Managing BAs Under HIPAA Omnibus
Privacy Attorney Offers Insights for Covered Entities
The HIPAA Omnibus Rule spells out that a business associate is "an entity that creates, receives, maintains or transmits protected health information for a function or regulated activity," says Stephen Wu, a partner at Cooke Kobrick & Wu LLP.
In an interview with Information Security Media Group (transcript below), Wu says that although the rule offers more details on what kinds of companies might be business associates, we still "don't have the full picture of what's a business associate and what's not a business associate from HHS. And as a result, what you're seeing now is a lot of legal counsel talking with their clients, trying to figure out whether certain types of vendors are within the business associate definition or not, and you have a lot of judgment calls being made."
Covered entities, such as hospitals, clinics and health plans, should be prepared for discussions with some companies that will dispute whether they, in fact, are a business associate, he says. And once they determine that a vendor is, indeed, a business associate, "that vendor is going to have to start creating a comprehensive compliance program or else consider exiting the market in the healthcare field," he says.
In addition, covered entities should complete a "due diligence" investigation of potential business partners before signing a contract, Wu advises. Plus, business associates should conduct investigations before they sign contracts with downstream subcontractors. These investigations should determine "that this is an appropriate entity to perform functions on behalf of a covered entity or a business associate" and gain access to sensitive patient information, he explains.
Once contracts are signed, covered entities should continually monitor the HIPAA compliance of business associates, he says. "There should be ongoing questions about data flows and data mapping," he stresses, as well as ongoing risk assessments.
In the interview, Wu also discusses:
- Why there's so much confusion about the HIPAA Omnibus Rule's expanded definition of who's a business associate. "I believe many vendors falling under the definition don't realize they are," he says.
- The three biggest challenges business associates are having so far in complying with HIPAA Omnibus;
- Steps business associates should take to comply with the rule's updated breach notification guidance.
The attorney will discuss other tips for how covered entities can work with their business associates on HIPAA Omnibus compliance in an upcoming Information Security Media Group webinar.
Wu is former chair of the American Bar Association Section of Science & Technology Law and co-chair of its Information Security Committee. He has written or co-authored five books on data security law, including "A Guide to HIPAA Security and the Law," and is writing a book on handling mobile devices in the enterprise.
MARIANNE KOLBASUK MCGEE: Under HIPAA Omnibus, the definition of business associate has been expanded, and there seems to be some confusion still about who's a business associate. What types of vendors and service providers are now considered business associates that weren't in the past, and who's still not considered a business associate?
STEPHEN WU: Well, Marianne, to answer your question, I think it's good to turn back the clock and look at the definition of business associate in [HIPAA] 45 CFR 160.103 before the HITECH Act. And what it said there is that a business associate ... performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information. Some of the examples that they gave in the regulations are claims processing; ... data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management and re-pricing. There was also another part of that regulation that talked about legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for a covered entity involving the disclosure of individually identifiable health information. ...
So we had a list of specific inclusions, and then, well, when you said who's out at that point, one of the things that the regulation said is if the person receiving the health information is a workforce member - that is someone under the direct supervision of a covered entity - that person is not a business associate. Also, there has been some guidance put out by Health and Human Services over the years, and what it talked about is excluding people like janitors, plumbers, electricians, photocopy/repair people. These are folks who would have only incidental access to health information as part of their services, or if you are an entity receiving protected health information for purposes of treatment, such as labs, pharmacies, contact lens suppliers. And then there was a very interesting discussion of something called the mere conduit, which is, if you can imagine, the United Parcel Service taking a sealed envelope containing protected health information from one place to another, United Parcel Service or the Postal Service or these other kinds of delivery services would be a mere conduit moving information from one place to another, never actually opening the envelope and looking at it. And from other types of service perspectives, a mere conduit might be some provider, for example, of telephony services, where somebody on one end picks up the phone and somebody on the other end picks up the phone, and the service is just providing the wire between Person A and Person B where protected health information might be passing back and forth. But that telephony company is simply a mere conduit of that information.
So now let's fast forward to the HIPAA Omnibus Rule. ... Well, what are the changes that the HIPAA Omnibus Rule made? Now there's a new definition of business associate, as you were mentioning. And one of the aspects of the definition says the business associate is an entity that creates, receives, maintains or transmits protected health information for a function or regulated activity, and then it also mentions these legal, actuarial, accounting and [other] services. So the folks who are doing the legal, actuarial, accounting services are still in. Also still in are the particular services that I mentioned, like claims processing, administration, data analysis and so forth. But there are also specifically included business associates, such as e-prescribing gateways or other persons that provide data transmission services with respect to protected health information to a covered entity that requires access to that protected health information on a routine basis.
There's another new inclusion of an [organization] that offers personal health records to one or more individuals on behalf of a covered entity. And also, there is a new addition in the definition saying that a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate - that subcontractor to the business associate is itself a business associate. There's also a mention in the regulation about people performing patient safety activities under 42 CFR 3.20.
So when the Omnibus Rule came out, there was an explanation by the Department of Health and Human Services that [it had received] some questions about whether storage providers or hosting companies are covered entities and [it wanted] to talk about that "mere conduit" rule. That mere conduit rule exception to the definition still exists, but HHS said that the exception is very narrow in that it only applies if it's a true conduit moving information from A to B. So a hosting company where information is being stored long-term - that is not a mere conduit. That hosting company is maintaining protected health information on a more or less permanent basis, and so therefore cannot fit within this exception of being a mere conduit.
That's a long way of saying we've got some new inclusions and we've got some new guidance about what a mere conduit is. But in a way, we don't have the full picture of what's a business associate and what's not a business associate from HHS. And as a result, what you're seeing now is a lot of legal counsel talking with their clients, trying to figure out whether certain types of vendors are within the business associate definition or not, and you have a lot of judgment calls being made.
MCGEE: Now, as you deal with business associates that are trying to comply with HIPAA Omnibus, what provisions are presenting the biggest challenges for them and what steps should they be taking to overcome those challenges?
WU: Well, let me identify three top issues that I see in terms of what are the provisions that are presenting the biggest challenge. ... The number one challenge involved is ... a business associate recognizing that it is a business associate. There are lots of vendors out there who are trying to say, "Well, we've never been a business associate in the past; we don't think that we are a business associate." And when going through negotiations with people upstream, they may be in the process of renewing contracts or entering into new sales contracts, and the people upstream are saying, "You are a business associate; we want you to sign this business associate agreement." And the vendor is trying to say, "Well, I don't think I want to have that compliance overhead; I don't want to sign that business associate agreement."
So first of all, you can't address an issue unless you recognize that it is an issue in the first place. ... The vendor needs to look and determine whether or not in a particular context that vendor is a business associate or not. And if that vendor is a business associate, that vendor is going to have to start creating a comprehensive compliance program or else consider exiting the market in the healthcare field.
The second issue that I would point out is that the business associates need to know what information they're collecting and where that information is stored, what's the data flow, how does it enter the company, how is it being collected, how is it being generated, and how is it leaving the company. Right now, one of the chief challenges is trying to figure out what the data flows are. Business associates should ask questions internally and produce data maps and descriptions of how the data is flowing through the company.
The third issue I would point out is there's a challenge involved with a business associate understanding what is superfluous with respect to business associate compliance and what is necessary. The example that I would give is there is some discussion about [whether] business associates maybe ask ... to create limited data sets, a subset of data that would have less information and not have the degree of protectedness that regular protected health information would have. Well, if you're a data shredder, there's no point in you having to do these kinds of functions because your job is simply to shred data. You are a business associate, but yet a lot of the business associate overhead of doing certain things doesn't really apply to you.
Or, for example, there are provisions in the new privacy regulations about facilitating the process by which a patient can request a copy of protected health information. Well, again, if you're shredding data, you're not going to be helping to comply with these requests; you're simply going to be shredding data. So you have to figure out what applies to you and what doesn't apply to you. Analyzing what is and isn't necessary is the task I'm talking about.
And then with respect to the contracting process, it's important to tailor the arrangements and the agreements to the actual business context and not simply sign a business associate agreement just because somebody puts a comprehensive business associate agreement in front of you.
MCGEE: What steps should business associates take to comply with the breach notification rule of HIPAA Omnibus?
WU: First, I would say that the potential business associate has to go through that process that I described about asking the question, "Am I a business associate?" ... and then saying, "Am I a business associate for all of my customers, partners, etc., or just some of them and in what context?" Then, if the vendor says, "Well, I'm going to be considered a business associate," I would like to then suggest that that vendor rethink the business model. Should this vendor stay in the market, exit the market, or consider pricing changes to provide a HIPAA-specific service that might involve charging more to the customer? Then ... there should be a risk analysis done in terms of identifying the possible risks of unintentional or intentional acquisition, access or use of protected health information to determine what are the real risks for breaches. And then following that risk analysis, undertaking a comprehensive written security, privacy and breach notification program.
All of these need to fit together, so breach notification is just one piece of this. There should be security, privacy and breach notification working together - and then figuring out the kinds of steps it will take to respond to an incident. Part of going through this comprehensive written information security program is developing procedures for reporting security incidents and handling security incidents, trying to determine whether breaches occurred or not and then reporting the breach as necessary, creating the infrastructure in advance.
And then, to be able to implement that program, it's necessary to not only have something written on paper but also to test the procedures, create the breach response team or incident response team, and then go through the exercise of trying to test those procedures to make sure that they will work in reality. And after going through those types of exercises, look back and say, "How did it work; can we improve the procedures?"
And the final step would be to make sure that you are changing your documentation in response to these new breach notification requirements, changing contracts to reflect the status as business associate, and also including downstream entities to make sure that there are flow-downs of breach notification requirements to them - and changing your own policies, processes, and procedures as a result of all of those changes.
MCGEE: What steps should covered entities take in managing their business associates to ensure that they're complying with HIPAA? For instance, can or should covered entities audit their business associates to ensure they're complying?
WU: The answer is yes, they can audit. But what I would say is, going back to the beginning of the process of creating a relationship with a business associate downstream, it's important for a covered entity or a business associate thinking about doing business with a subcontractor to do a lot of due diligence before the contract is signed or the work starts, to make sure that this is an appropriate entity to be performing functions on behalf of that covered entity or business associate.
Now, once the contract is signed, as part of the ongoing relationship - and this should be built into the contract - there should be some assessments over time and asking ongoing questions about data flows and data mapping, along the lines of what I was talking about earlier. The contract should flow down requirements for security and breach notification and privacy to the downstream business associate. And with those ongoing assessments, it might involve something like monitoring. If there's some network connectivity, then some monitoring can be done. There can be ongoing discussions about collaborating on breach notification procedures.
And then, to answer your question about audits, yes, an audit can be done, and some of the issues to be worked out are how often would these audits occur, how much advanced notice should the audited entity be given, what are the audit criteria. Those are the things that should be worked out in advance. And then when the periodic audits take place, those should be implemented.
And, by the way, it is possible to do something called a desktop audit where you're reviewing the documentation of the audited entity. That might happen more frequently or might be something as changes in documentation take place that should be discussed with the upstream entity. And then it may be that at the beginning, or periodically, you do a full field audit for onsite inspection, review and interviews of the people carrying out the functions.
HIPAA Compliance Advice
MCGEE: Finally, Stephen, now that business associates are directly liable for HIPAA compliance under HIPAA Omnibus, what final advice do you have for them to avoid potentially expensive noncompliance mistakes?
WU: First, recognize that your company might have a compliance issue in the first place. If you don't know that you are responsible for this compliance, you might not recognize a problem, and it might surprise you that you have this issue. I believe that there are many vendors out there right now who are falling within the definition of a business associate under the regulation but yet don't realize that they are. So the first step I would say is recognizing that there's a compliance issue in the first place.
Then, second, recognize that there is liability for the authorized acts of your so-called agents under the HIPAA Omnibus Rule. You can be responsible for their mistakes, so that raises the stakes and puts more onus on you to manage your downstream business associates and subcontractors.
Then third, I would say there really aren't shortcuts to be had. You have to do the work it takes and the due diligence it takes to make sure that you are monitoring your downstream entities. It's important to understand that there is a bigger compliance picture of state and international or foreign laws that may come into play. Compliance with HIPAA is just simply one piece of a much larger picture of compliance for healthcare entities. And compliance with one regime doesn't mean compliance with others. So it's important to have a comprehensive compliance program.