Category Archives: HIPAA

July 1, 2013

Checklist for HIPAA Business Associate Agreements

by Kim Stanger, Holland & Hart LLP

In the wake of the HITECH Act and recent Omnibus Rule changes, business associates¹ of covered entities must comply with most of the HIPAA Privacy and Security Rules applicable to covered entities or face penalties of $100 to $50,000 per violation.² Among other things, covered entities and business associates must execute agreements whereby the business associate agrees to comply with certain Privacy and Security Rule provisions affecting protected health information (“PHI”).³ The Omnibus Rules will require most covered entities and business associates to review and update their business associate agreements (“BAAs”) by September 23, 2013.⁴ The Omnibus Rules will also require covered entities to execute BAAs with certain entities that were not considered business associates in the past, including data storage companies and entities that provide data transmission services and require access to the data on a routine basis.⁵ To see a decision tree for determining business associate status, click here.

Checklist for BAA Compliance. Under the HIPAA Privacy and Security Rules, BAAs generally must contain the following terms.⁶ To the extent the business associate enters a BAA with its subcontractors, those subcontract BAAs should also contain equivalent terms.⁷

Establish the permitted and required uses and disclosures of PHI by the business associate.⁸ The BAA may not authorize the business associate to use or further disclose the PHI in a manner that would violate the Privacy Rule if done by the covered entity, except that the BAA may but is not required to:
1. Permit the business associate to use and disclose PHI for the proper management and administration of the business associate.
2. Permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
3. Permit the business associate to disclose PHI for the foregoing purposes if (1) the disclosure is required by law, or (2)(i) the business associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and (ii) the person notifies the business associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
Provide that the business associate will:⁹
1. Not use or further disclose the PHI other than as permitted or required by the BAA or as required by law.
2. Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the BAA.
3. Where applicable, comply with Security Rules with respect to electronic PHI.
4. Report to the covered entity any security incidents or use or disclosure of PHI not provided for by the BAA of which it becomes aware, including breaches of unsecured PHI as required by § 164.410.
5. Ensure that any subcontractors that receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI. Business associates may do so by requiring the subcontractors to execute a BAA with the business associate.
6. Make available PHI consistent with the patient’s right to access PHI as set forth in § 164.524.
7. Make available PHI for amendment and incorporate any amendments to PHI in accordance with
  § 164.526.
8. Make available the information required to provide an accounting of disclosures in accordance with
  § 164.528, including certain information concerning disclosures of PHI in violation of the Privacy Rule.
9. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligation. [Note: this is a new requirement under the Omnibus Rule].
10. Make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary of HHS for purposes of determining the covered entity’s compliance with the Privacy Rule.
Include appropriate termination provisions¹⁰ , i.e.:
1. At termination of the contract, if feasible, the business associate must return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such PHI.
2. If such return or destruction of PHI is not feasible, extend the protections of the BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
3. Authorize termination of the BAA by the covered entity if the covered entity determines that the business associate has violated a material term of the BAA.

Additional Terms. The OCR has published sample BAA language at its website, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. However, the OCR’s sample language may not include additional terms that covered entities and business associates may want to include in their agreements. For example, while not required by HIPAA, covered entities may want to:

Confirm that the business associate is acting as an independent contractor and not as the agent of the covered entity.
Require business associates and subcontractors to carry appropriate insurance to cover HIPAA violations.
Require business associates and subcontractors to defend and indemnify the covered entity for violations of HIPAA or the BAA.
Require business associates, at their own cost, to respond to any potential HIPAA violation and provide any notice of privacy breaches or security incidents as mandated by the Privacy, Security or Breach Notification Rules.
Impose time limits or other conditions on the business associate’s performance so long as such conditions do not establish an agency relationship as discussed below.
Coordinate the BAA with the underlying services agreement.
Include additional term or termination provisions.
Authorize termination of the underlying services agreement if the BAA is terminated.
Allow for amendment of the BAA as necessary to accommodate changes to the HIPAA Rules.
Include choice of law and venue provisions.

Business associates may want to include additional or alternative terms that minimize their exposure, such as:

Prohibit covered entities from asking the business associate to take any action that would violate the HIPAA Rules if done by the covered entity.
Prohibit covered entities from agreeing to restrictions on the use or disclosure of PHI that might adversely affect the business associate, or notify the business associate of such restrictions.
Authorize termination of the BAA if the covered entity agrees to restrictions that materially affect the business associate’s ability to perform or costs of performance.
Allow the business associate to recover costs associated with such additional restrictions or requirements.
Eliminate or limit any insurance or indemnification agreement otherwise requested by the covered entity.
Waive or limit damages for which the business associate may be liable under the BAA.

Liability for Business Associate’s Action. The HIPAA Privacy and Security rules confirm that a covered entity violates HIPAA if the covered entity knew of a pattern of activity or practice of a business associate that constituted a material breach or violation of the BAA unless the covered entity took reasonable steps to cure the breach, end the violation, or terminate the contract.¹¹ In addition, a covered entity may be vicariously liable for the business associate’s misconduct if the business associate was acting as the agent of the covered entity.¹² The same rules apply to a business associates with respect to their subcontractors.¹³ Accordingly, covered entities and business associates should ensure that their BAAs:

Confirm the business associate or subcontractor is acting as an independent contractor, and not as the agent of the covered entity or business associate; and
Confirm that the BAA does not give the covered entity or business associate such control over operational activities so as to make the business associate the agent of the covered entity, or the subcontractor the agent of the business associate.

Effect of No BAA. Covered entities and business associates violate HIPAA if there is no required BAA in place; however, business associates must still comply with the relevant HIPAA Rules even if there is no BAA.

Additional Resources. If you have questions about these or other issues, the Office of Civil Rights maintains a helpful website on HIPAA issues, http://www.hhs.gov/ocr/privacy/. In addition, Holland & Hart has prepared sample HIPAA forms for its clients, including sample business associate and subcontractor agreements. If you are interested in obtaining such forms, please contact me at kcstanger@hollandhart.com.

¹Under HIPAA, “business associates” are generally defined as those entities outside of the covered entity’s workforce who create, receive, maintain or transmit PHI on behalf of a covered entity to perform certain enumerated functions, including claims processing; data analysis; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services; data transmission services if routine access to data is required; and subcontractors of business associates. 45 CFR § 160.103.
²Id. at §§ 164.402 and .404.
³Id. at §§ 164.308(b) and .502(e)(1)-(2).
⁴The Omnibus Rule extends the deadline to September 23, 2014, if (1) the BAA complied with HIPAA rules as they existed before January 25, 2013, and (2) the BAA is not renewed or modified prior to September 23, 2014. See id. at
§ 164.532(e).
⁵Id. at § 164.103.
⁶A covered entity need not execute a BAA if the covered entity disclosed only a limited data set (as defined by HIPAA) to the business associate and the covered entity has a data use agreement with the business associate that complies with §§ 164.514(e)(4) and 164.314(a)(1), if applicable. See id. at § 164.504(e)(3)(iv). If the covered entity and business associate are both governmental entities, the BAA may contain certain alternative or additional provisions. See id. at
§ 164.504(e)(3).
⁷Id. at §§ 164.314(a)(2)(iii) and .504(e)(5).
⁸Id. at § 164.504(e)(2)(i) and (4)(i)-(ii).
⁹Id. at §§ 164.504(e)(2)(ii) and .314(a)(2)
¹⁰Id. at § 164.504(e)(2)(ii)(J) and (iii). The covered entity may omit the provision authorizing termination if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate. See id.
at § 164.504(e)(3)(iii).
¹¹Id. at § 164.504(e)(1)(ii).
¹²Id. at § 160.402(c).
¹³Id. at §§ 160.402(c) and 164.504(e)(1)(iii).

For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

May 22, 2013

Idaho University to Pay $400,000 for HIPAA Violations: Lessons Learned and Resources to Avoid Penalties

by Kim Stanger, Holland & Hart LLP

This week, Idaho State University agreed to pay $400,000 to settle HIPAA Security Rule violations that allegedly left the electronic health information of 17,500 patients accessible for at least 10 months. According to the Office of Civil Rights (“OCR”):

ISU disabled firewall protections that would have otherwise protected the information on its servers.
ISU’s risk analyses and assessments of its affiliated clinics were inadequate.
ISU failed to apply proper security measures and policies to address risks to the information.
ISU did not have procedures for routine review of its system which could have detected the firewall breach much sooner.

All of these items were required by the Security Rule. The OCR’s press release is located here.

This case offers several lessons for all providers and their business associates:

The OCR is serious about Security Rule compliance. Like most of the recent reported cases in which penalties were imposed, this case arose from the violation of the Security Rule. Many if not most providers have ignored or do not understand the specific, technical requirements of the Security Rule. This is the second time the OCR has imposed penalties on Idaho providers for Security Rule violations this year; even larger penalties have been imposed on entities in other states. The message is clear: providers must take Security Rule compliance seriously.
Business associates beware. In addition to providers, HIPAA now applies directly to business associates of providers. Business associates are those entities who create, maintain, receive or transmit protected health information on behalf of providers. Business associates must also comply with Security Rule requirements. Many business associates may not understand their HIPAA obligations.
Perform and document a proper risk assessment. The Security Rule requires covered entities and business associates to perform, document, and periodically update a risk assessment of their information systems to ensure they have adequate policies and procedures to protect electronic health information. The OCR has published a guide for conducting appropriate risk assessments, which is available here.
Implement the required Security Rule policies and procedures. The Security Rule requires providers and business associates to implement specific administrative, physical and technical safeguards set forth in 45 CFR § 164.300 et seq. Implementing and documenting such safeguards are keys to avoiding HIPAA violations and, if violations occur, HIPAA penalties. The OCR has published a series of guides to help providers and business associates implement the Security Rule; the guides are found here.
Respond immediately if you discover a potential breach. Responding immediately may help avoid or mitigate security breaches. In addition, providers and business associates can avoid penalties altogether if (1) the violation did not result from willful neglect, and (2) they correct the problem within 30 days. It behooves providers and business associates to ensure they have the required safeguards in place and respond immediately to potential breaches, including making any necessary reports to individuals or HHS.

Holland & Hart HIPAA Resources. Holland & Hart has prepared resources to help clients and contacts comply with the HIPAA rules, including the following:

A redlined copy of the Security, Privacy and Breach Notification Rules which shows the changes made by the recent HIPAA Omnibus Rule. Click here to view.
Checklists of required HIPAA polices. Security checklist | Privacy checklist.
Sample HIPAA Privacy Rule policies and forms. For information concerning the policies and forms, contact kcstanger@hollandhart.com.
Articles offering suggestions for complying with HIPAA, including the new HIPAA Omnibus Rule requirements. The articles may be downloaded at http://www.hollandhart.com/healthcare/.
HIPAA training webinar. This hour-long webinar was originally presented as part of our Health Law Basics series. The recording may help entities satisfy HIPAA training requirements. The recording is available for download here.

We hope these resources will help our clients and friends comply with HIPAA and avoid the penalties.

March 1, 2013

HIPAA Omnibus Rule: Checklist for Compliance

by Kim Stanger, Holland & Hart LLP

The new HIPAA omnibus rule modifies the privacy and security rules for covered entities (including health care providers and health plans), and their business associates. Although the new rules are effective March 26, 2013, covered entities and business associates generally have until September 23, 2013 to comply.¹ Before then, covered entities and business associates need to do the following:

Business Associates: Implement HIPAA Policies, Procedures and Safeguards. The HIPAA privacy and security rules now apply directly to business associates of covered entities.² “Business associates” are those outside entities that create, receive, maintain or transmit protected health information in the course of performing functions on behalf of a covered entity, including contractors, consultants, data storage companies, health information organizations, and subcontractors of business associates.³ Business associates must now implement many of the same policies, procedures and safeguards that have been required of covered entities for years, including the following:
1. Security Rule. Business associates will need to conduct and document a risk assessment of their information technology systems and implement the specific administrative, technical and physical safeguards specified in the Security Rule.⁴ The Office of Civil Rights’ website contains helpful guidance for Security Rule compliance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.
2. Privacy Rule. Most of the privacy rule provisions do not apply directly to business associates, but because business associates cannot use or disclose protected health information in a manner contrary to the limits placed on covered entities,⁵ business associates will need to implement many of the same policies and safeguards that the Privacy Rule mandates for covered entities, including rules governing uses and disclosure of protected health information and patient rights concerning their information.⁶ Those are typically outlined in the business associate’s agreement with the covered entity. Since business associates are now directly liable for HIPAA violations, they should ensure they understand and train their employees concerning HIPAA Privacy and Security Rule requirements.
3. Breach Notification. If a business associate becomes aware of a breach of unsecured health information, they must notify the covered entity and assist the covered entity in responding to the breach.⁷
Identify New Business Associates and Execute Agreements. Covered entities are required to have business associate agreements with their business associates before allowing them to use or disclose protected health information. The omnibus rule expanded the definition of “business associates” to include entities that provide data transmission services and require routine access to information such as health information organizations.⁸ Covered entities should identify any such business associates and execute appropriate agreements with them. Business associates must execute appropriate business associate agreements with their own subcontractors if the subcontractor creates, receives, maintains or transmits protected health information for the business associate.⁹
Review and, If Necessary, Amend Business Associate Agreements. Covered entities and business associates must ensure that their existing and future agreements contain the elements required by 45 CFR § 164.314(a) and .504(e). In addition to previous requirements, the agreement must require the business associate to:
1. Comply with the security rule.
2. Execute business associate agreements with their subcontractors.
3. To the extent the business associate carries out on obligation of a covered entity, comply with any HIPAA rule applicable to such obligation.
4. Report breaches of unsecured protected health information to the covered entity.
The OCR has published updated sample business associate language at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. The omnibus rule confirms that covered entities are liable for the misconduct of business associates if the business associate is acting as the agent of the covered entity.¹⁰ To minimize their exposure, covered entities and business associates should ensure their agreements confirm that their business associates and subcontractors are acting as independent contractors and not as the agents of the covered entity or business associate, and that the agreements do not give the covered entity too much control over day-to-day operations of the business associate.¹¹ Covered entities may also want to include indemnification or similar clauses to protect themselves. Covered entities have up to September 22, 2014 to modify business associate agreements if (1) the agreement they had in place on January 25, 2013, complied with the HIPAA rules as of that date, and (2) the agreement does not expire or renew (other than through evergreen clauses) prior to September 22, 2014.¹²
Update Privacy Policies. Covered entities should update their privacy policies to comply with the new omnibus rules, including the following as applicable to the covered entity:
1. Deceased Persons. Covered entities may now disclose protected health information to family members or others who were involved in the decedent’s health care or payment for their care prior to the decedent’s death so long as the disclosure is relevant to the person’s involvement and is not inconsistent with the decedent’s prior expressed wishes.¹³
2. Patient Access to Electronic Information. If a patient requests an electronic copy of their information, covered entities must generally produce it in the form requested if readily producible.¹⁴ If the patient directs the covered entity in writing to transmit a copy of the electronic information to another person, the covered entity must generally comply.¹⁵
3. Response to Request for Access. Covered entities must generally respond to a patient’s request to access their information within 30 days; the omnibus rule eliminated the provision that gave covered entities extra time to respond if records were maintained offsite.¹⁶
4. Limits on Disclosures to Insurers. Covered entities cannot disclose information about a patient’s care to an insurer if (1) the insurer seeks the information for treatment or payment purposes; (2) the patient or someone on the patient’s behalf paid for the care to which the information pertains; and (3) the patient requests that the information be withheld from the insurer.¹⁷ Good luck implementing this requirement. Developing a workable solution may take some advance preparation. Fortunately, the limit only applies if a patient requests nondisclosure; most patients will not request this restriction unless asked, so covered entities should not raise the issue with the patient. If a patient does request nondisclosure, covered entities should require that such requests be directed to a central person who can coordinate the efforts among billing, medical records, IT, and other relevant departments to ensure the protected data is sequestered.
5. School Immunizations. Covered entities may now disclose information about immunizations to a school if (1) state law requires such information for school enrollment; and (2) the patient or their personal representative consents to the disclosure. The consent may be oral.¹⁸
6. Sale of Information. Covered entities must obtain written authorization to sell a patient’s information, and the authorization must disclose that the sale will result in remuneration to the covered entity.¹⁹
7. Marketing. Covered entities must obtain written authorization to use the patient’s information for marketing purposes, including most non-face-to-face communications for treatment purposes if the covered entity receives financial remuneration to make the communication.²⁰ If remuneration is involved, the marketing authorization must disclose that fact.
8. Fundraising. The new rule allows covered entities to disclose more information to institutionally related foundations to assist with fundraising, but fundraising communications must explain how the recipient may opt out of receiving such communications and the opt out method cannot be burdensome.²¹
9. Research. If the covered entity engages in research, it should review new standards applicable to research as described in 45 CFR § 164.508(b).
Update Breach Notification Policies. The omnibus rule modified the standard for reporting breaches of unsecured health information. Under the new standard, the unauthorized acquisition, access use or disclosure of protected health information in violation of the Privacy Rule is presumed to be a reportable breach unless (1) the covered entity or business associate demonstrates there is a low probability that the information has been compromised based on a risk assessment of certain factors, or (2) the breach fits within certain exceptions.²² Covered entities must ensure that their policies incorporate and that they apply this new, arguably lower standard. For more information about the breach notification standard, see my recent Healthcare Update at http://www.hollandhart.com/pubs/uniEntity.aspx?xpST=PubDetail&pub=2094. Given the lower standard, covered entities and business associates may want to consider encrypting records to the extent possible to avoid reportable breaches.
Modify Notice of Privacy Practices. Covered entities must update their notices of privacy practices to add the following:
1. A description of the types of information that require an authorization, i.e., psychotherapy notes, marketing, and sale of information.²³
2. A statement that other uses or disclosures not described in the notice will require an authorization.²⁴
3. A statement that the recipient of fundraising materials may opt out.²⁵
4. A description of the individual’s right to limit disclosures to insurers if the patient paid for the relevant care.²⁶
5. A statement that the covered entity must notify the patient of a breach of unsecured protected health information.²⁷
Train Employees. Covered entities and business associates must train their employees concerning the new rules.²⁸
Review HIPAA Compliance. Given the new, lower breach notification standard, covered entities will likely to be required to self-report more breaches. Those reports may result in more patient complaints and government investigations. Accordingly, it is a good time to review and, as necessary, improve your compliance with all the HIPAA rules, not just the new omnibus rules. Doing so may help you avoid reportable breaches and, if a breach occurs, sidestep HIPAA penalties, which can range from $100 to more than $50,000 per violation. Having the required policies and safeguards in place coupled with prompt action to correct any breach will likely establish an affirmative defense to any penalties. For suggested steps to avoid penalties, see my recent Healthcare Update at http://www.hollandhart.com/pubs/uniEntity.aspx?xpST=PubDetail&pub=1898.

Resources. To assist clients in complying with the new omnibus rule and HIPAA in general, I have prepared sample Privacy Rule policies, forms, and agreements. If you would like to obtain a set of the sample documents, please contact me at kcstanger@hollandhart.com.

¹45 CFR § 160.105
²Id. at § 164.104(b)
³Id. at § 164.103
⁴Id. at §§ 164.302 to .316
⁵Id. at § 164.502(a)(3)
⁶Id. at § 164.502 to .528
⁷Id. at § 164.410
⁸Id. at § 164.103
⁹Id. at § 164.314(a)(2) and .502(e)(1)
¹⁰Id. at § 164.402(c)
¹¹See 78 FR 5581
¹²45 CFR § 164.532(e)
¹³Id. at § 164.510(b)(5)
¹⁴Id. at § 164.524(c)(2)(ii)
¹⁵Id. at § 164.524(c)(3)(ii)
¹⁶Id. at § 164.524
¹⁷Id. at § 164.522(a)(1)(vi)
¹⁸Id. at § 164.512(b)(1)(vi)
¹⁹Id. at § 164.502(a)(5)(ii) and .508(a)(4)
²⁰Id. at § 164.501 and .508(c)
²¹Id. at § 164.514(f)
²²Id. at § 164.402
²³ Id. at § 164.520(b)(1)(ii)(E)
²⁴Id. at § 164.520(b)(1)(ii)(E)
²⁵Id. at § 164.520(b)(1)(iii)
²⁶Id. at § 164.520(b)(1)(iv)(A)
²⁷Id. at § 164.520(b)(1)(V)(A)
²⁸ Id. at § 164.530(b)

January 18, 2013

HHS Issues New HIPAA Omnibus Rule

by Kim Stanger, Holland & Hart LLP

HHS issued the new HIPAA omnibus rule yesterday. The new rule contains important changes for health care providers and their business associates. For example, the new rule:

Modifies the standard for reporting breaches to patients and HHS. HHS replaced the former “no harm, no foul” rule with a new standard: a breach is presumed unless the covered entity can demonstrate a low probability that the protected health information has not been compromised. This requires an assessment of specified factors and will likely increase the number of reportable breaches.
Confirms HIPAA requirements for business associates and their subcontractors. Business associates are subject to HIPAA penalties if they fail to comply. The definition of “business associates” was expanded to include entities that provide data transmission services for protected health information and require routine access to the information.
Confirms providers are liable for their business associate’s violations if the business associate is acting as the agent for the provider. The rule’s commentary contains a helpful analysis for determining whether an agency relationship exists.
Makes it easier for family members to obtain information about decedents. The rule also confirms that HIPAA does not apply to information 50 years after the decedent’s death.
Expands patients’ right to obtain electronic copies of their records.
Prohibits providers from disclosing information to health insurers if the patient pays for the treatment and requests that the information not be disclosed to insurers. Implementation will create significant practical problems for practitioners.
Prohibits the sale of protected health information unless certain conditions are satisfied.
Imposes additional requirements for the use of protected health information for marketing or fundraising. Among other things, an authorization is required to disclose information for treatment purposes if the provider is receiving remuneration for the disclosure.
Requires new provisions to be added to providers’ Notice of Privacy Practices, including a description of disclosures that require authorizations and notice of a patient’s right to receive notice of HIPAA breaches.

The new rules take effect March 23, 2013, but covered entities and business associates will have until September 23, 2013 to comply. Before then, providers will need to take certain actions to remain compliant, including:

Modify their Notice of Privacy Practices.
Update and/or execute new business associate contracts, including contracts for subcontractors and health information organizations. Existing compliant contracts do not need to be modified until September 2014.
Revise privacy, security and breach notification policies to incorporate the new requirements.
Modify authorizations and other forms as necessary to track the new rules.
Ensure their electronic medical records programs have the functionality to address the new regulatory requirements.
Take even greater care to protect patient information given the new standard for evaluating whether breaches are reportable.

Business associates will also need to implement HIPAA privacy and security policies and safeguards applicable to business associates. HHS estimates that complying with the new requirements will cost affected parties a total of $114 million to $225 million during the first year. The new rule can be accessed at: http://www.ofr.gov/OFRUpload/OFRData/2013-01073_PI.pdf. HHS’s press release can be accessed at www.hhs.gov/news/press/2013pres/01/20130117b.html.

July 11, 2012

HIPAA Compliance: Security Rule Enforcement on the Rise

Most healthcare providers are acutely aware of and generally comply with the HIPAA Privacy Rule; however, they and their business associates may be less familiar with and likely fail to satisfy HIPAA Security Rule requirements. The Privacy Rule generally prohibits covered entities from using or disclosing a patient’s protected health information (“PHI”) without authorization. (45 C.F.R. § 164.500 et seq.). In contrast, the Security Rule applies to electronic health information (“e-PHI”). It requires covered entities and their business associates to implement specific administrative, technical, and physical safeguards to protect the integrity, availability, and confidentiality of e-PHI, e.g., by ensuring that computers and other electronic devices satisfy regulatory standards pertaining to passwords, firewalls, backups, transmission security, etc. (45 C.F.R. § 164.300 et seq.).

In the past, the Office of Civil Rights (“OCR”) seemed not to actively enforce the Security Rule, but that is changing:

In March, Blue Cross Blue Shield of Tennessee (“BCBS”) agreed to pay $1.5 million for security rule violations arising out of the theft of unencrypted laptops. Among other things, BCBS failed to conduct the required security assessment and implement access controls required by the Security Rule.
In April, a Phoenix cardiology group agreed to pay $100,000 for, among other things, failing to designate a security officer, conduct the required security assessment, implement safeguards required by the Security Rule, or execute business associate agreements with vendors who stored or accessed e-PHI.
In June, the Alaska Department of Health and Social Services (“DHSS”) agreed to pay $1.7 million after a USB hard drive was stolen. The OCR’s investigation showed that DHSS did not have adequate policies and procedures in place to safeguard ePHI, and had not completed the required risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the Security Rule.

These actions sound a wake up call to all providers and business associates—large, small, or public—who have ignored or become lax with Security Rule compliance. As OCR Director Rodriguez stated, “We hope that health care providers pay careful attention to [these] resolution agreement[s] and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” The OCR is now required to impose mandatory penalties of $10,000 to $50,000 per violation if a provider is determined to have acted with willful neglect. Based on the recent cases, failing to implement safeguards required by the Security Rule may evidence willful neglect.

If they have not done so recently, providers and their business associates should review their Security Rule compliance. Among other things, they should conduct a security assessment to determine their system vulnerabilities, and implement the safeguards specified in the Security Rule regulations. To obtain a checklist for Security Rule compliance, please click here. In addition, the OCR has published several tools to help entities comply:

The OCR’s recently published HIPAA Audit Protocol is a good roadmap for compliance; it is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
The OCR’s Final Guidance on Risk Analysis is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html.
The OCR’s series of technical guides for implementing the security rule is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.

Putting in place the required policies and practices and documenting appropriate training will go a long way to avoiding Security Rule penalties. More importantly, they will help providers avoid potentially devastating consequences of a security failure, system crash, or the loss of electronic data which the Security Rule is designed to protect. In that regard, Security Rule compliance is not just a regulatory mandate; it is a prudent business practice.

April 25, 2012

Avoid New HIPAA Penalties

Recent changes to the HIPAA privacy and security rules dramatically increase health care providers’ and their business associates’ potential liability for HIPAA violations.

HIPAA Civil Penalties Are Now Mandatory. In 2009, the penalties for HIPAA violations were increased 500 times their prior limits. Effective February 2011, the Office of Civil Rights (“OCR”) is required to impose HIPAA penalties if the covered entity or its business associate acted with willful neglect, i.e., with “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA requirements. The following chart summarizes the penalty structure:

Conduct of covered entity or business associate	Penalty
Did not know and, by exercising reasonable diligence, would not have known of the violation	$100 to $50,000 per violation; Up to $1,500,000 per identical violation per year
Violation due to reasonable cause and not willful neglect	$1,000 to $50,000 per violation; Up to $1,500,000 per identical violation per year
Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew or should have known of the violation	Mandatory fine of $10,000 to $50,000 per violation; Up to $1,500,000 per identical violation per year
Violation due to willful neglect and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation	Mandatory fine of not less than $50,000 per violation; Up to $1,500,000 per identical violation per year

The federal government is serious about the new penalties: the OCR has imposed millions of dollars in penalties or settlements since the mandatory penalties took effect. State attorneys general may also sue for HIPAA violations and recover penalties of $25,000 per violation plus attorneys’ fees. When implemented, HITECH amendments will allow patients to recover a portion of any settlement or penalties related to a HIPAA violation, thereby increasing patients’ incentive to report HIPAA violations.

The good news is that if the covered entity or business associate does not act with willful neglect, the OCR may waive or reduce the penalties, depending on the circumstances. More importantly, if the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.

HIPAA Violations May Be A Crime. Federal law prohibits any individual from improperly obtaining or disclosing protected health information from a covered entity without authorization; violations may result in the following criminal penalties:

Prohibited Conduct	Penalty
Knowingly obtaining or disclosing protected health information without authorization.	Up to $50,000 fine and one year in prison
If done under false pretenses.	Up to $100,000 fine and five years in prison
If done with intent to sell, transfer, or use the information for commercial advantage, personal gain or malicious harm.	Up to $250,000 fine and ten years in prison

Physicians, hospital staff members, and others have been prosecuted for improperly accessing, using or disclosing protected health information.

Entities Must Self-Report HIPAA Breaches. The risk of penalties is compounded by the fact that covered entities and business associates must self-report HIPAA breaches that pose a significant risk of financial, reputational or other harm to the individual whose information was breached. If the business associate learns of such a breach, it must report the breach to the covered entity without unreasonable delay. The covered entity must report a breach to the affected individual or their personal representatives and the federal Department of Health and Human Services (“HHS”). If the breach involves more than 500 persons, the covered entity must also publish information about the breach through local media.

What You Need To Do To Avoid Penalties. Given this increased exposure, health care providers and their business associates should do the following to avoid HIPAA penalties:

1. Assign HIPAA responsibility. Covered entities must designate persons to serve as their HIPAA privacy and security officers, and document the designation in writing. The privacy and security officers are responsible for ensuring HIPAA compliance.

2. Know the use and disclosure rules. The basic privacy rules are simple: covered entities and business associates may not use, access or disclose protected health information without the patient’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception. Covered entities and business associates may use or disclose protected health information for purposes of treatment, payment or certain health care operations without the patient’s consent; however, they may not use or disclose more than is minimally necessary for the permitted purpose. Additional exceptions apply to specific situations. The OCR maintains a very helpful website to aid covered entities’ compliance: http://www.hhs.gov/ocr/privacy/.

3. Know patients’ rights. HIPAA grants patients certain rights concerning their health information. Among others, patients generally have a right to obtain copies of their protected health information; request amendment to their information; and obtain an accounting of impermissible disclosures. Covered entities and business associates must know and allow patients to exercise their rights. Cignet Health was fined $4.3 million for, among other things, failing to timely respond to patient requests to access their health information.

4. Maintain written policies. HIPAA requires covered entities and business associates to develop and maintain written policies that implement the privacy and security rule requirements, including those dealing with confidentiality and patients’ rights. Having the required policies is a key to avoiding penalties. According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for “willful neglect.” Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies. This week, a Phoenix cardiology group was fined $100,000 in part because it failed to have written policies required by HIPAA. To obtain a checklist of required policies, contact me at kcstanger@hollandhart.com.

5. Develop compliant forms. HIPAA requires that certain documents used by covered entities and business associates satisfy regulatory requirements. For example, HIPAA authorizations must contain certain elements to be valid. Covered entities must provide patients with a notice of privacy practices that contains certain statements. Other forms may be developed to ensure compliance with patient rights. Ensure your HIPAA forms satisfy the regulatory requirements.

6. Execute business associate agreements. Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute “business associate agreements” with their business associates before disclosing protected health information to the business associate. Under proposed rules, business associates must execute similar agreements with subcontractors to whom the business associate discloses protected health information. The business associate agreements must contain certain elements. Breach of the business associate agreement exposes the business associate to contract claims by the covered entity in addition to civil or criminal penalties imposed by the government. Covered entities are generally not liable for the actions of their business associates unless the business associate is acting as the agent of the covered entity. Make sure your business associate agreements confirm that the business associate is an independent contractor, not your agent.

7. Train employees and agents. Having the policies and forms is only the first step; covered entities and business associates must train their employees to comply with the policies and document. HIPAA requires that new employees are trained within a reasonable period of time after hire, and as needed thereafter. Documented training is a second critical step to avoid HIPAA compliance. According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.

8. Use appropriate safeguards. The government recognizes that patient privacy cannot be absolutely protected. HIPAA does not impose liability for “incidental disclosures” so long as the covered entity or business associate implemented reasonable administrative, technical and physical safeguards designed to protect against improper disclosures. The security rule contains detailed regulations concerning safeguards that must be implemented to protect electronic health information. The privacy rule is less specific. The reasonableness of safeguards depends on the circumstances, but may include, e.g., not leaving protected health information where it may be lost or improperly accessed; checking e-mail addresses and fax numbers before sending messages; using fax cover sheets; etc.

9. Respond immediately to any breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA. It may also require covered entities to terminate an agreement with a business associate due to the business associate’s noncompliance. Second, an entity may be able to ameliorate or negate any risk of harm to the patient by taking swift action, thereby avoiding the obligation to self-report HIPAA violations to the individual and HHS. Third, a covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.

10. Timely report breaches. If a breach of unsecured protected health information poses a risk of significant financial, reputational or other harm to the patient, business associates must promptly report the breach to covered entities, and covered entities must notify the patient within 60 days. If the breach involves less than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year. If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the patient. The written notice to the patient must satisfy regulatory requirements.

11. Document your actions. Documenting proper actions will help you defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

As I write this article, the Office of Management and Budget is reviewing new HIPAA regulations. Covered entities and business associates should watch for the new regulations and implement any additional changes as necessary.

For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913