained and periodically updated
    ➣Risk Management
      ◆Plan for addressing gaps identified in the risk analysis
      ◆Prioritized by threat level, probability
    Supervising the BA
  • 18. Supervising The BA: Leveraging Third Parties
    There are many benefits to requiring that a BA have independent audits
    ➣Operationally untenable for both the customer and the vendor
      ◆Most CEs do not have the expertise or resources to audit their BAs
      ◆BAs do not want to have every customer performing their own audit
    ➣Third-party audits are a good first step
      ◆Frequency
      ◆Period covered or point in time
      ◆How remediation is handled and validated
      ◆Scope of audit
    ➣Qualifications of the third-party audit provider (SOC-2, ISO, commercial certifications)
    Supervising The BA: Striking The Right Balance
    Too great a degree of supervision of a BA may result in greater liability for BA actions
    ➣Omnibus rule incorporated federal common law rule of agency
      ◆If a BA is deemed to be an agent of the CE or an upstream BA (‘principal’), then actions of the BA are imputed to the CE (or upstream BA)
      ◆Accelerates when the principal is deemed to know about a breach (and is required to notify)
      ◆Makes principal liable for actions of the agent BA
    ➣Agency Determination
      ◆Depends on the specific facts and totality of circumstances
      ◆The right or authority of the CE (or upstream BA) to control the BA’s conduct
  • 19. Wrap up
    Discussion
    Answers to questions are for general information purposes and do not constitute specific legal advice