Every individual and business in the health care industry must understand their obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPM"), the Heath Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), and their implementing regulations. Surprisingly, many physicians do not seem co realize the changes HITECH made to H!PM include holding a Business Associate ("BA") to most of the requirements that are imposed on a Covered Entity ("CE"); that is, a health plan, healthcare clearing house, or healthcare provider, such as a physician. ASC, medical spa. or clinical laboratory. Consequently, this has become an area of government scrutiny and enforcement.
The U.S. Department of Health and Human Services-Office of Civil Rights ("OCR") recently published "Direct Liability of Business Associates" (the ''Publication"). The Publication identifies ten (10) common violations of HIPAA-HITECH this agency has found among BAs, and their related CEs. This publication should be reviewed by every CE and BA. (For a copy. please contact the author.)
Who/What is a Business Associate?
A 'business associate' is a person or entity char performs certain functions or activities that involve the use or disclosure of protected health information ["PHI"] on behalf of, or provides services to a covered entity ["CE"] .... A covered health care provider, health plan, or health care clearinghouse [all of which are CEs] can be a business associate of another covered entity.
Examples of parties who may be a BA, if they have access to PHI include, but certainly are nor limited to:
- CPA firms;
- Independent medical transcriptionists;
- Pharmacy benefits managers; and
- Software managers
Are you a Business Associate?
The italicized sentence, above, is worth repeating: A covered health care provider ... can be a business associate of another covered entity. Indeed, many physicians are both CEs and BAAs, without realizing the difference in their roles or the different legal obligations each role assumes. For example, a physician is a CE when treating patients; however, when serving as the medical director of a hospital or other health care facility and reviewing its PHI. that same physician is a BA. Similarly, a physician who performs utilization review services on behalf of an accountable care organization in which they participate also is one of its BAs (and probably, vice versa). In both cases, the physician needs a business associate agreement ("BM") in place before performing those duties.
Business Associates Can Be Liable Under HIPAA-HITECH.
The Publication identifies ten (10) categories of violations for which OCR has held BAs liable:
- Failing to cooperate with or provide the Secretary of HHS with compliance reports, complaint investigations. or compliance reviews.
- Taking retaliatory action against anyone who files a HIPAA complaint or cooperates with an investigation.
- Failing to comply with the HIPAA Security Rule.
- Failing to provide timely breach notification to a CE or another BA.
- Impermissibly using or disclosing PHI.
- Failing to disclose electronic PHI ("ePHI") to either the CE, the individual. or their designee, to satisfy a CE's obligation regarding form and format, and the time and manner of access required under the HIPAA regulations.
- Failing to make reasonable efforts co limit the disclosure of PHI to the "minimum necessary'' to accomplish the intended purpose of the use or request.
- Failing. in certain circumstances, to provide an accounting of disclosures to an individual. their designee, or the Secretary of HHS.
- Failing to enter into a BM with subcontractors who have access to, create, or receive PHl, ,and, when there is a BAA with a subcontractor, failing to enforce the terms of that agreement.
- Failing to rake reasonable seeps to address a material breach or violation of a subcontractor's BAA.
(NOTE: OCR has sanctioned CEs, as well as their BAs. that failed to have adequate BAAs in place or failed to enforce the terms of those agreements.)
OCR no longer is "giving a pass" to a CE or BA who does not satisfy the requirements of HIPAA-HITECH. Justifications such as "the rules are too complex", "the rules are not clear", or "it is coo expensive to comply" will nor gain a CE (or BA) any sympathy, much less a reduction it their alleged violations or penalty. As a collateral matter these incidents are likely to be viewed as violations of the Florida Information Protection Act ("FIPA"). which also imposes sanctions.
HIPAA-HITECH compliance is neither straightforward nor intuitive. The cost of a violation can far exceed the cost of compliance. In addition to fines and legal fees, violations of HIPAA-HITECH and FIPA damage a business' reputation and can be the basis for a private right of action. Prudence, nor price, should be the star guiding compliance efforts for BAs and CEs.
What is the best way to avoid having to address an alleged violation? Either become proficient or retain attorneys and ocher consultants who arc proficient
in the requirements of HlPAA-HITECH, and then make sure the organization complies. Every BA ,and CE needs co decide how co proceed. However, in making that decision, please keep in mind a thought attributed to Abraham Lincoln: "He who represents himself has a fool for a client."
This article was originally written in the journal Miami Medicine:
Siegel, S. H. (2019, 11). HIPAA business associates (including you) have exposure too. Miami Medicine [Miami], p. 17.