Sunday, September 16, 2012

Keeping an Eye on Business Associates: An imminent HIPAA rule to further protect health information changes the game for business associates and subcontractors - Health Data Management

Byline: Joseph Goedert

In July 2010, the Department of Health and Human Services' Office for Civil Rights published a proposed rule, mandated under the HITECH Act, to strengthen provisions of the HIPAA privacy, security and enforcement rules. OCR expects this year to release a final 'omnibus' rule, which also will include changes to the breach notification rule.

If the final rule closely follows what was proposed, it will beef up requirements on covered entities, their business associates, and subcontractors of business associates.

The changes are significant because the proposed rule puts new requirements on business associates and subcontractors, who are the 'downstream' handlers of much of the protected health information, paper and electronic, that moves through the health care industry. And the new requirements, if finalized, will change relationships between the spectrum of entities handling protected health information.

Under existing HIPAA rules, covered entities (providers, payers and claims clearinghouses that conduct HIPAA claims and related transactions electronically) are liable for criminal or civil penalties for violations of the privacy, security and breach rules.

Covered entities also are liable for failure of their business associates to abide by the rules, but there are circumstantial exemptions. Under the July 2010 proposed rule, however, those exemptions would be removed, exposing covered entities to liability for any violations by business associates.

The exemptions were dropped in the proposed rule because legal liability under HIPAA would be expanded to business associates. The rule also expanded the definition of 'business associates' to include health information exchanges, health information organizations, electronic prescribing gateways, patient safety organizations and vendors that contract with covered entities to offer personal health records to patients, making these entities also liable.

The rule then went one step further by defining business associates' subcontractors as business associates under HIPAA. This makes a subcontractor (a person who acts on behalf of a business associate and is not an employee of the business associate) also legally liable for compliance.

Bringing subcontractors deep into the HIPAA fold 'is far more important than has been given credit in the media,' contends Kate Borten, president at The Marblehead Group, a Massachusetts-based health information technology security and privacy consultancy.

There's been no real accountability among those handling protected health information downstream from covered entities, Borten states, but now business associates will be directly subject to OCR penalties. And that will put big pressure on business associates to make sure their subcontractors, many of whom have little or no knowledge of HIPAA, fully comply with the rules governing PHI.

The primary goal of the new rules is simple: expand liability, and commitment by downstream vendors to proper handling of protected health information will rise. Lou Ann Wiedemann, director of professional practices at the American Health Information Management Association, believes the rules will succeed. Business associates will get serious about the privacy and security rules 'because now they're on the liability hook,' she adds. 'This will be the biggest change in the rules.'

For too long, health care has been a business that assumed no one would want your health information and therefore didn't apply rigorous safeguards, Wiedemann contends. 'But it really is a business, and money changes hands. The rules will really change how people do their business.'

A primer

The privacy rule currently does not directly govern business associates. Covered entities have been expected to enter into 'business associate agreements,' or BAAs, which are contracts with language compelling business associates to comply with the privacy and security rules. But there's been no real push to make sure covered entities are keeping a close eye on others that handle their protected health information, experts say.

Under the changes included in the proposed rule, a covered entity that knows of noncompliance by a business associate must take 'reasonable' steps to fix the problem or terminate the contract, if feasible. A business associate also is required to mitigate noncompliance by a subcontractor. Further, business associates must report any breaches of protected health information to a covered entity, which would report the breach to HHS/OCR. Subcontractors must report breaches to the business associate, which reports to the covered entity.

Consequently, all three types of entities handling PHI would be liable for investigation and potential financial and criminal penalties under HIPAA, and covered entities and business associates would be responsible for some degree of oversight of subcontractors. This means covered entities' business associate agreements will be more formalized and many business associates likely will, for the first time, enter into such contracts with their subcontractors, with the goal of enhancing protection of information downstream from the covered entity.

Even if a business associate does not enter into a BAA with a subcontractor, the business associate would still be liable for noncompliance by the subcontractor, and the subcontractor also would be liable.

Changing relationships

There are several ways the proposed provisions, if finalized, will change relationships between organizations that handle protected health information.

Covered entities will tighten language in BAAs to ensure that business associates and their subcontractors immediately report any breaches of PHI, Wiedemann at AHIMA says. That's important because the breach notification rule gives covered entities 60 days to report a breach once discovered, and they won't want any delays in finding out.

Covered entities also will require business associates to conduct scheduled security rule risk assessments and revisit the assessments as warranted, Wiedemann predicts.

The reality today, security consultant Borten says, is that many covered entities don't keep good track of business associates, much less subcontractors.

When she asks clients for lists of business associates and subcontractors, she often gets out-of-date lists and business associate agreements that haven't been signed. Many of the agreements were written after the privacy rule became effective in 2003 and were never updated to include the security rule in 2005.

Finally, new or updated business associate 'agreements' might not be called 'contracts,' but they are contracts and legal documents that should be signed by the CEO or CFO (someone with legal authority) and not the privacy officer, Borten advises.

Covered entities under the proposed rule do not have to enter into separate contracts with business associates' subcontractors. But Jared Rhoads, senior research specialist at Computer Sciences Corp., a Falls Church, Va.-based consultancy, says covered entities will become more involved with business associates' subcontractors, 'rather than treating them as unknown entities.'

Covered entities at minimum will want information from business associates on who the subcontractors are and their duties, such as shredding documents or destroying old hard drives, Rhoads says. And, depending on resources, a covered entity may do its own follow-up studying of a subcontractor if it's not a name they know. Some may also do on-site reviews, going to a business associate or subcontractor to see first-hand if the facility is designed as they say and if they have all stated equipment, he adds. 'It all comes down to resource availability.'

Covered entity view

Covered entity Rady Children's Hospital of San Diego doesn't expect final HIPAA rules to significantly change its relationship with business entities.

The rule primarily pushes risk to business associates and subcontractors that they haven't had before, says Cassi Birnbaum, director of health information management and privacy officer. Covered entities, if they have been overseeing downstream vendors, may not necessarily have to change a lot in the relationships, she believes. 'But it doesn't preclude us from still going through our due diligence.'

Some business associates aren't as educated in their HIPAA responsibilities as they should be, so covered entities must continue the education process, Birnbaum notes. 'We often find we are the ones who have to bring them up to speed.' She estimates only about half of business associates understand the HIPAA changes that are coming. Business associates haven't yet asked for help in educating subcontractors, but the hospital will make sure the education is done and assist if needed, she says.

Rady Children's Hospital, as a covered entity, is supposed to keep tabs on entities handling PHI downstream, and the organization has several ways of doing so.

It has a central repository of business associate contracts and tools to track if a contract needs a HIPAA business associate agreement and the reasons it needs one.

In addition, if a contract does not have a HIPAA agreement, that fact has to be confirmed in writing by the health information management department, legal, and the CIO, CFO and COO.

Tracking tools also identify if BAAs are the right version for each specific contract, and if the relationship has changed and the agreement needs to be revisited.

The hospital has a template for BAAs and requires vendors to sign its agreement. That brings blow-back from some vendors, Birnbaum acknowledges. But California has stricter privacy laws than much of the nation, and vendors also have to understand and agree to the state provisions. For instance, covered entities in the state have only five business days to report a breach.

Business associates requiring access to protected information must have an up-to-date BAA with tightly defined length of access, types of information, the person or people accessing data, and the HIPAA training required.

The hospital also will conduct background checks on companies and individuals, using the Department of Health and Human Services' Office of Inspector General database to check for such exclusions as fraud and abuse, or revoked licensure.

Subcontractor oversight

Under the final omnibus HIPAA rule, business associates also can expect to do more oversight of their subcontractors, and some already do so at various levels.

WPC Services, the consulting subsidiary of Washington Publishing Co., which publishes implementation guides for health care information technology standards such as the HIPAA transactions, conducts security audits as part of its standard operating procedures with subcontractors.

The consultancy has program managers for all subcontractors overseeing what PHI they have and how they handle it, says Eric Mueller, president. Further, the firm sets ground rules, audit capabilities, and security protocols and enforces them with audits. 'We define the environment in which our subcontractors will operate if they use PHI,' he asserts. For example, subcontractors are required to use WPC's e-mail system and its level of encryption, encrypted hardware with access locks when left unattended, and encrypted flash drives.

Stepping up audits

Right now, WPC Services will audit once a year if a contract lasts for a year. In the future, the audit could be as frequent as quarterly, Mueller says. In the near future, the consultancy will go further by scanning subcontractors' source code and checking patch levels, checking not just processes but the technology that supports the security of the processes.

The reason for overseeing subcontractors is simple: business survival. And that won't change if the business associate and its subcontractors become directly liable under HIPAA, Mueller contends.

'If I have a customer and there's a fine for a breach, we would be liable for any fiscal penalty to the covered entity. But our view is that the real exposure in notifying of a breach is the bad publicity, a hit to our reputation, our client's reputation and their bottom line,' he says.

For now, WPC is enhancing its existing security oversight to be pre-emptive in anticipation of the new rules. 'We can only focus on what we know, and we know that the rules will tighten but not how much. Until final rules are out, covered entities can't answer questions about what will be expected of us and what we will expect from subcontractors. Lawyers need final rules.'

What's also needed along with the final rules, Mueller believes, is a common method to audit HIPAA compliance: what has to be measured, who has access to data, what they access, how they access, when they access and why they access.

A lot of covered entities don't have the answers today, he notes. 'Any team involved in a project at a covered entity needs to ask themselves those questions before, during and after a project.'

Like WPC Services, business associate T-System Inc., a Dallas-based vendor of emergency department information systems, is unclear exactly how a final rule will change its relationships. But even under the proposed rule, the company does not foresee significant changes in its dealings with covered entities, says Tina Clark, manager of contract administration. Business associates, she notes, already are bound to the same privacy and security rule provisions as covered entities through the business associate agreements with those entities.

What would change under the proposed rule is that what previously only existed as a contractual obligation would become a regulatory requirement.

Under a final rule, instead of being accountable only to the covered entity, T-System and other BAs also likely will be accountable to the federal government, Clark adds. Another difference would be that when the HHS Office for Civil Rights investigates a breach by a business associate, the BA will have to report any previous breaches they've had, says Christina Anderson, director of human resources at T-System.

Since passage of the HITECH Act, the vendor has tightened its oversight of business subcontractors, making sure they get the same privacy and security training as employees, Anderson says. So already, the rule that isn't yet final is in effect to some degree, she notes.

Will Big Companies Balk at the New Rules?

If a company won't sign a HIPAA compliance business associate agreement with WPC Services, the consulting subsidiary of Washington Publishing Co., then WPC has to find another way to get the services it wants, says Eric Mueller, president.

That's just a reality, but it's also a concern as HIPAA rules get tightened to make business associates and subcontractors legally liable for ensuring the security and privacy of protected health information. Mueller fears that multi-industry business associates that many health care entities use, such as Microsoft, SAS and Oracle, will balk at signing agreements that make them liable under HIPAA.

And that means covered entities won't be able to adopt new technologies or processes if they can't find a business associate to sign a business associate agreement. These large companies consider themselves content vendors that provide platforms to store or use data, and not health care companies.

Really, Mueller wonders, are these companies going to accept the security demands of a health care industry that still commonly uses FTP to communicate? 'This liability gray area is going to prevent covered entities from adopting new technologies,' he contends. 'The HHS Office for Civil Rights will have to define liability gray areas and where the lines are drawn.'

Cyber Liability Insurance Offers Nuanced Protection

Provisions of the HITECH Act may strengthen privacy and security protections, but breaches of protected health information will still occur.

One risk management tool available to covered entities, business associates and their subcontractors is cyber liability insurance, which will pay for some of the costs of breach remediation.

The insurance typically covers network security (protect against destruction, deletion or obstruction of data), privacy liability (costs of a breach response from inadvertent disclosure of data), crisis management (data forensics investigation and breach notification) and cyber extortion (use of malicious code to destroy data or holding data for ransom).

But there are nuances to the coverage, says Brian Lapidus, COO of the fraud solutions unit of security firm Kroll Inc., New York. Policies vary based on the dollar amount of coverage that a customer is willing to pay. It's also important for an organization to fully understand its risk portfolio before buying insurance that may not pay as expected, he adds.

Carriers typically will require a risk assessment before writing a policy. Further, most policies will include conditions related to ongoing security controls, and failure to maintain the controls could void the coverage.

Depending on the insurance carrier and the price tag, a policy may or may not cover legal expenses, public relations services and response activities such as patient notification, Lapidus notes. It's important that an organization's privacy, risk management and compliance officers collaborate when shopping for cyber liability insurance, as all policies have some cap on coverage.

If a breach occurs, Lapidus advises getting outside legal counsel in most cases. Health care privacy counsel is a niche area, and many provider organizations and vendors they deal with don't have a specialized attorney on staff or under contract.

Organizations also should contract for a forensic investigation to better understand the scope of a breach, how it occurred, and even whether it occurred at all, Lapidus says. He recalls a hospital that had a 'huge event' that could have affected 750,000 patients, but an investigation found the network was not hacked and data was not compromised.

'Forensics is not the first thing organizations think about,' he adds. 'They think about notifying clients and patients. Forensics helps you make the right decisions for notifying.'

Another tip: Cleaning patient mailing lists before sending notifications will mitigate costs and demonstrate to regulatory agencies that an organization is being diligent about getting in touch with the right people.