Business Associates: The Next HIPAA Enforcement Target
Attorney Adam Greene Says Vendors Can Learn from Other Settlements
Business associates need to be paying close attention to the details of HIPAA resolution agreements that federal regulators are signing with covered entities for HIPAA non-compliance cases and data breaches, says privacy attorney Adam Greene.
That's because the Department of Health and Human Services' Office for Civil Rights is likely getting closer to taking HIPAA enforcement action against BAs that have been involved in breaches and other HIPAA-related incidents.
"I think there is probably [enforcement] work going on behind the scenes" related to business associates, he says. "What we tend to see for settlement agreements is, on average, two to three years between an incident occurring - such as a reportable breach to OCR - and then the resolution agreement will come out ..." he says.
Business associates first became directly liable for HIPAA compliance in September 2013, when enforcement of the HIPAA Omnibus Rule went into effect. "So, we're just entering into the time where, if, for example, you're a business associate and you had an incident on Sept. 23, 2013, we might be getting closer to the idea of [the case] being resolved soon through a resolution agreement," he says. "I wouldn't be surprised that within the next year we see our first business associate [enforcement] action from something that happened in 2013 or 2014."
In the meantime, business associates need to be learning from the settlements that OCR has been signing with covered entities in HIPAA cases, including a recent $750,000 resolution agreement with Cancer Care Group, P.C., which was triggered by an investigation into a 2012 breach. Among other findings, OCR's investigation determined that the cancer clinic had failed to conduct a risk analysis prior to the breach (see New HIPAA Compliance Audit Details Revealed).
The lack of a comprehensive and timely risk analysis has been at the center of many OCR HIPAA settlements, Greene notes.
"If you're a business associate, look at whether you have a risk assessment ... You want to make sure that when you see a new settlement about a mobile device being stolen - do you have a risk assessment that identifies the risk of one of your workforce members having a mobile device that has PHI ... and if it gets stolen ... what have you put in place to reduce that risk?"
In the interview, Greene also discusses:
- The biggest HIPAA security and privacy challenges business associates and subcontractors face;
- How much oversight covered entities should have over the HIPAA compliance efforts of business associates;
- The Food and Drug Administration's recent warnings about medical device cybersecurity and steps covered entities need to take as a result (see FDA Official: More Medical Device Vulnerability Discoveries Likely).
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was a senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.