Building a HIPAA-Compliant Culture: Essential Steps Business Associates Must Take
If a vendor refuses to sign a business associate agreement as required under the HIPAA Omnibus Rule, covered entities may need to devise an alternate approach, says attorney Gerry Hinkley.
Under HIPAA Omnibus, business associates, as well as their subcontractors, are now liable for HIPAA compliance if they receive, create, maintain or transmit protected health information on behalf of a covered entity.
"If the covered entity has made the determination that someone that they do business with is their business associate, the law requires a business associate agreement to be in place," Hinkley says in an interview with HealthcareInfoSecurity (transcript below).
When a business associate is reluctant to sign an agreement, Hinkley recommends incorporating the terms of the business associate agreement into the service contract or some other contract between the parties.
"It doesn't have to be a stand-alone agreement," he says. "And oftentimes the provisions appear to be innocuous to the vendor when they're incorporated in the service agreement."
In the interview, Hinkley also discusses:
- Tips for determining whether a company is a business associate under HIPAA Omnibus;
- How to prepare for breach notification under HIPAA Omnibus;
- How HIPAA Omnibus applies to banks.
Hinkley is chair of Pillsbury Winthrop Shaw Pittman's healthcare industry team based in San Francisco. He's practiced law in the healthcare industry for more than 35 years with a focus on privacy and information technology. Hinkley is also a member of the leadership council of the eHealth Initiative and chair of the legal task force of the Healthcare Information and Management Systems Society.
Preparing Business Associate Agreements
MARIANNE KOLBASUK MCGEE: The HIPAA Omnibus Rule compliance deadline is less than two months away. At this point, what should covered entities be doing with their business associates to make sure they are ready on time?
GERRY HINKLEY: Covered entities should consult the transition provisions of the law to determine when they need to enter into updated business associate contracts. Depending on the circumstances, this may be required as early as Sept. 23, 2013 or as late as Sept. 22, 2014. However, if the covered entity's arrangements with business associates are modified or renewed during this period, the business associate contract must be updated at that time. Although covered entities are not legally required to do so, it may make sense for them to confirm with their business associates that they're entering into business associate contracts with their own subcontractors if the subcontractors receive PHI. This is required by Sept. 23, 2013.
Business associates should already have a compliant business associate contract that they're routinely using with covered entities, and covered entities may also have their own standardized forms. One thing that covered entities need to do as implementation becomes imminent is to develop a contracting format and implementation program so that they can organize their efforts to come into compliance.
Top Compliance Challenges
MCGEE: What are the challenges that you're seeing business associates having the most trouble with in complying with HIPAA Omnibus, and how can they overcome those challenges?
HINKLEY: I think the biggest challenge the business associates have is creating a HIPAA compliance culture. [Under the HIPAA Omnibus Rule,] business associates are directly liable under HIPAA and enforcement can be brought against business associates directly. This is a dramatic change from the [original HIPAA provisions], where business associates' obligations really only derived from contractual arrangements with covered entities. Because business associates now are subject to portions of the HIPAA Privacy Rule and pretty much all of the HIPAA Security Rule, together with the data breach reporting requirements, they actually now have to have a robust HIPAA compliance program as if they were covered entities. They also stand to face potentially high penalties [for non-compliance], which can be as great as $1.5 million per violation.
Some of the things that go into creating a HIPAA-compliant culture include having regular risk assessments, encrypting data and implementing administrative and technical safeguards that generally have applied to covered entities. They also need to enter into HIPAA-compliant business associate agreements with their own subcontractors. ... Subcontractors of business associates who receive PHI are essentially also treated as business associates for purposes of HIPAA.
MCGEE: What are the biggest mistakes that you're seeing covered entities and business associates making as they get ready to comply with HIPAA Omnibus?
HINKLEY: I think the biggest mistake we're seeing is misunderstanding who business associates are. A default conclusion on behalf of covered entities is that anyone that they do business with who they happen to give PHI to is their business associate. We see situations often with our clients who receive PHI through the ordinary course from a covered entity being handed a business associate agreement and then asking us, "Why are we being asked to sign this?" We have to go through the analysis of, "Are you a business associate?" Business associates are limited to the group of entities that receive PHI from a covered entity and carry out a function for the covered entity. If they merely receive the PHI in another authorized manner, but they're not carrying out a function for a covered entity, they're not a business associate.
Determining Business Associates
MCGEE: Any suggestions for vendors or service providers that are uncertain whether or not they're a business associate under HIPAA Omnibus?
HINKLEY: You just have to read the definition. It's expanded under HITECH to clarify that it includes anyone who also transmits or maintains PHI for a covered entity. This is an expansion. This has taken HIPAA into the cloud, if you will, and a lot of [cloud] organizations have taken a position that they were not business associates. That now has been clarified. ...
Another area that we do a lot of work in relates to financial institutions. There's a provision in HIPAA itself that excludes banks from HIPAA compliance with respect to PHI that they receive incidentally to a normal banking transaction. For example, somebody pays a medical bill by check. It goes to the bank, [and] typically enough information [is] on the check itself to constitute it being protected health information. Banks, at least with respect to that kind of functioning, were not subject to HIPAA. But what has occurred is that [some] banks do a lot of other things about actually carrying out functions for covered entities that are beyond what you would customarily construe as a banking function. So we've spent time with [those] financial institutions to get them comfortable with the fact that, yes, in fact, they're business associates and they need to include HIPAA [compliance] even though they're also already subject to Gramm-Leach-Bliley, which is the institutional information protection act that applies specifically to banks.
Overcoming Refusal to Sign Agreements
MCGEE: What suggestions do you have for covered entities that say that some of their business associates refuse to sign these agreements, disputing that they're a business associate?
HINKLEY: If the covered entity has made the determination that someone that they do business with is their business associate, the law requires a business associate agreement to be in place. There are a couple of paths to take when you have a contractor who says, "I'm just not going to sign that agreement." One is we incorporate the terms of the business associate agreement in the service contract or other contract between the parties. It doesn't have to be a stand-alone agreement, and oftentimes the provisions appear to be innocuous to the vendor when they're incorporated in the service agreement. That's kind of a way to bypass a separate agreement. Historically, under HIPAA that did create some concern, although, frankly, we're not hearing that complaint so much anymore. As a practical matter, if a covered entity has decided that someone is a business associate and they can't get business associate terms into a written contract with that entity, they can't give them PHI. They have to figure out a way, if they want to continue to utilize the services of the vendor, to not have protected health information be part of what the vendor ... actually receives from them. If they can't do that, then they really can't do business with the vendor.
MCGEE: How should business associates be preparing for breach notification under HIPAA Omnibus?
HINKLEY: They need to read the security rule and do what it implies and extrapolate from it for their own physical and technological environment. What I tell everybody who asks me is you have to implement encryption that meets the Department of Health and Human Services' standards. If health information is encrypted appropriately and it's lost, you know, that does not constitute a data breach. That's a very clear "get out of jail free" card.
What we find too often ... is people turn off the encryption. It's too cumbersome. The challenge for the industry and for business associates is to find the easiest form of encryption to implement and use, and then take it to the next step and impress upon your workforce through training and other means that [skipping encryption] is not something the company will tolerate. Make it clear from your employment policies that if someone is the cause of a data breach because they didn't follow company policies, that's a cause for termination.
Ongoing Risk Assessments
MCGEE: Any final suggestions or tips that you have for business associates or covered entities as they deal with each other in preparation for HIPAA Omnibus?
HINKLEY: I think the best practice will be for business associates to actually develop a HIPAA compliance plan that revolves around an ongoing risk assessment. [Some companies think] that the risk assessment is such a big deal and it's so expensive that companies have to plan for it every three years, and sometimes they just don't do it. There isn't budget or it just doesn't happen. What we're counseling is do something every month. Have a 12-month risk assessment plan that just gets into the normal workflow, so that it's not an extraordinary activity. Then, as risks are identified, act on them. Begin to take steps to address how to ameliorate that risk. In the end, that's all part of what I said at the beginning [about] how business associates need to create a HIPAA-compliant culture within their organization.
For entities that are receiving PHI in the capacity of business associates ... it's an additional business process. For example, we receive protected health information from our clients that are covered entities when we have to in connection with the services that we provide. We're a business associate. That's taking our organization and saying that in addition to everything else we have to do in meeting our ethical obligations for our clients, we have strict legal requirements with respect to this particular type of information when we receive it, and we have to act like anybody else who's a business associate and have processes, do risk assessments, do training annually and the like.