Exposure Disclosure. Liability and Accountability.
HIPAA has been around for a while. I would not say we are generally complacent about it, but I believe we have become at least comfortable with it.
Enter the HITECH Act, which puts real muscle into HIPAA. Providers should recognize the urgency of reviewing not only their current internal policies regarding protection of patient information, but also the agreements they have in place with entities that use and access patient information on their behalf. With everything that is approaching under HITECH (or here already), providers may be unsettled to find that they are exposed to more potential liability and financial consequences than originally contemplated when HIPAA first came on the scene. That said, the good news is that accountability will now be shared with those entities to which you contract services involving patient information.
Capitalized terms refer to defined terms under HIPAA and the HITECH Act, and I am purposely avoiding long explanations and citations on the assumption that these terms are already known to HIStalk readership.
As a quick refresher, the HIPAA Privacy Rule (compliance required from 2003) and Security Rule (compliance required from 2005) set out the regulations applicable to health care providers (together with health plans and clearinghouses, the Covered Entities) and their protection and treatment of patients’ Protected Health Information (PHI). Covered Entities were required to enter into Business Associate Agreements that secured written agreement from Business Associates that they would protect PHI from unauthorized disclosure. At that time it was suggested but not required that the Covered Entity secure an indemnification from the Business Associate, protecting the Covered Entity in the event of an unauthorized disclosure of PHI due to the actions of the Business Associate (optional indemnification language was even previously included in the HHS Office for Civil Rights (OCR) sample Business Associate Agreement).
All providers should undertake a complete review of their existing Business Associate Agreements, while also reviewing their own policies regarding privacy and security of PHI. Business Associate Agreements should be amended or replaced as necessary in order to address the changes to HIPAA resulting from the HITECH Act. While reviewing the Business Associate Agreements, identify those that do not have an indemnification provision whereby the Business Associate indemnifies the Covered Entity for unauthorized disclosures of PHI caused by the Business Associate. This one factor alone is worth the entire review process. See HITlaw February 18, 2011 for a brief indemnification explanation.
HIPAA and HITECH
There is a ton of material worthy of elaboration packed into the following points, but space is limited. Being the straightforward type that I am, here goes:
- HIPAA requires that providers review and update their policies, procedures, and safeguards with regard to the privacy and security of PHI.
- OCR enforces HIPAA, with enforcement authority strengthened under HITECH; it is investigating data breaches and has imposed penalties on providers of $1 million or more (two of these in 2011).
- HITECH final regulations will put the bite into HIPAA, which until now has had mostly bark, including required enforcement and mandatory penalties in certain situations (for example, violations due to willful neglect).
- HITECH extends compliance regulations and penalties to Business Associates.
In addition to reviewing privacy policies, all providers should review their actual operations with regard to protection of PHI, because while a policy may look good on paper, non-adherence in daily operations will undoubtedly become evident in the event of an audit or investigation.
Here is the most important item to understand. Just because your organization contracts with a Business Associate that performs certain tasks and operations on your behalf does not mean that responsibility for any data breaches and unauthorized disclosures of PHI is automatically passed on to the Business Associate. Your organization, as the health care provider and Covered Entity, is ultimately responsible to the patient. Having an indemnification provision in the Business Associate Agreement ensures that if a breach or unauthorized disclosure of PHI occurs that is in any part the fault of the Business Associate, you will have legal recourse in order to pursue financial contribution from the Business Associate.
The potential impact on a provider organization without this protection is significant. Suppose a breach occurs and it is completely the fault of the provider’s staff. The provider organization is responsible and pays the price. Suppose however that a breach occurs and it was the fault of a Business Associate. The provider organization is still responsible and will pay the full price if it cannot shift some financial responsibility to the Business Associate under an indemnification provision.
Refer back to the bullets above. Before HITECH, everyone in this industry was fairly settled in with HIPAA and knew about the obligations to protect PHI. With the advent of HITECH, HIPAA takes on a much stronger presence. Audits will be performed, failures in compliance will be discovered, and penalties will be assessed (assuming adoption of the HITECH final regulations that amend HIPAA happens in the not-too-distant future). On a practical note, while assessment of a penalty on either the Covered Entity or Business Associate does not by any means guarantee a patient plaintiff a verdict in court, the very existence of any imposed penalties (on either the Covered Entity or its Business Associate) will certainly be introduced as evidence in legal actions by patients for unauthorized disclosure of PHI.
As for the Business Associates (vendors) in the industry, HITECH also requires that Business Associates obtain written agreement from subcontractors that they will comply with the Business Associate requirements to which your companies are subject with respect to your provider customers. All the above advice is applicable to your agreements with your subcontractors, and the indemnification from the subcontractors is essential for protection of your companies. Just re-read the above, and put “my company” in place of provider or Covered Entity, and “subcontractor” in place of Business Associate. Civil and criminal penalties, formerly applicable only to Covered Entities under HIPAA, may be imposed on Business Associates for HIPAA violations under HITECH. Careful review of your company’s policies and procedures, especially with regard to the administrative, physical, and technical safeguards of the Security Rule, is important. HITECH mandates Business Associate compliance with these HIPAA requirements directly, not merely by contract, so if you do not have a privacy and security policy in place, this should become a top priority for the very near future.
Clearly the HITECH Act calls for increased accountability. First, on the part of providers through audits, investigations, and penalties. Second, by extending compliance requirements (and audits, investigations, and penalties) to Business Associates. This is the real game-changer for technology companies in this industry. Prior to HITECH, the impact and exposure of any breach of a Business Associate Agreement for the Business Associate was dependent on action by the provider customer (Covered Entity). HITECH changes all that and brings accountability, responsibility, and the possibility of civil and criminal penalties right to the Business Associate.
The inclusion of Business Associates in the compliance and penalty aspects of HIPAA through the enactment of HITECH is a strong message from Washington: it is understood that providers in some cases are not responsible for data breaches and unauthorized disclosures of PHI, yet until HITECH they alone were accountable and subject to penalties in those situations. HITECH’s amendments to HIPAA permitting or requiring penalties against Business Associates for their own violations are a clear statement that the penalty, if imposed, should lie where the fault occurred and not just with the Covered Entity, which, through no fault of its own, was previously subject to penalty for the actions of others.
I suggest that vendors consider the accountability aspect of HITECH and realize that taking on responsibility and liability is truly becoming a cost of doing business in the industry. Providers did not impose HIPAA and HITECH on themselves. Just as Business Associate vendors should obtain protection from subcontractors for their faults and failings, they should also realize the potential impact on provider customers of any breach with regard to PHI. Fairness dictates that what you require from your subcontractors for your protection you should consider providing to your client base for their protection.
Note that I am not anti-vendor, nor am I anti-HIPAA or anti-HITECH. We must all deal with HIPAA and HITECH and the associated benefits for patients, as well as the negative aspects for both Covered Entity and Business Associate offenders. What I suggest is fairness for all, with parties being responsible for their actions.
Review policies, practices, and Business Associate Agreements and update all accordingly. Note: just because HITECH extends civil and criminal penalties to Business Associates does not mean that liability and responsibility to patients for disclosure of their PHI shifts from Covered Entities to Business Associates. While penalties may be imposed, they are not for the sole purpose of compensating patients whose PHI was disclosed. Some portion of the penalties is intended for this use, but this does not mean that your patients will in any way be prevented from bringing action against your organization directly. This reinforces the need for indemnification from your Business Associates.
Review policies and procedures (or establish them now), and obtain a written “Subcontractor Business Associate Agreement” from all subcontractors. In any action for data breach or unauthorized disclosure of PHI, attorneys for the patients will try to bring in as many entities as possible, from the provider Covered Entity to the Business Associate to the subcontractor of the Business Associate. Another practical note – just as the existence of a penalty for violation of HIPAA does not guarantee a patient plaintiff a favorable verdict in legal action, neither does the absence of penalties suggest a verdict for the defendant Business Associate (or Covered Entity). Make sure you are in compliance with HIPAA and have indemnification from your subcontractors as described above.
Although to some the information here may seem basic or obvious, I can assure you that it is not so for all readers. I have composed this posting over the past few months based on real inquiries from, and interactions with, people in different areas of responsibility and levels of leadership within the healthcare industry. Some were truly surprising.
In my various engagements, I represent providers as well as technology companies. This gives me a unique perspective, and in postings like this I try not to take sides but rather to offer advice to all. I also throw in a generous dose of fairness because that is what I believe is most important in structuring and negotiating agreements between parties.
William O’Toole is the founder of O’Toole Law Group of Duxbury, MA.