Since the implementation of the privacy and security regulations of the Health Insurance Portability and Accountability Act (“HIPAA”) in 2003 and 2005 respectively, business associates (“BAs”) – those entities that perform services for or on behalf of covered entities – had been a weak link in the overall protection of protected health information (“PHI”). BAs were not directly subject to HIPAA, but were only indirectly subject to its requirements through the business associate agreements – which were generally boilerplate – that covered entities were required to maintain as a condition of sharing PHI. Thus, under the original regulatory structure, the only risk for a BA was for a breach of contract.
All of that changed with the enactment of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act in 2009. As a result of HITECH, BAs are now directly subject to enforcement by the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) to the same extent as covered entities. State Attorneys General may also enforce HITECH requirements against BAs. While the proposed HITECH regulation provides a 180-day compliance period for both covered entities and BAs to come into compliance with the final rule’s provisions (see 75 F.R. 40867, July 14, 2010), and OCR has announced that it will not enforce HITECH provisions against BAs until the final omnibus regulation is published, there is no such grace period for Attorneys General, who have taken full advantage of their new enforcement authority.
The number of BAs overwhelms the number of covered entities. In general, a single covered entity may have numerous BAs, with hospitals often having hundreds of them. When PHI is shared with other organizations, many of which may be small and relatively technologically unsophisticated, the risk of a breach increases significantly. According to the reported breaches affecting 500 or more individuals listed on HHS’ “Wall of Shame,” more than 50% of the breaches reported by covered entities were caused by a BA. The sheer number of BAs, their lack of sophistication with respect to the very technical requirements of the Security Rule, and the relatively lax oversight by their covered entity clients make BAs an obvious enforcement target. All of these factors, together with the enhanced enforcement authority under HITECH, mean that BAs are now confronted with mounting pressures on many fronts, including attorney general enforcement, covered entity oversight, and OCR enforcement.
Attorney General Enforcement
A well-publicized and groundbreaking example of the impact of this newly granted enforcement authority of attorneys general occurred in Minnesota and involved Accretive Health, a publicly traded debt collection firm that was a BA of several Minnesota hospitals. The investigation against Accretive was triggered by a lost, unencrypted laptop containing 23,531 patient files, and ultimately extended to the two hospitals when it was discovered that the hospitals had given Accretive much more patient information than necessary to collect the debts at issue and had failed to inform patients that their information was being shared. A complaint alleging both multiple HIPAA violations and state unfair debt collection practices was filed in February 2012. In a settlement on July 31, 2012, Accretive agreed to pay nearly $2.5 million to the state of Minnesota and to refrain from conducting business in the state for six years.
BAs can expect more such investigations and covered entities should be aware that an investigation of BA practices will likely lead to an investigation of their own HIPAA practices. This investigation puts both BAs and covered entities on notice that the casual practices of the past decade are no longer acceptable.
Covered Entity Oversight
Covered entities are beginning to take a more active role in monitoring their BAs. They are sending out Requests for Information about their business associate security practices and, in some cases, asking to conduct an actual security audit. Others are setting up an audit program of their BAs to determine whether the BA is complying with the requirements of the BA Agreement. In light of the risk to the covered entity of a data breach by a BA, it is likely that this kind of oversight will become more common.
OCR Enforcement
To date, OCR has neither brought any enforcement actions against BAs nor included BAs within the scope of the HIPAA audit program. However, it is no secret that OCR intends to extend its audit program to BAs, probably in 2014. Moreover, once the compliance period required by the still-to-be-published final omnibus HIPAA regulation has passed, business associates can expect swift enforcement efforts by OCR. Given the number of breaches reported to the Wall of Shame for which BAs appear responsible, OCR already has a number of potential BA targets lined up.
How Can BAs Prepare?
- Cooperate in signing and negotiating a BA Agreement. Clear expectations will assist in achieving compliance. This is particularly important with respect to responsibilities for breach notification.
- Understand the requirements of HIPAA and HITECH. Given the technical nature of the Security Rule, most BAs will need to retain a consultant to assist in establishing the required safeguards. However, remember that compliance with the Security Rule is “scalable” and depends, to some extent, on the size and resources of the organization. What is required of a national consulting firm is not required of a solo practitioner who serves as an expert.
- Invest the resources in establishing a HIPAA Privacy and Security Program. It is a far better investment to be proactive than to be reactive after experiencing a serious breach that causes reputational harm.
On December 4, 2012, Susan McAndrew, deputy director for health information policy at the Department of Health and Human Services Office for Civil Rights, announced that HHS will publish a final version of the HITECH regulations by “early to mid-2013.”