Kimberly Shutters, BCS
Founder and CEO, HIPAA alli, San Diego, CA
What if your organization had to pay a $1.55 million Health Insurance Portability and Accountability Act (HIPAA) settlement because you did NOT have a Business Associate Agreement (BAA) and/or did not confirm risks were mitigated? Do NOT let this happen to you or your business associate (BA)!
In 2011, the Office for Civil Rights (OCR) investigated North Memorial Health Care of Minnesota after a protected health information (PHI) breach affected 9,497 patient records. The breach resulted from a laptop stolen from the vehicle of an employee of North Memorial’s BA, Accretive Health, Inc. Although the device was password-protected, the electronic PHI (ePHI) stored on it had not been encrypted.
The investigation revealed that North Memorial had overlooked “two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels. Do you have current and signed BAAs? Do you know if your BA has conducted a risk analysis including a mitigation plan for all identified risks?
Accretive Health, Inc., had been contracted to perform a number of operations on behalf of North Memorial. Those operations required Accretive Health to have access to a hospital database containing both paper and ePHI of 289,904 patients. However, prior to access to patient data being granted, North Memorial failed to obtain the required signed copy of a HIPAA compliant BAA.
The investigation also revealed that North Memorial had not performed a comprehensive risk analysis covering the entire organization. Consequently, North Memorial could not have identified all of its security vulnerabilities and therefore could not have taken action to address all potential issues.
Healthcare providers, referred to as covered entities (CE), must obtain a signed BAA from anyone that performs functions, activities or services for or on behalf of a CE that require access to patient PHI. The signed BAA must be in place before access to PHI is granted. The BAA must spell out the responsibilities the BA takes on to ensure PHI is protected and is not disclosed to any unauthorized party (see 45 CFR § 164.502(e)).
The HIPAA Security Rule Applies To You Too, BAs!
Before the HIPAA Security Rule was implemented, no generally accepted set of security standards or general requirements for securing ePHI existed. During this period, new technologies were evolving and the industry began to rely on computers to store data, send and pay claims, answer eligibility questions, and conduct a host of other administrative and clinical functions.
Further changes came on January 17, 2013, when the Department of Health and Human Services (HHS) OCR issued the Omnibus Final Rule, which modified the HIPAA Privacy, Security, Enforcement and Breach Notification Rules as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA). This Final Rule became effective on September 23, 2013, and is often referred to as the HIPAA Omnibus Final Rule. The omnibus rulemaking was published in the Federal Register on January 25, 2013.[1]
A significant aspect of the final rule is the effect on BAs. The introduction of the HITECH Act made the Breach Notification Rule, much of the HIPAA Security Rule, and certain provisions of the Privacy Rule directly applicable to BAs. BAs can now be held liable for civil and criminal violation of these provisions. The HITECH Act also adopted a new structure for civil monetary penalties, under which maximum penalties of $50,000 per violation can be imposed, up to a maximum of $1,500,000 for identical violations in a calendar year.
Who and What are Business Associates?
These days most CEs and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other individuals and/or businesses. HHS defines this type of service provider as a BA, as set out in 45 CFR 160.103.[2]
A Business Associate (BA) is a person or entity, including a subcontractor, other than a member of the workforce of a CE, that performs functions or activities involving access by the BA to PHI. A subcontractor that creates, receives, maintains, or transmits PHI on behalf of another BA is also a BA.
The HIPAA Privacy Rule, Uses and Disclosures of PHI: General Rules – Standard: Disclosures to BAs §164.502(e) (1), addresses conditions for disclosure of PHI to BAs.
According to §164.502(e)(1)(i), a CE may disclose PHI to a BA and may allow a BA to create, receive, maintain or transmit PHI on its behalf, if the CE obtains satisfactory assurance that the BA will appropriately safeguard the information (see BAA as defined below). The type of BA services may include:
- Healthcare Claims Administration
- Management Service Provider
Examples of BAs:
- A third-party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involves access to PHI.
- An attorney whose legal services to a health plan involve access to PHI.
- A consultant that performs utilization reviews for a hospital.
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
What is a Business Associate Agreement?
The HIPAA rules require CEs and BAs to obtain a signed BAA from each BA and each of their subcontractors to ensure appropriate safeguards are implemented to protect PHI and ePHI. The BA contract, known as the BAA, serves to clarify and limit the permissible uses and disclosures of PHI by the BA to those permitted or required by the contract, based on the relationship between the parties and the activities or services the BA performs.
A BA can be held directly liable and subject to civil and, in some cases, criminal penalties for uses and disclosures of PHI that were not authorized by its contract or required by law. Liability may attach to a BA even where the BA has not entered into the required agreement with the CE.
Since adoption of the original HIPAA Privacy Rule and Security Rule, BAs have had to enter into agreements with CEs that required the BA to implement administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI.
Countless CEs believe it’s impossible to determine whether the data safeguards, security policies and procedures of their BAs are adequate to respond effectively to a data breach. To complicate matters, a large percentage also believes BAs would NOT notify them in the event of a security breach or cyberattack.
Why Should You Care?
It is your responsibility as a CE to put in place a BAA that holds the third party to the same standards of privacy and confidentiality as yourself.
BAAs are required for all vendors or organizations to which you grant access to your patients’ PHI. CEs are required to identify who their BAs are and confirm that a current BAA is in place. The BAA must limit the BA’s access to PHI to only what is necessary to carry out its activities for the CE.
CEs and BAs, in accordance with §164.306, must ensure the confidentiality, integrity and availability of all electronic PHI the CE or BA creates, receives, maintains or transmits. A CE may permit a BA to do so on the CE’s behalf only if the CE obtains satisfactory assurances, in accordance with §164.314(a), that the BA will appropriately safeguard the information.[3]
Also, if the BA carries out any part of a CE’s obligation under the Privacy Rule, the BA must comply with the Privacy Rule with respect to that activity. If the BA subcontracts any of its activities, it must enter into an agreement with its subcontractor that complies with the requirements for BAAs and it may not permit the contractor to use or disclose PHI in a manner that would not be permissible to the BA.
What is a HIPAA Security Risk Analysis?
All ePHI created, received, maintained or transmitted by any organization is subject to the Security Rule. The Security Rule requires BAs to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
This means all BAs are required to perform a comprehensive, organization-wide HIPAA Security Risk Analysis to identify their potential administrative, physical and technical security risks to PHI (45 CFR § 164.308(a)(1)). The analysis must cover more than your EHR system!
Conducting an accurate and thorough risk analysis is the first step in identifying potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the BA.
Many of the Security Rule standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach CEs can use to meet a particular standard.
Implementation Specifications are either Required or Addressable.
Required – the specification must be implemented. This applies to all BAs, including entrepreneurs and start-up medical application developers.
Addressable – the specification allows a BA to adopt alternative measures to achieve the purpose of the standard, provided the alternative measures are reasonable and appropriate (45 C.F.R. § 164.306(d)). Note that this does not mean the specification is optional.
It is important to remember the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance and it establishes several objectives that any adopted methodology must achieve.
There are numerous methods of performing risk analysis and risk management. No single method or “best practice” guarantees compliance with the Security Rule. However, most risk analysis and risk management processes share common steps. The following steps are provided as examples that CEs could apply to their environment. They are adapted from the approach outlined in NIST SP 800-30, shown in Figure 1.
Following are some example risk analysis steps used to evaluate and identify controls to address potential risk areas:
- Identify the scope of the analysis.
- Gather data.
- Identify and document potential threats and vulnerabilities.
- Assess current security measures.
- Determine the likelihood of threat occurrence.
- Determine the potential impact of threat occurrence.
- Determine the level of risk.
- Identify security measures and finalize documentation.
For more information on risk analysis methodology, the National Institute of Standards and Technology (NIST) Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, offers guidelines representing industry standards for good business practices with respect to securing PHI. Although only federal agencies are required to follow federal guidelines, non-federal organizations may find their content valuable when developing and performing compliance activities.
Performing a risk analysis is not a one-and-done task. Rather, it is an ongoing cycle of activity that must be engaged with discipline and proactive decision-making. An initial or baseline risk assessment can be done at any point in time. However, the continuous process of identifying, analyzing, planning, tracking and controlling risks has an ongoing lifecycle that must receive attention to be effective, especially considering the new and emerging technologies continuously arriving and being adopted in the industry.
After the risk analysis is complete, the risk management process of identifying and measuring risks and developing strategies to manage them begins. Risk management plans are intended as documentation of your approach and of the commitments to address the risks identified in your risk analysis.
Because the HITECH Act made the Breach Notification Rule, much of the HIPAA Security Rule, and certain provisions of the Privacy Rule directly applicable to BAs, BAs can be held liable for civil and criminal violations of these provisions. The HITECH Act also adopted a new structure for civil monetary penalties, under which maximum penalties of $50,000 per violation can be imposed, up to a maximum of $1,500,000 for identical violations in a calendar year.
BAs must conduct and document a HIPAA security risk analysis of their computer and other information systems to identify potential security risks and respond accordingly (45 CFR § 164.308(a)(1)). And don’t forget to document your findings: if it’s not documented, it didn’t happen!
Remember: Any change made to the equipment used to create, receive, maintain or transmit a practice’s PHI requires an update to the risk analysis.
[1] 78 Fed. Reg. 5566 (Jan. 25, 2013)
[2] Note: This reference was used for the entire Business Associate & Your Practice section: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html