Latest HIPAA Settlement and OCR FAQ Emphasize (Again) the Importance of Properly Structuring the Business Associate Relationship
On September 23, 2016, the United States Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Care New England Health Systems
(CNE), “on behalf of each of the covered entities under its common ownership or control,” for potential violations of the HIPAA Privacy and Security Rules. This latest settlement ups the wattage of the bright light OCR is shining on business associates (BA) and the business associate relationship. It is particularly important because of OCR’s recent announcement that Phase 2 BA desk audits will begin next month.
CNE provides “centralized corporate support” as a BA of its subsidiary affiliated covered entities (CE). Services include technical support and information security for the affiliated entities’ information systems. In November 2012, Women & Infants Hospital of Rhode Island (WIH) – one of CNE’s subsidiary CEs – had notified OCR of the loss of unencrypted backup tapes containing approximately 14,000 individuals’ electronic protected health information (ePHI). The hospital’s business associate agreement (BAA) with CNE was effective March 2005 and had not been updated to incorporate changes required by the 2013 Omnibus Final Rule. WIH did not revise the BAA until August 2015, after OCR became involved.
OCR’s investigation indicated the following conduct occurred:
WIH disclosed protected health information (PHI) to its BA, CNE, and allowed CNE to create, receive, maintain, or transmit PHI on its behalf, without obtaining satisfactory assurances that the BA would appropriately safeguard the information. The hospital failed to renew or modify its existing BAA with CNE to include the applicable implementation specifications the Privacy and Security Rules require.
WIH impermissibly disclosed at least 14,004 individuals’ PHI to its BA, CNE, by providing CNE access to PHI without obtaining satisfactory assurances – in the form of a written BAA – that the BA would appropriately safeguard the information.
CNE, on behalf of the affiliated covered entities, including WIH, agreed to pay a $400,000 resolution amount, and enter into a two-year corrective action plan that includes implementing policies and procedures to address the BA relationship, workforce training, and security incident response.
Regarding the underlying breach, in July 2014, the hospital entered into a consent judgment with the Massachusetts Attorney General’s Office
, and reached a $150,000 settlement. The Massachusetts AG provides further details:
In April 2012, WIH realized that it was missing 19 unencrypted back-up tapes from two of its Prenatal Diagnostic Centers, one located in Providence, Rhode Island and the other located in New Bedford, Massachusetts. The back-up tapes contained the personal information and protected health information of 12,127 Massachusetts residents.
In the summer of 2011, these back-up tapes were supposed to be sent to a central data center at WIH’s parent company, Care New England Health System and then shipped off-site in order to transfer legacy radiology information to a new picture archiving and communications system. However, due to an inadequate inventory and tracking system, WIH allegedly did not discover the tapes were missing until the spring of 2012. Due to deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012.
Under the terms of the State AG settlement, WIH agreed to take steps to ensure future compliance with state and federal data security laws and regulations, including maintaining an up-to-date inventory of the locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information and PHI. The hospital also agreed to review and audit security measures and take any corrective measures recommended in the review.
OCR determined that the consent judgment with the Massachusetts AG sufficiently covered “most of the conduct” at issue in the breach, including failure to implement appropriate safeguards related to PHI on backup tapes, and failure to timely notify affected individuals.
OCR Director Jocelyn Samuels commented: “This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule.”
Who’s In Trouble Here?
While some tout CNE as OCR's second settlement with a business associate (following its settlement with Catholic Health Care Services of the Archdiocese Philadelphia
(CHCS) in June 2016), it is more accurate to characterize this settlement as one focusing on the covered entity hospital, WIH. The business associate, CNE, entered as a party to the settlement not on its own behalf, but "on behalf of" the breaching hospital and the other affiliated covered entities under CNE’s ownership and control. Notably, the covered conduct addressed in the Resolution Agreement refers to the hospital's
impermissible disclosures of PHI based on its failure to enter into a compliant BAA with CNE. Finally, the hospital – not CNE – was a party to the consent judgment with the Massachusetts Attorney General's Office.
Even if the settlement was not with CNE as a business associate, CNE is surely now on OCR's radar in this capacity. And given the current enforcement environment, this is not an enviable place to be.
Enforcement Environment for the Business Associate Relationship
A “business associate” is a person who creates, receives, maintains, or transmits PHI to provide certain services to the CE.
Both the Privacy Rule and the Security Rule prohibit disclosing PHI to a business associate unless and until the BA has provided “written assurances” that it will appropriately safeguard the information.
These assurances must be documented in a “written contract or other arrangements” that meets the requirements of a business associate agreement.
A compliant BAA also clarifies and limits the BA’s permissible uses and disclosures of PHI, based upon the parties’ relationship and the services the BA performs. A business associate may only use and disclose PHI as permitted or required by the BAA, or as required by law. BAs are now directly liable under the HIPAA Rules for uses and disclosures that the BAA does not authorize.
In early 2016, OCR entered settlement agreements with two covered entities stemming from breaches by their business associates.
In March 2016, OCR announced a settlement with North Memorial Health Care, a comprehensive not-for-profit health care system. OCR began investigating North Memorial after receiving a report that an unencrypted, password-protected laptop was stolen from the vehicle of a business associate’s employee. This impacted 9,497 individuals’ ePHI. OCR's investigation revealed the following conduct occurred:
North Memorial provided its BA access to the PHI without obtaining satisfactory assurance from the BA (in the form of a written business associate agreement) that the BA would appropriately safeguard PHI.
North Memorial impermissibly disclosed 289,904 individuals’ PHI to the BA by providing access to PHI without obtaining the BA’s satisfactory assurances (in the form of a written BAA) that the BA would appropriately safeguard the PHI.
North Memorial failed to conduct an accurate and thorough risk analysis that incorporated all of North Memorial's information technology equipment, applications, and data systems using ePHI.
North Memorial agreed to pay a $1.55M resolution amount, and enter into a corrective action plan. OCR Director Jocelyn Samuels commented: “Two major cornerstones of the HIPAA Rules were overlooked by this entity. Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
In April 2016, OCR announced a settlement with Raleigh Orthopaedic Clinic, P.A., after receiving a breach report in 2013. OCR's investigation revealed that the clinic released x-ray films and related PHI of 17,300 patients to an entity that would transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. The clinic had not executed a business associate agreement with the entity, “acting as its business associate,” before disclosing the PHI, in violation of 45 CFR 164.502(e).
The clinic agreed to pay a $750,000 resolution amount and enter into a corrective action plan. OCR Director Samuels emphasized: “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Immediately after announcing these settlements, and most likely in response to a collective wail from covered entities, OCR sent a listserv mailing in May 2016 cautioning CEs to consider how they will address a privacy or security breach by a business associate
. This is an area of insecurity for many CEs – and perhaps rightly so considering the earlier settlement announcements. While the Breach Notification Rule requires BAs to notify their CE after discovering a breach of unsecured protected health information,
OCR reports that a large percentage of CEs believe their BAs will not, in fact, notify them of breaches or security incidents. OCR also reports that CEs find it “difficult” to manage security incidents involving BAs, and “impossible” to determine whether their BAs' security policies and procedures are adequate to effectively respond to a breach. To address these issues, OCR recommended – among other things – that covered entities beef up their business associate agreements, and consider auditing and assessing their BAs' security and privacy practices.
OCR followed its listserv announcement with its first settlement with a business associate
– a $650,000 resolution with CHCS stemming (as they so often do) from a stolen portable electronic device containing "extensive" unencrypted ePHI. OCR's investigation revealed the business associate had not accurately and thoroughly assessed the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (i.e., it had not conducted a Security Rule risk analysis), and had not implemented a risk management plan to address risks and vulnerabilities.
Commenting on the settlement, OCR Director Samuels emphasized: “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
OCR's latest commentary on the business associate relationship is an FAQ released September 28, 2016
, addressing availability of PHI maintained by a business associate. Here, OCR answers with a definite "no" the question: May a business associate block or terminate access by the covered entity to the protected health information maintained by the BA for or on behalf of the CE?
First, if a BA blocks the CE's access to this PHI (or terminates the CE's access), it has engaged in an impermissible use in violation of the Privacy Rule.
Therefore, a BA that is an EHR developer cannot resolve a payment dispute with a covered health care provider by activating an embedded kill switch that renders the data inaccessible to the provider. Likewise, a BA that refuses to return PHI at the end of the engagement, as provided by the BAA, also violates the Privacy Rule.
Second, a BA that blocks a CE's access to PHI violates the Security Rule requirement that BAs maintain the availability of PHI they create, receive, maintain, or transmit on a CE's behalf. Maintaining availability means ensuring the PHI is accessible and usable by the CE on demand, whether the PHI is maintained in an EHR, the cloud, a data backup system, a database, or another system. A BA violates the Privacy Rule if it terminates a CE's access privileges, or otherwise denies the CE access, to PHI the BA maintains on its behalf.
Third, the Privacy Rule requires a BA to make PHI available to the CE as necessary to satisfy the CE's obligation to provide individuals with access to their own PHI.
Therefore, a business associate may not deny a covered entity access to the PHI the BA maintains on the CE's behalf if the covered entity needs the PHI to satisfy these obligations.
BAs that worry this FAQ targets only their behavior can take heart: CEs are also advised to beware. OCR emphasizes that a CE is ultimately responsible for the availability of its own PHI. If a CE agrees to terms in a BAA that prevent the CE from ensuring the availability of its own PHI, the CE itself is out of compliance.
And, of course … there are those audits. In March 2016, OCR announced that the long-awaited Phase 2 compliance audits were underway
. As expected, this second wave of audits included business associates as auditees. Desk audits of 167 covered entities are currently underway, and OCR announced that desk audits of BAs will begin in October. While the BA auditees are expected be drawn from a pool of BAs identified by the covered entity audit pool, OCR has not ruled out that it will select other BAs, as well. Site audits of a smaller group of CEs and BAs will begin in early 2017.
What Can Covered Entities and Business Associates Do Now?
Important lessons can be gleaned from this most recent OCR settlement. If you are a covered entity or business associate, you can learn from Care New England Health System's troubles and:
1. Designate a person within your organization to ensure that you enter a HIPAA-compliant business associate agreement with each BA before disclosing protected health information to the BA. If you are a BA, the designated individual should ensure you have entered a HIPAA-compliant BAA before receiving PHI from your covered entity. OCR has provided sample BAA provisions that can help you with this task.
2. Implement policies and procedures to:
a. Assess current and future business relationships to determine whether each relationship is a "business associate" relationship as defined by the HIPAA Rules.
b. Negotiate and enter into a HIPAA-compliant business associate agreement before disclosing PHI to a BA, or receiving PHI if you are a BA.
c. Maintain documentation of each BAA for at least 6 years beyond termination of the business associate relationship, as the Privacy Rule requires.
d. Limit disclosures of PHI to a business associate to the minimum amount necessary for the BA to perform its duties. If you are a business associate, request and receive from your CE only the minimum necessary PHI to perform your duties. Less is sometimes more.
e. Address security incidents, including a requirement that all workforce members report to the designated Privacy/Security Officer, at the earliest possible time, any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system of which they become aware.
3. Distribute these policies and procedures to workforce members who handle PHI as part of their job responsibilities.
4. Train workforce members on these policies and procedures, and retrain if and when the policies and procedures change.
5. Assess the policies and procedures, and revise and update as necessary, at least annually.
6. Implement measures providing that:
a. Workforce members will report any violation of these policies and procedures to the Privacy/Security officer.
b. Your organization will, upon receiving information that a workforce member may have violated these policies and procedures, promptly investigate and address the violation in a timely and appropriate manner.
c. Your organization will apply appropriate sanctions (which may include re-training or other instructive corrective action, depending on the circumstances) against workforce members – including supervisors and managers – who fail to comply with the policies and procedures.
OCR is increasingly focusing the enforcement spotlight on the business associate relationship. With Phase 2 desk audits of business associates to begin in October, and field audits of both CEs and BAs upcoming early next year, regulated entities are well-advised to learn from recent enforcements, and take advantage of OCR guidance to strengthen their compliance programs.
For more information on HIPAA compliance and audits, contact Kim Metzger
, Deepali Doddi
or a member of our HIPAA Privacy and Security practice
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
45 CFR 164.502(e)(1)(i) (Privacy Rule); 45 CFR 164.314(a) (Security Rule)
45 CFR 164.502(e) (Privacy Rule); 45 CFR 164.308(a) (Security Rule); 45 CFR 164.532(d)
45 CFR 164.502(e)(1) (Privacy Rule); 45 CFR 164.314(a) (Security Rule)
45 CFR 164.308(b) and 164.502(e)
45 CFR 164.308(a)(1)(ii)(A)
45 CFR 164.410(a)(1)
45 CFR 164.502(a)(3)
45 CFR 164.306(a)(1)
45 CFR §§ 164.502(a)(4)(ii), 164.504(e)(2)(ii)(E).
Of course, there may be business associate arrangements in which the parties agree that the BA will not provide the CE access to the PHI, for example, data aggregation services that render the original data unreturnable to the CE. OCR does not consider these contractual arrangements to constitute the types of impermissible data blocking or access termination.
45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1)