In recent years, the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations has expanded dramatically, presenting new privacy and information security challenges to technology businesses that intersect with health care. Under HIPAA, companies providing domestic data storage services (including cloud service providers), e-prescribing gateways, and software or equipment used by a covered entity to deliver health care services (including telemedicine and telehealth) fall within the definition of a “business associate” (BA), even if the company merely “maintains” protected health information (PHI) and never actually views it. The definition of a BA also captures a BA’s downstream subcontractors that create, receive, maintain, or transmit PHI on its behalf. BAs are increasingly exposed to federal enforcement actions for noncompliance, and specifically for the failure to enter into a business associate agreement (BAA) ensuring that the BA will appropriately safeguard PHI (the required contract terms are set forth at 45 C.F.R. §164.504(e)).
Recent enforcement actions by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) signal that a BA’s failure to enter into a BAA may result in substantial monetary penalties. OCR has recently reported three large settlements involving the failure to enter into BAAs:
Although these settlements imposed penalties on the covered entities involved, future enforcement actions will likely target BAs directly. Indeed, OCR signaled a particular interest in BAs and BAAs when it released its new audit questions for 2016.
The OCR settlements offer two main lessons for BAs. First, as the April 2016 settlement shows, the mere release of PHI to a third party before a BAA is in place constitutes a “breach” that can give rise to civil liability. Second, internal security risk assessments are imperative. OCR’s statements imply that appropriate risk assessments could have prevented the data breaches described above. HIPAA requires BAs to conduct thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
Accordingly, technology companies should be mindful of whether they are a BA and, if so, scrupulously adhere to HIPAA. When determining whether an entity is a BA, the key inquiries are (1) what services the organization performs for a covered entity and (2) what kind of data the organization creates, receives, maintains, or transmits in doing so. If a company’s services to the covered entity involve creating, receiving, maintaining, or transmitting PHI in any form, the company is likely a BA and must enter into a written BAA with the covered entity, and also with any downstream subcontractors that handle PHI on its behalf. BAs should carefully scrutinize the terms of each BAA, as many impose privacy and security obligations stricter than those HIPAA itself requires. When negotiating a BAA, a BA should be particularly attentive to provisions addressing the parties’ agency status, burdensome breach notification requirements and reporting deadlines, allocation of the costs of breach notification and investigation, and indemnification.
Ashley Wheelock is an Associate in Locke Lord’s Austin office.