An important deadline is fast approaching for healthcare companies to ensure that the outside vendors and sub-contractors they rely on are doing enough to protect the sensitive private data of their patients.

By Sept. 23, the Department of Health and Human Services expects healthcare providers to have completed “business associate agreements” with all third parties that spell out exactly how those vendors will work to protect sensitive health data.

The required agreements are part of a package of reforms HHS released in January 2013 to update the Health Insurance Portability and Accountability Act’s health data privacy and security mandates. The HIPAA enhancements expand many existing requirements to business associates of healthcare companies that handle protected health information. The final rule defines “business associate” as a person who performs services for a covered entity and extends business associate provisions of HIPAA rules to sub-contractors “that create, receive, maintain, or transmit protected health information” on behalf of a business associate.

Subsequent HHS guidance outlined the information these agreements must contain. It says they should clarify and limit permissible uses and disclosures of protected health information by third parties, based on the relationship and the services provided. Third parties may use or disclose protected health information only as permitted or required by their contracts or as required by law.

While it’s the health provider’s responsibility to ensure the agreements are in place, third-party contractors aren’t off the hook. They are directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for a use or disclosure of health information not authorized by their contract. The agreement must also require contractors to report any use or disclosure of the information not provided for by their contract, including breaches, and make available to HHS their internal practices, books, and records relating to the use and disclosure of protected health information.

Too Broad?

When the rule on data use agreements was in its draft stage, many of the vendors and sub-contractors who seemed to fall under its purview questioned its scope. Can a cleaning crew count as a business associate if they enter rooms where personal health information is present? What about landscapers or kitchen staff at a hospital? Over time, most of these dilemmas were resolved. Subsequent versions of the rule narrowed the scope, and the answer to both examples is that they are not included in the data rules governing business associates.


In other cases, clarifications were made that pulled some service providers under the umbrella of the rule. The HHS, for example, eliminated the so-called “conduit exemption,” Eric Fader, counsel with the law firm Day Pitney who specializes in healthcare, explains. “You used to be able to say you were just a conduit for information if you ran a data farm. But the exception has been narrowed so only true couriers, like the post office and internet service providers, are considered conduits.”

Even as the deadline fast approaches, plenty of pushback remains. “I still see resistance to being called a business associate, and that’s foolish,” Fader says.  The HIPAA rule makes it clear that “obligations go down the chain,” he explains, and that a sub-contractor has the same responsibilities as the business associate they work for. 

“By signing the agreement, you are telling the government you know what HIPAA and the HITECH Act is, and that you know what your obligations are and take them seriously,” Fader says. Not having a business associate agreement will work against a service provider if there is a data breach involving personal health information and a government investigation “sees that the entity that suffered the breach did not take their obligations seriously.”

A Shared Responsibility for Data Security

The following, published by the Department of Health and Human Services, offers guidance on agreements that healthcare entities must strike with their business associates.
A written contract between a covered entity and a business associate must:
(1) establish the permitted and required uses and disclosures of protected health information by the business associate;
(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
Contracts between business associates and business associates that are subcontractors are subject to these same requirements.
Source: U.S. Department of Health & Human Services.

“A failure to comply with the statutory obligations makes the consequences of a data breach much worse,” he says. “We’ve seen the federal government making examples of different healthcare entities in different categories of businesses and for different types of breaches,” says Fader. “But there are people out there who just still don’t get it. ‘Oh, it would cost us a lot of money to encrypt our e-mails.’ I don’t care, you have to do it.”

Well-constructed business associate agreements that outline the responsibilities and methods to protect patient data, and that both sides abide by, could earn companies enforcement credit should a problem occur. A business associate with a signed commitment to data security, and one that backs up its promises with regular risk assessments, may not face the full wrath of regulators, says Tina Boschert, a partner with the law firm Spencer Fane Britt & Brown.

11th Hour Push

According to some lawyers, health providers and their contractors still have some work to do to get the agreements in place by the deadline later this month. “What I usually find, and it’s true any time new regulations go into effect, is that people typically wait until the last minute,” Boschert says, but procrastination may not be the only factor. Some organizations may wrongfully assume that older agreements are grandfathered; others may find it difficult to hunt down all these agreements. “You will have a business associate agreement that is part of a supply or service agreement, or an addendum to another agreement,” she says. “Knowing where they all are may depend on how sophisticated the entity is in terms of tracking all their agreements—which ones are older, which have expired, and which ones haven’t.”

Perhaps the biggest reason some business associates are dragging their feet: liability. “The business associate now takes on a lot of the liability under the law,” Boschert says. “They are responsible for a lot more security requirements and can be held accountable individually.” In the past, health providers, often referred to under HIPAA as “covered entities,” were on the hook. “By having a business associate sign this agreement, they obviously want to shift some of the liability and make them accountable,” she says.

With penalties for HIPAA non-compliance reaching a maximum of $1.5 million per violation, these agreements could prove costly down the road.

The importance of complying with HIPAA and the business associate requirements is borne out by recent enforcement actions and ongoing investigations, Katherine Miler, an associate with law firm Drinker Biddle & Reath’s healthcare practice group, says. Those cases also underscore the liability fears that have vendors on edge. Among the recent, high-profile breaches of patient information:

In July 2014, Community Health Systems, a Tennessee-based hospital chain with 206 hospitals, discovered that an outside group of hackers targeted its computer network and stole patient data of approximately 4.5 million individuals.

In June 2014, HHS announced that Parkview Health System, a non-profit healthcare system in Ohio, agreed to settle potential violations of HIPAA with a payment of $800,000 and the adoption of a Corrective Action Plan to address deficiencies. An investigation found that it left 71 cardboard boxes of medical records unattended on the driveway of a physician’s home.

In February 2014, Triple-S Salud, a health insurer in Puerto Rico, was fined $6.78 million for a breach. It inadvertently mailed a pamphlet that included beneficiaries’ Medicare claims numbers to 13,336 people.

“Some business associates are pushing back because under HIPAA they are now directly liable, and they are also liable under the contract so there is going to be pushback over what terms are in the business associate agreement,” Miler says. “They want to negotiate what terms are included.”

Nevertheless, at this late date, stalling may not be a worthwhile strategy. “Business associates need to comply with HIPAA so it is not wise for them to refuse to sign these agreements,” Miler says. “They are directly liable under HIPAA and they can’t avoid that liability by not signing the agreements. It is the covered entity’s obligation to have these agreements entered into, and there is going to be liability on both ends.”