In recent years, the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and implementing regulations has expanded dramatically, presenting new privacy and information security challenges to technology businesses intersecting with health care. Under HIPAA, companies providing domestic data storage services (including cloud service providers), e-prescribing gateways, and software or equipment used by a covered entity for the provision of healthcare services (including telemedicine / telehealth) fall within the scope of a “business associate” (BA), even if the company merely “maintains” protected health information (PHI) and does not personally view it. The definition of a BA also captures a BA’s downstream subcontractors that create, receive, maintain, or transmit PHI on its behalf. BAs are increasingly at risk of potential federal enforcement actions for noncompliance, specifically for the failure to enter into a business associate agreement (BAA) ensuring it will appropriately safeguard PHI (technical requirements for which are set forth under 45 C.F.R. §164.504(e)).
The U.S. Department of Health and Human Services Office of Civil Rights’ (OCR) recent enforcement actions signal a BA’s failure to enter into a BAA may result in substantial monetary penalties. The OCR has recently reported three large settlements involving the failure to enter into BAAs:
- In April 2016 OCR announced a $750,000 settlement with a North Carolina orthopedic practice resulting from the failure to execute a BAA prior to providing PHI of 17,300 patients to a third party entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. OCR initiated its investigation of the practice following its receipt of a breach report from the practice itself. Interestingly, the “breach” at issue was merely the fact that the covered entity released the information to the third party prior to executing a written BAA. OCR specifically stressed that “the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.”
- In March 2016 OCR announced a $1.55 million settlement with a Minnesota healthcare system following its investigation of a breach report involving an unencrypted, password-protected laptop stolen from a BA’s employee’s locked vehicle, impacting the electronic PHI of 9,497 individuals. The covered entity failed to enter into a BAA with a BA performing certain payment activities on its behalf. OCR’s investigation revealed that from March 21, 2011 to October 14, 2011, the covered entity impermissibly disclosed the PHI of at least 289,904 individuals to the BA without obtaining satisfactory privacy and security assurances in the form of a written BAA. OCR further concluded that the covered entity failed to perform a risk assessment of all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.
- In November 2015 OCR entered into a $3.5 million settlement with an insurance holding company in San Juan, Puerto Rico. This settlement was the result of the covered entity’s self-reported multiple data breaches. One of the breaches involved the covered entity’s discovery that a vendor impermissibly disclosed its beneficiaries’ PHI (including the beneficiaries’ names, mailing addresses, and Health Insurance Claim Numbers) on the outside of a pamphlet mailed to the beneficiaries. The covered entity, OCR alleged, did not have an appropriate BAA with the vendor and failed to conduct an accurate and thorough risk analysis incorporating all IT equipment, applications, and data systems utilizing electronic PHI (ePHI).
Although these settlements subjected the covered entity to punishment, future enforcement actions will likely target BAs. Indeed, OCR expressed a particular interest in BAs and BAAs through its release of new audit questions for 2016.
The OCR settlements provide two main lessons for BAs. First, as evidenced by the April 2016 settlement, the mere release of PHI to a third party prior to entering into a BAA constitutes a “breach” subject to potential civil liability. Second, internal security risk assessments are imperative. OCR implies appropriate risk assessments could have prevented the above-mentioned data breaches. HIPAA requires BAs to conduct thorough assessments of potential risks and vulnerabilities with respect to the confidentiality, integrity, and availability of electronic PHI.
Accordingly, technology companies should be mindful of whether they are a BA and, if so, scrupulously adhere to HIPAA. When determining whether an entity is a BA, the key inquiries are (1) what services the organization carries out for a covered entity and (2) what kind of data the organization creates, receives, maintains, or transmits. If a company’s services to the covered entity involve anything to do with PHI, it is likely a BA and must enter into a written BAA with the covered entity and also with downstream subcontractors involved in handling PHI. BAs should carefully scrutinize the terms of the BAA, as many impose privacy and security requirements beyond those of HIPAA itself. When negotiating a BAA, a BA should be particularly attentive to provisions addressing the parties’ agency status, burdensome breach notification requirements and reporting deadlines, cost allocation of breach notification or investigation, and indemnification.
Ashley Wheelock is an Associate in Locke Lord’s Austin office. She can be reached at firstname.lastname@example.org.