The year 2016 placed new focus on the role of business associates pursuant to the Health Insurance Portability and Accountability Act (HIPAA). While in years past the government focused on covered entities subject to HIPAA, 2016 marked the first year that business associates took much of the limelight. The list of activities surrounding business associates includes: the first Department of Health and Human Services’ Office for Civil Rights (OCR) enforcement actions against business associates; OCR's cybersecurity awareness initiative; Phase 2 desk audits involving business associates; new guidance addressing blocking of a covered entity’s access to patient data; and even more recent guidance on the treatment of cloud computing providers as business associates. These actions and guidance indicate that business associates are not immune from OCR's oversight and that this oversight will likely not slow down in 2017.
HIPAA was enacted on August 21, 1996 to address data privacy and security provisions for safeguarding medical information.1 More specifically, the Standards for Privacy of Individually Identifiable Health Information, also known as the HIPAA Privacy Rule, established the first national standards for the protection of patients' protected health information (PHI). The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses and healthcare providers, identified as "covered entities." An organization or person that works in association with, or provides services to or on behalf of, a covered entity and handles or discloses PHI is identified as a "business associate." OCR is the agency charged with monitoring and enforcing HIPAA’s privacy and security provisions, including the HIPAA Privacy Rule.2 The HIPAA Privacy Rule requires a covered entity that works with a business associate to enter into an agreement, known as a business associate agreement (BAA), that imposes specific safeguards on the PHI that the business associate accesses, uses, and/or discloses.3 The HIPAA Security Rule establishes standards for protecting the confidentiality and availability of electronic protected health information (ePHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 made business associates subject to many of the provisions of the Privacy and Security Rules.
OCR Enforcement Actions against Business Associates
Catholic Health Care Services
On June 30, 2016, OCR announced a resolution agreement to settle HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia that, for the first time, involved a business associate being held directly liable for violations of the HIPAA rules.4 The resolution agreement5 involved a $650,000 monetary payment and a corrective action plan, highlighting the requirement that business associates implement HIPAA Security Rule protections for any ePHI that is created, received, maintained, or transmitted from covered entities.
Care New England
OCR entered into a resolution agreement with a second business associate on September 23, 2016. Care New England Health System agreed to settle potential violations of HIPAA for $400,000. The violation stemmed from the loss of a covered entity’s unencrypted backup tapes. OCR found, among other things, that the BAA between the parties, entered into in 2005, was only updated as a result of the investigation and did not incorporate revisions required by the HITECH Act.
Although the Catholic Health Care Services settlement is the first OCR enforcement action directly against a business associate, it follows two other actions in 2016 that involved the failure of covered entities to enter into BAAs with service providers where PHI was being used and/or disclosed.
In March 2016, OCR announced a resolution agreement and corrective action plan for North Memorial Healthcare in the amount of $1.55 million in connection with a breach of PHI by its service provider, Accretive Health.6 OCR's investigation found that an unencrypted but password-protected laptop was stolen from an Accretive Health employee's locked vehicle. This laptop contained the ePHI of 9,497 individuals. OCR indicated that the settlement amount was due in part to North Memorial's failure to have a BAA in place with Accretive Health, which was acting as a business associate by performing payment and healthcare operations activities on North Memorial's behalf.
Raleigh Orthopaedic Clinic
In April 2016, Raleigh Orthopaedic Clinic entered into a resolution agreement in the amount of $750,000 and a corrective action plan for improperly disclosing PHI to a third-party service provider without entering into a BAA with that service provider.7 The Clinic had orally agreed to allow this vendor to transfer x-ray images to electronic media in exchange for harvesting the silver from the x-ray films. The Clinic gave the third-party vendor access to the PHI of 17,300 patients but never executed a written BAA with it. In a press release announcing the settlement, OCR Director Jocelyn Samuels emphasized that “HIPAA’s obligation on covered entities to obtain BAAs is more than a mere check-the-box paperwork exercise” and that “it is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”8
In total, OCR has reached twelve HIPAA settlements in 2016, with an aggregate of roughly $24 million in financial penalties, which included a record $5.55 million settlement9 with the largest fully integrated health care system in Illinois; settlements with university health systems in Oregon10 and Mississippi11 ($2.7 million and $2.75 million, respectively); and a major settlement involving a health system featuring acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico12 ($2.14 million). In addition, a civil monetary penalty was imposed on a provider of respiratory care, infusion therapy, and medical equipment to in-home patients, with more than 850 branch locations in 48 states.13
These activities demonstrate a significant increase in HIPAA enforcement actions, as OCR entered into only six settlements in all of 2015 totaling approximately $6.2 million in financial penalties. These actions have involved large, medium and small entities, which underscores the need for all covered entities and business associates to ensure that they are conducting a comprehensive risk analysis to identify vulnerabilities or weaknesses in HIPAA compliance; timely addressing any such vulnerabilities and developing policies and procedures to address privacy and security obligations; and entering into BAAs and monitoring existing ones to determine if any updates or changes need to be made to reflect current relationships.
OCR Cyber-Awareness Initiative
In February 2016, OCR launched its new Cyber-Awareness Initiative (Initiative) for the purpose of helping the healthcare industry better understand the current security threats and vulnerabilities it faces.14 Through the Initiative, OCR intends to educate the healthcare industry on acceptable security measures to reduce breaches of ePHI. Business associates were a focus of the Initiative from the very beginning. The April 2016 Initiative Topic (Initiative Topic) focused on preparing business associates to handle security breaches or cyberattacks. As detailed in the Initiative Topic, a large percentage of covered entities believe it is impossible to determine whether the data safeguards and security policies and procedures of their business associates are adequate to respond effectively to a data breach. Further, covered entities think it is difficult to manage business associate security incidents.
In the Initiative Topic, OCR provided some tips for covered entities and business associates in confronting a security breach. OCR advised covered entities to consider defining, in service-level agreements or BAAs, how and for what purpose PHI shall be used or disclosed in the event of a data breach or security incident. The Initiative Topic reminded covered entities that they can be liable for untimely HIPAA breach notification to affected individuals, HHS and the media, a requirement of the HITECH Act. It is important for service-level agreements or BAAs to set a timeframe within which business associates or subcontractors must report a breach or cyberattack. Reporting a breach or cyberattack should be done in a timely manner, and the quicker the incident is reported, the faster a covered entity or business associate can respond. Timely reporting can minimize damages, prevent further loss of ePHI, preserve evidence for forensic analysis and help regain access to the IT system.
OCR also provided some guidance in the Initiative Topic for drafting a BAA. Covered entities need to consider the type of information that a business associate should be required to report to the covered entity in the event of a security breach. It is best to include in the report: (1) the business associate name and individual point of contact; (2) a description of the incident, including the date it happened and the date of discovery (if known); (3) the types of unsecured PHI involved; and (4) actions taken by the business associate to investigate the incident and protect against future incidents.15 Finally, OCR recommended training business associate workforce members to identify and report security breaches. To ensure compliance with the measures above, covered entities should conduct security audits and assessments to evaluate business associates’ or subcontractors’ privacy and security practices.
Phase 2 Audits
In July 2016, OCR kicked off Phase 2 HIPAA audits by notifying approximately 167 covered entities that they had been chosen for the audit.16 The HITECH Act requires HHS to conduct periodic audits of covered entities and business associates to ensure compliance with HIPAA’s Privacy, Security and Breach Notification Rules.17 OCR began the audit process in 2011 and 2012 with its initial Phase 1 Pilot audits of 115 covered entities. As part of Phase 2, OCR intends to audit both covered entities and business associates of all sizes and provider types. The purpose behind the audits is to identify best practices and discover any risks and vulnerabilities that have yet to be discovered through OCR’s ongoing complaint investigations and compliance reviews. OCR emailed covered entities and business associates a questionnaire asking them to verify their contact information and provide background information on their size, type, and operations. This questionnaire asked covered entities to identify their business associate relationships and provide contact information for each of their business associates.
Every business associate identified is eligible to be audited. OCR will be using a combination of desk and onsite audits for both covered entities and business associates. OCR is conducting two rounds of desk audits, the first for covered entities and a second round specifically for business associates. The first round of desk audits was intended to be completed by December 2016. After the desk audits are completed, select covered entities and business associates can look forward to bringing in the New Year by preparing for onsite audits as OCR conducts a more in-depth examination of the desk auditees. Since any business associate identified is eligible for an audit, OCR will likely be auditing a broad range of business associates, from consultants and cloud service providers to law firms. Even if these business associates are not exclusively or primarily focused on the healthcare industry, they are required to meet the Security Rule provisions for having administrative, physical and technical safeguards in place for protecting ePHI, as well as adequate policies and procedures and documentation standards. In November, OCR announced it had notified select business associates of their inclusion in the Phase 2 audits.18 While the information learned from these audits will not be known until later in 2017, business associates not selected for an audit should still be active now in addressing compliance with all of their privacy and security obligations.
Blocking Access to PHI
The future success of U.S. healthcare information technology (IT) relies on achieving interoperability, the ability of technology systems and software applications to easily exchange and share electronic health information.19 However, the road to interoperability has not been without obstacles, with certain healthcare providers and health IT vendors interfering with the free exchange of electronic health information by engaging in information blocking.20 Health information blocking occurs when persons or entities knowingly and unreasonably interfere with the exchange or use of electronic health information.21
In an effort to curb health information blocking, OCR released new guidance in the form of a Frequently Asked Question (FAQ) published in September 2016.22 According to this new FAQ, business associates engaged in blocking a covered entity’s access to patient data will be in violation of the HIPAA Privacy Rule. OCR emphasizes that a business associate may not use PHI in a manner, or to accomplish a purpose or result, that would violate the HIPAA Privacy Rule. The FAQ appears to settle any issues that arise in business disputes between covered entities and their business associates, as well as to ensure that covered entities will be allowed continued access to the PHI their business associates maintain. Failing to ensure that PHI remains accessible and usable by the covered entity is a violation of the HIPAA Security Rule. Business associates cannot terminate or deny the access privileges of a covered entity. For instance, it is impermissible for an electronic health record (EHR) vendor to activate a “kill switch” embedded in its software that renders PHI inaccessible to the healthcare provider during a payment dispute. As noted in the FAQ, covered entities are ultimately responsible for ensuring the availability of their own PHI. If a covered entity has agreed to terms in a BAA that prevent it from ensuring access to its own PHI, then it is not in compliance with the Privacy and Security Rules. Covered entities should carefully review the terms of their performance contracts and BAAs to ensure they haven’t agreed to any provisions that would put them at risk of violating HIPAA.
Cloud Computing Guidance
Most recently, in October 2016, OCR released new guidance on cloud computing in the form of a FAQ stating that a cloud storage provider (CSP) maintaining a covered entity's PHI is a business associate.23 The FAQ stated that even “no-view” CSPs (such as CSPs that handle encrypted data only and do not have access to the decryption keys for such data) are still business associates and must still comply with certain HIPAA requirements, including implementation of safeguards to maintain confidentiality,24 execution of a BAA, conducting a Security Risk Analysis, compliance with the Privacy Rule and Security Rule,25 and compliance with the Breach Reporting Rule.
In addition, the FAQ states that when a business associate subcontracts with a CSP to create, receive, maintain or transmit ePHI, the CSP subcontractor is also a business associate – and also must comply with certain HIPAA requirements, including compliance with the Security Rule and execution of a BAA. To highlight this BAA requirement for CSPs that store ePHI, the FAQ cited the July 2016 OCR enforcement action against Oregon Health and Science University, which resulted from the covered entity's failure to execute a BAA with a CSP that stored the ePHI of more than 3,000 individuals on a cloud-based server.
The FAQ eliminates the ability of CSPs to operate under a HIPAA gray area commonly known as the "conduit exception," which some CSPs may have believed exempted them from compliance with HIPAA. The conduit exception allows transmission-only services for PHI that are transient in nature (such as the postal service) to avoid compliance with HIPAA.26 The FAQ clarifies that the conduit exception requires that access to PHI be only transient in nature, whereas CSPs that maintain ePHI for the purpose of storage have persistent access to such ePHI, and therefore do not qualify for this exception. However, the FAQ does recognize that there may be situations in which a CSP does not have actual or constructive knowledge that it holds PHI, so long as the resulting HIPAA violations are not due to the CSP's willful neglect. The FAQ states that such a CSP has an affirmative defense to what would otherwise be a HIPAA violation as long as it takes action to correct the noncompliance within 30 days of the time it knew or should have known of the violation (or within such additional period as OCR may determine based on the nature and extent of the noncompliance).
Further, the FAQ indicates that if PHI is encrypted at a level that meets NIST standards,27 an unauthorized incident may fall within the breach "safe harbor" and therefore not require reporting to the CSP's customers. Still, OCR expects CSPs to take reasonable steps to find out if a customer is a covered entity or business associate, and to take responsibility for control and security of the cloud environment, as encryption alone will not address HIPAA's required administrative and physical safeguards to maintain confidentiality.
Finally, the FAQ states that covered entities (including providers) may use mobile devices to access ePHI in a cloud environment (again provided that the parties have entered into a BAA) and that PHI need not reside on servers within the United States. The final FAQ note clarifies that a CSP that receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule is not a business associate because, by definition, de-identified information is not PHI.
These developments demonstrate that OCR is sending a strong and timely message that both covered entities and business associates should take the necessary steps to ensure their HIPAA compliance programs are effective in order to avoid potentially large penalties. These activities should put business associates on alert that OCR is actively looking for violations of the Privacy and Security Rules by business associates. Well-developed BAAs and comprehensive HIPAA compliance programs are steps in the right direction to deter enforcement actions.
Ashley L. Thomas is an attorney in the Raleigh, North Carolina office of Nelson Mullins Riley & Scarborough, where she works with healthcare industry clients on regulatory and transactional matters. Ashley is not yet admitted to practice law in North Carolina but is licensed in Illinois, Indiana and Missouri. She currently serves as the Co-Chair of the Science and Technology Committee for the ABA's Young Lawyers Division. She may be reached at firstname.lastname@example.org.
Tony Caldwell is an attorney in the Indianapolis, Indiana office of Hall Render Killian Heath & Lyman. He practices healthcare law with a focus on health information technology, general business transactions and services, privacy and security and electronic health records. He may be reached at email@example.com.