[BreachExchange] Business Associates Reminded of HIPAA Duties

Destry Winant destry at riskbasedsecurity.com
Fri May 31 10:17:15 EDT 2019


https://www.databreachtoday.com/business-associates-reminded-hipaa-duties-a-12528

Federal regulators have issued new guidance clarifying when a business
associate can be held directly liable for compliance with the HIPAA
privacy, security and breach notification rules.

In 2013, as required under the HITECH Act, the Department of Health
and Human Services' Office for Civil Rights issued a final rule -
frequently referred to as the HIPAA Omnibus Rule - that, among other
things, identified provisions of the HIPAA rules for which business
associates are directly liable for compliance.

Because of confusion about the issue, OCR has issued a fact sheet and
a compilation of frequently asked questions about the HIPAA compliance
requirements for business associates. "We want to make it as easy as
possible for regulated entities to understand, and comply with, their
obligations under the law," says OCR Director Roger Severino.

BA Liability

OCR's guidance reiterates that the agency has authority to take HIPAA
enforcement action against business associates. For example, the
office can take action for BAs' failure to:

- Meet the broad requirements of the security rule, including the
  mandate to conduct a comprehensive risk assessment;
- Provide breach notification to a covered entity or another business
  associate;
- Refrain from impermissible uses and disclosures of PHI;
- Provide HHS with records and compliance reports, cooperate with
  complaint investigations and compliance reviews, or permit HHS to
  access information, including PHI pertinent to determining compliance;
- Disclose a copy of electronic PHI to either the covered entity, the
  individual or the individual's designee - whichever is specified in
  the business associate agreement - to satisfy a covered entity's HIPAA
  obligations;
- Make reasonable efforts to limit use of PHI to the minimum necessary
  to accomplish the intended purpose of the use, disclosure or request;
- Provide an accounting of certain PHI disclosures;
- Enter into business associate agreements with subcontractors that
  create or receive PHI on their behalf;
- Take reasonable steps to address a material breach or violation of the
  subcontractor's business associate agreement.

OCR also can take enforcement action if a BA retaliates against any
individual for filing a HIPAA complaint, participating in an
investigation or other enforcement process or opposing an act or
practice that is unlawful under the HIPAA rules.

BA Breaches

Business associates have been involved in many of the largest health
data breaches, including several large breaches posted to the HHS
HIPAA Breach Reporting Tool website so far in 2019.

Commonly called the "wall of shame," the website lists health data
breaches impacting 500 or more individuals.

As of Tuesday, some 39 incidents affecting a total of nearly 1.1
million individuals that have been added to the tally so far in 2019
were reported as incidents involving a business associate, or where a
business associate was reported as being "present." Those incidents
represent about 20 percent of all breaches added to the tally so far
this year.

BA Risks

"Business associates still struggle with their HIPAA Security Rule
obligations, in many of the same ways as do covered entities,
including with regard to risk analysis, risk management and
encryption, for example," says privacy attorney Iliana Peters of the
law firm Polsinelli. "Business associates struggle with understanding
their obligations to flow down the requirements of their business
associate agreements with their own vendors that have access to
protected health information."

Covered entities and business associates alike must understand the
lifecycle of their data so that appropriate HIPAA-required security
safeguards are applied, Peters adds. And business associates should
periodically conduct "mini-audits" of their security practices to
ensure they are meeting obligations spelled out in their BA
agreements, she says.

Even though business associates became directly liable for HIPAA
compliance nearly six years ago, confusion about their duties
persists.

"Some BAs fail to understand the full scope of their compliance
responsibilities," says Kate Borten, president of privacy and security
consultancy The Marblehead Group.

"For example, some tech companies may claim compliance based on
implementing security technologies, such as strong encryption. But we
know that technology is only a part of a full-blown information
security program as required."

Peters adds: "There may still be some confusion in the regulated
community about not only what potential violations for which business
associates are directly liable, but also the purposes of ensuring that
covered entities and business associates have good business associate
agreements in place, given that liability for other potential
violations stems from those business associate agreements."

For example, Peters says that anything that a business associate is
not directly liable for under HIPAA - but is nonetheless required by a
covered entity - should be addressed in the business associate
agreement. "So, not only is understanding the direct liability piece
important for business associates, it's also important for covered
entities to make sure their business associate agreements are
appropriately comprehensive."

Longstanding Issues

Privacy attorney Kirk Nahra of the law firm WilmerHale says the
guidance from OCR shines a spotlight on BAs' longstanding HIPAA
compliance requirements.

"The only thing that might be considered a little new - although it
mainly makes something clear that is already in the rules - is that
business associates don't have a compliance obligation to follow the
administrative requirements of the privacy rule," he notes. "They
probably should do a lot of those things anyways - like training and
policies and procedures - but they aren't compliance obligations
because they aren't in a business associate agreement."

Managing Vendor Risk

Some covered entities have taken steps to raise the bar on their
expectations of vendors that handle PHI.

For instance, UPMC, a large healthcare system based in Pittsburgh,
along with a half dozen other large healthcare delivery organizations,
last year launched the Provider Third Party Risk Management Council.
Members of the council are requiring their vendors - including cloud
services providers - to become certified in the HITRUST Common
Security Framework by summer 2020. That framework cross-references
standards, regulations and business requirements, including HIPAA.

"What we're pushing as a group is that if you want to do business with
us ... you want to deliver services to us through the cloud, you have
to be HITRUST-certified," says John Houston, UPMC's vice president of
information security and privacy and associate counsel.
