Are You at Risk of Improperly Managing Business Associates?

In the world of HIPAA, you are your brother’s (or sister’s) keeper. Under the HIPAA HITECH Act enacted as part of the American Recovery and Reinvestment of 2009, that means, legally speaking, that any covered entity (CE) — namely the healthcare provider — is indeed liable for the actions of any business associate (BA). The BA, as it pertains to HIPAA, is any person or entity that performs any functions, activities, or services on behalf of a CE that involves the use or disclosure of protected health information (PHI), typically for payment (ie, reimbursement) or healthcare operations activities. Generally, BAs are needed by CEs to help run their healthcare business, in which the BA has access to PHI. BAs by definition “create, receive, maintain, transmit, or store PHI on behalf of a CE (including organized healthcare arrangements and health-information organizations).” Some examples of BAs include:

• coding and billing providers;
• waste-disposals entities such as shredding companies, and recyclers;
• offsite medical transcription services;
• records management or archiving services;
• temporary staffing services,
• medical vendors involved with patient care;
• medical or business equipment service providers; 
• accountants and external auditors, 
• attorneys;
• external consultants or independent contractors; 
• electronic health record vendors;
• cloud-storage vendors; and
• answering services.  

If any of these third parties create, receive, maintain, or transmit PHI on behalf of the CE, they are considered a BA, and a business associate agreement (BAA) must be in place to protect patient PHI. If the outside entity is handling (creating, receiving, maintaining, or transmitting) information that is not PHI or is de-identified, it is not considered a BA, and a BAA is not needed. This can be tricky to determine. For example, a copy machine or fax machine vendor or repair service would be a BA if the machines have electronic memory that stores PHI. If there is no electronic memory, they would not be a BA. Likewise, a temporary hire of a nursing staff member who is providing treatment is not subject to BAAs. However, the temp staff company would be a BA if it has access to PHI in the course of employing the temp nurse. Maintaining patient privacy requires a clear understanding of who is and who is not a BA, and when a BAA is required. This article will educate wound care clinicians on the appropriate establishment of BAAs and provide tips on how to potentially avoid legal pitfalls, including those related to marketing initiatives that BAs may try to exploit through collection of PHI. 

Real-Life Examples Of Business Associate Infractions

North Memorial Health Care, Robbinsdale, MN, was involved in an instance in which a BA had an unencrypted, password-protected laptop stolen from a workforce member’s locked vehicle, resulting in a breach involving nearly 10,000 individuals. North Memorial’s administration was fined $1,550,000 for overlooking “two major cornerstones of the HIPAA Rules” — they failed to enter into a BAA with a major contractor; they also did not conduct a thorough risk analysis on their information technology infrastructure.¹ In another case, Catholic Health Care Services (CHCS), Philadelphia, PA, was acting as a BA to six skilled-nursing facilities. A CHCS unencrypted, non-password-protected iPhone was stolen from a workforce member. The phone contained social security numbers; information regarding diagnosis, treatment, and medical procedures; names of family members and legal guardians; and medication information, leading to a breach of PHI for 412 individuals and a $650,000 settlement.² 
___________________________
READ MORE: HIPAA PRIVACY & SECURITY
___________________________

With the advent of HITECH, CEs are responsible for breaches caused by their BAs. There are two important reasons why it’s imperative to vet one’s BAs and ensure they are complying with HIPAA regulations and protecting the privacy and security of patient PHI. (We will discuss appropriate vetting of a BA later in this article.) The CE is liable for civil monetary penalties based on the act or omission of the BA. Likewise, the BA is liable for civil monetary penalties based on the act or omission of any subcontractors it hires (who have access to PHI). In their Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, the Ponemon Institute found that 61% of BAs in their study indicated they had a data breach involving loss or theft of PHI in the past two years; 28% said they had more than two breaches.³ The study also asked BAs how often they assess their vulnerabilities to a data breach. A full 35% said they had “no regular schedule,” 41% said “annually,” 8% said “quarterly or annually,” and 8% were “unsure.”³ BAs, however, are required to provide reasonable assurances that they will:

• not use or further disclose PHI, other than as permitted or required by the contract or as required by law;
• use appropriate safeguards to prevent use or disclosure of PHI, other than as provided in the contract; 
• report to the CE any use or disclosure of the PHI not provided for by its contract, or any breach of unsecured PHI; 
• ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA with respect to such information; 
• make PHI available to patients in accordance with the regulations; and 
• ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA (Code of Federal Regulations [CFR] 45 164.402, 45 [CFR] 504(e).

Rules for Business Associates

One issue to note is that vendors have been known to use patient information for purposes other than what has been agreed upon. For example, they may add the personal information to their databases to use it for marketing purposes (ie, identify patients who may benefit from a product, mine the data, or even sell the information). However, HIPAA clearly explains that the BA may use or disclose PHI only as permitted or required by its BAA or contract [CFR 45 164.502(a)(3)]. The BA can only disclose PHI to aid the CE in carrying out its function in providing health services⁴ and cannot authorize any uses or disclosures that the CE cannot make itself.⁵ The regulations do allow the BA to use PHI received for the “proper management and administration of the BA,” if the BA 1) obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially, 2) only uses or further discloses PHI as required by law or for the purposes for which it was disclosed to the person, and 3) the person notifies the CE of any instances (of which it is aware) that the confidentiality of the information has been breached [CFR 45 164.504(e)(4)(ii)].  The BA may also use PHI in its capacity as a BA to “carry out legal responsibilities of the BA [CFR 45 164.504(e)(4)].” To summarize, BAs may not use PHI outside the confines of the BAA, with few exceptions.  

Access by BAs, then, must be done under the terms of the BAA. The information given to BAs must follow the “minimum necessary standard,” unless it is for treatment purposes. That means BAs are given access to the minimum PHI they need to do their job. A clear framework for acceptable use of PHI must be established and agreed upon.⁶ 

BAAs & Marketing

There can also be confusion about BAs with regard to marketing. Generally, if communication related to a patient is considered marketing, CEs must obtain the individual’s authorization before it can be shared. As it pertains to HIPAA, marketing is considered to be any arrangement between a CE and another entity whereby the CE discloses PHI in exchange for direct or indirect remuneration. The CE may not sell PHI to the BA or third party for that party’s own purposes. CEs may also not sell lists of patient names or enrollees to third parties without obtaining authorization from each person on the intended list.⁷ Relying on the BA to engage in marketing does not relieve the CE from obtaining an authorization. Data mining has caused some concern for protection of PHI. With both national healthcare providers as CEs, and national vendors serving them as BAs, there is a treasure trove of PHI. Should these BAs have the ability to use this information? Minnesota’s attorney general, in the aforementioned example early in this article, filed suit against Accretive Health Inc., Chicago, IL, for violation of HIPAA, HITECH, and the state’s consumer protection laws. In this instance, Accretive was a BA for two Minnesota hospitals, with Accretive experiencing a breach of about 23,500 records when a laptop was stolen. Accretive was required to pay nearly $2.5 million. This fine was in part due to the breach, but it was also due to Accretive’ s data mining practices and inappropriate sharing of PHI. Accretive was alleged to have been using data mining, consumer behavior modeling, and propensity to pay algorithms to create “per-patient risk score” calculations.  However, the patient authorization form did not disclose the scope or breadth of the PHI that the hospitals would share with Accretive.⁸ Accretive also had to take corrective action based on sanctions by the Federal Trade Commission. Subsequent action was also taken against North Memorial for providing Accretive with PHI without obtaining satisfactory assurances that Accretive would safeguard the PHI.⁹ As stated previously, data can only be used as outlined in the BAA or as required by law. BAAs also typically state PHI can be used for “proper management and administration.” However, the BA cannot disclose information that a CE is not allowed to disclose.⁵ Additionally, BAs should be properly vetted. How do you vet a BA? There are several questions to ask when trying to ensure compliance with HIPAA regulations:

• Has the BA performed the required security risk assessment? 
• Does the BA have adequate policies and procedures in place to protect PHI?
• Is the workforce regularly trained on protection of PHI?
• How is the BA requiring subcontractors to comply with HIPAA regulations?
• Does the BA provide regular training to the workforce on HIPAA privacy and security policies and procedures?
• Can the BA provide a list of subcontractors and proof that subcontractors will also be in compliance with the regulations?¹⁰ 

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindell@carosh.com. 

Lorna L. Hecker is executive vice president and director of education and training at Carosh Compliance Solutions. She also runs the company’s professional practice in behavioral health and holds CHPS certification (certified in healthcare privacy and security) through the American Health Information Management Association. A frequent speaker on HIPAA topics unique to behavioral health practices, she is a professor of behavioral sciences at Purdue University Northwest, where she is on the faculty of the marriage and family therapy master’s program. She is the director for the Purdue University Northwest Couple and Family Therapy Center and teaches graduate courses in professional and ethical issues, couples therapy, trauma, theories of family therapy, and play-in family therapy. The author and/or editor of multiple mental health-related books, her most recent publication is HIPAA Demystified:  HIPAA Compliance for Mental Health Professionals (Loger Press). 

References

1. $1.55 million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements. HHS. Accessed online:www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html?language=es

2. Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement.  HHS. Accessed online: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html?language=es

3. Sixth Annual Benchmark Study on Privacy & Security of Health Data. Ponemon Institute. 2016. Accessed online: www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1

4. Cerrato, P. A decision-maker's guide to risk, prevention, and damage control. Cambridge, MA. Elsevier. 2016

5. Hirsch R, Deixler H. HIPAA Business Associates and Health-care Big Data:  Big Promise, Little Guidance. 2014. Accessed online: www.bna.com/hipaa-business-associates-and-health-care-big-data-big-promise-little-guidance

6. Robichau BP. Healthcare information privacy and security: Regulatory compliance and data security in the age of electronic health records. New York, NY. Apress Media. 2016.

7. Marketing. HHS Accessed online: www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing

8. Litten C. Business Associate Breach Leads to $2.5M Settlement by Accretive: But Who is the Covered Entity or Business Associate Here, and Do We Care? Fox Rothschild LLP. 2012. Accessed online: https://hipaahealthlaw.foxrothschild.com/tags/data-mining

9. Snowbeck C. North Memorial Health Care Paying $1.5 million in Federal Privacy Settlement. Star Tribune. 2016. Accessed online: www.startribune.com/north-memorial-paying-1-5-million-in-federal-privacy-settement/372490911 

10. HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others. Duane Morris.  2013. Accessed online: www.duanemorris.com/alerts/HIPAA_Marketing_and_Sale_Provisions_4851.html