There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH). In Part I, we discussed what HIPAA covered entities (CEs) need to do to prepare. This discussion will focus on our suggestions for HIPAA business associates (BAs) and their subcontractors (subBAs). Although the core recommendations are for the most part the same as we identified in Part I for CEs, the justification for adopting these suggestions is slightly different and the priorities are reorganized for BAs and subBAs.
Legal: BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Experienced outside privacy counsel can help BAs become compliant with the final rule requirements. Privacy counsel will be valuable in assisting with and documenting whether a breach has occurred, as well as in helping BAs and subBAs develop appropriate compliance programs. Now that CEs have an obligation related to appropriately selecting and retaining vendors, CEs will be doing their due diligence to determine whether their vendors are compliant.
Cyber Insurance: CEs have been struggling with HIPAA compliance, particularly compliance with the Security Rule, for nearly a decade. Now, BAs must enter the fold. While BAs for the most part have safeguards in place for protected health information (PHI), strict compliance with the HIPAA Security Rule by BAs is questionable. Insurance is not a substitute for compliance. More than one-third of breaches are caused by vendors and the breach reports we have seen since 2009 suggest that BAs and subBAs have a lot to do to become fully compliant with HIPAA. Therefore, as BAs and subBAs wrestle with these compliance issues, it is critical to have a robust cyber insurance policy in place that covers not only notification costs, but also regulatory penalties. BAs and CEs need to keep in mind that penalties for violations of the HIPAA Rules will be specific to the organization against which the penalty is being assessed.
There appears to be some confusion over whether or not joint and several liability principles will apply to assessment of penalties. There may be a few very limited circumstances where this might be an issue, but for the most part, the penalty will relate to a specific violation by that entity. For example, a BA will not be subject to penalties because a CE did not perform a periodic risk assessment as required by HIPAA. Or, a BA may be subject to a penalty for not having sufficient technical safeguards in place while the CE may be subject to a penalty for being aware of the BA’s failures and not doing something to stop the practice.
Policies and Procedures: Compliance with HIPAA requires that administrative, technical, and physical safeguards be in place to protect PHI. Additionally, the organization must have policies and procedures in place to implement these safeguards. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has enforcement authority over the HIPAA Privacy and Security Rules. After a breach is reported to HHS, OCR requests a copy of the organization’s policies and procedures in place to safeguard PHI. The request is often broader than the cause of the reported breach and extends to all policies and procedures in place in order for OCR to determine if the responding organization is compliant with HIPAA. Examples of policies that BAs should have in place include: (1) permitted uses and disclosures of PHI; (2) business associates; (3) minimum necessary; (4) de-identification of PHI; (5) back-up plans; (6) disaster recovery; (7) risk analysis; (8) risk management plans; (9) workforce training; and (10) termination of access.
Risk Assessments and Risk Management Plans: BAs are now subject to the OCR HIPAA Audit protocol. HIPAA requires organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan. The OCR HIPAA Audit program sets a framework to analyze process, controls, and policies of the selected BA by using a comprehensive audit protocol. The protocol addresses uses and disclosures, safeguards in place (administrative, physical, and technical), and breach notification rule compliance.
Incident Response Plans (IRPs): IRPs are a roadmap to guide the breach response activities of an organization’s incident response team (IRT). As with CEs, the IRPs of BAs and subBAs must include the factors HHS has outlined for consideration in determining whether there is a low probability of compromise: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed). An IRT’s members depend on the size and complexity of the organization, but typically include members from the following groups: (1) general counsel; (2) IS/IT; (3) communications; (4) HR; (5) compliance; and (6) privacy. External members of the team can include: (1) outside privacy counsel; (2) forensics; (3) notification vendors; and (4) crisis management.
Breach Analysis Forms: Keep in mind two basic requirements when considering the impact of the final rule. The first is compliance and the second is documentation. As BAs develop their compliance programs to fit the new requirements, they need to remember to update their forms as well. The standard for determining whether or not a breach has occurred has changed and so has the required analysis. A breach is presumed unless the CE can show that there is a low probability of compromise. Moreover, HHS has outlined at least four (4) factors that must be considered. (The four factors are listed under Incident Response Plans, supra.) To the extent that third-party tools which analyze breach notification are utilized, BAs need to confirm that the approach reflects the new requirements.
Education: A culture of compliance is expected. Education and awareness are the best ways to develop that culture. In addition to new employee training and annual training, consider periodic training in the form of newsletters and other events to keep privacy at the top of employees’ minds.
Business Associate Agreements: Expect an administrative nightmare. Changes to business associate agreements (BAAs) are coming. CEs will be struggling with compliance with the final rule and you are going to see demands from CEs that may test the BAs' ability to comply with the requests--both on an administrative level because of the volume of contracts that will need to be amended and from a compliance standpoint because BAs are not prepared to meet the safeguard demands. Additionally, BAs will need to modify the agreements they have in place with subBAs to ensure compliance with HIPAA.
Forensics: As with CEs, BAs need to develop relationships with forensic firms because outside forensics is going to be critical in helping to reach a conclusion that a breach has not occurred--low probability of compromise. For those BAs that already have cyber insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.
OCR Director Rodriguez has made it clear the final rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released. And, further, the final rule provides OCR with an opportunity to vigorously enforce compliance. These statements are a reality for the several dozen OCR investigations that we are currently defending. As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions which organizations face will become more difficult to answer. Compliance with HIPAA must be a top priority for all CEs, BAs, and subBAs.