
From Health Law Daily, April 17, 2014

Covered entities warned to manage exposure to business associate liability

By Sarah E. Baumann, JD

Tod Ferran has some advice for Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) covered entities (CEs) trying to guard their electronic protected health information (ePHI)—“You Can’t Hide Behind a BAA.” In a Health Care Compliance Association (HCCA) webinar of that title, held on April 16, 2014, Ferran spoke about the need to fully comply with the HIPAA Omnibus Final Rule (78 FR 5566), which requires that signed, revised business associate agreements (BAAs) with all existing business associates be in effect no later than September 22, 2014. Ferran, CISSP, QSA, of Security Metrics, recommends that CEs take a prioritized approach in dealing with BAs in order to protect themselves from liability.

Omnibus Final Rule requirements. Business associates (BAs) are entities or individuals that transmit, process, or otherwise handle ePHI on behalf of CEs. Covered entities may deal with a wide variety of BAs, including external labs, pharmacies, attorneys, transcriptionists, and a host of other organizations. On January 25, 2013, the Omnibus Final Rule made changes to the HIPAA privacy, security, and enforcement rules to implement certain provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5). The rule makes BAs directly liable for compliance with HIPAA privacy and security rule requirements. It also requires covered entities that engage BAs to have contracts in place and to obtain “satisfactory assurances” that the BAs safeguard ePHI and use and disclose information only as the privacy rules permit. Contracts entered into after January 25, 2013, were required to comply with the new requirements no later than September 22, 2013. Contracts entered into prior to January 25, 2013, must comply no later than September 22, 2014, if not renewed sooner.

Ostensibly, the rule creates liability for BAs. However, Ferran cautions that CEs are deemed by the Office for Civil Rights (OCR) to be the ultimate owners of ePHI and are thus liable for any breaches of the privacy or security rules. How, then, should a CE go about reviewing and modifying existing agreements to ensure that they comply?

Satisfactory assurances. The rule is vague as to what steps a CE must take to ensure that ePHI is safe, stating only that a CE should obtain “satisfactory assurances” to that effect. To protect themselves, Ferran says, CEs should audit or validate all BA patient-data handling and security processes. Although CEs should try not to exert so much control that a BA terminates the relationship, increased HHS enforcement makes an auditing or validation process necessary. If BAs bristle at the idea of being audited, Ferran suggests entering into a dialogue to find the way that best meets both entities’ needs. However, if a CE cannot make headway, “Find a different associate to work with . . . truly, it’s not worth saving a few pennies.” CEs should manually track evidence, seeking, for example, summaries of completed risk analyses and risk mitigation strategies from BAs, as well as reviewing notices of privacy practices. They may do so through compliance monitoring tools, third-party vendor validation, or their own dedicated compliance teams.

Prioritized approach. Before addressing existing BA agreements and modifying them, as necessary, to ensure that they comply with new standards, Ferran suggests creating an “on-boarding” process for new BAs to determine how the CE will generally handle validation, even if new BAs will be hired infrequently. Once this is done, it will be easier to deal with specific agreements.

With the on-boarding process complete, Ferran recommends prioritizing existing BAs as low-, medium-, or high-risk by contacting the chief security officers of all BAs and gathering information. Business associates without a chief security officer should be red-flagged as high-risk, as they are likely to be unaware of HIPAA requirements. When speaking to the chief security officers, covered entities should update contact information, confirm that the BAs are still handling their ePHI, and let the BAs know whether additional requests will be forthcoming. If a BA is no longer handling a CE’s ePHI, the BA should provide proof that the ePHI has been securely deleted. BAs can be classified as medium-risk where the chief security officer does not fully understand HIPAA requirements and as low-risk where the officer both understands the requirements and is able to provide assurances.

Recommended evidence. After prioritizing, CEs should begin with high-risk BAs and then move on to medium- and low-risk BAs, gathering evidence in the form of a mini-audit. For starters, CEs should verify that the data required and the data transmitted match. Ferran notes that findings of HIPAA violations often involve the transmittal of too much data, and he emphasized that CEs should never send more data than is absolutely required. Covered entities must gather the evidence necessary to demonstrate to the OCR that they exercised due diligence in obtaining satisfactory assurances and did not engage in willful neglect by failing to do so. A summary of a risk analysis of the BA is crucial.

During the webinar, Ferran also provided a detailed list of information that CEs should gather, including information about firewalls and antivirus programs. In sharing his opinion that data should be protected by at least two layers of security, he noted that credit card data breaches often occur despite the presence of a firewall. He stressed the importance of implementing wireless technology safely, with encryption and with software that can identify rogue wireless access points.

Covered entities would be well-advised to check with their BAs to determine whether the BAs were vulnerable to the Heartbleed bug that has been in the news of late. Heartbleed can be exploited against a system without leaving a trace. A patch was released to address the issue; however, it would behoove CEs to make sure that BAs that may have been affected have applied it. Websites are available that allow individuals to enter a URL to see whether a site is vulnerable to the bug.

BAs should also provide security awareness training that covers social engineering. Ferran cited the Stuxnet worm, which allegedly took down an Iranian nuclear power plant after plant workers found seemingly harmless USB drives lying around and used them to complete their work; the drives turned out to be infected with the worm. Ferran also discussed the importance of intrusion detection systems (IDS) and intrusion prevention systems (IPS), which can prevent breaches or notify CEs of them. Data loss prevention (DLP) is worthwhile, but the software is only about one-third of the total cost of DLP; the rest involves training.

Vulnerability. One particular area of vulnerability arises with BAs that subcontract work. For example, many BAs may contract with customer service representatives who work from home on their personal computers without notifying them of HIPAA requirements. A browser may continually cache pages, storing them on the local workstation; a BA should take action to ensure that the cache is automatically cleared upon disconnection. A second area of vulnerability is the security of an employee’s workstation. In at least one instance, Ferran discovered that a BA employee kept notebooks filled with patient information in an unlocked desk drawer.

Breach notification. Covered entities must be confident not only that they have exercised due diligence and can provide satisfactory assurances that they have complied with the Omnibus Final Rule, but also that their BAs will work with them to protect data and notify them of breaches promptly. CEs must notify HHS within 60 days of a breach, so Ferran strongly recommends that BAAs specify a time period within which the BA must notify the CE of a breach. Words like “promptly” must be clearly defined in the same paragraph.

Final advice. In addition to fines from the OCR, state attorneys general may also pursue actions against covered entities, and HIPAA best practices may be used as standards to establish negligence and professional malpractice. Although both covered entities and BAs may be prosecuted, Ferran notes that CEs will be the ones truly damaged by media coverage. Contracts must be updated no later than September 22, 2014, and covered entities should plan to make some progress every month to meet the September deadline. In Ferran’s words, “Get started. Don’t wait. We can’t be complacent about this.”
