liabilitiesThis new BA liabilities guidance from OCR is important because it defines clearly all the things we hear misstated over and over.  Several of our Top 10 Wrong HIPAA Statements episode are addressed in the simple ten item list. Today we will discuss the announcement and what does that mean to BAs and their privacy and security programs.



Specific BA Liabilities According To OCR

The guidance starts very clearly with what it is all about and then hits the bullets.  “Business associates are directly liable for HIPAA violations as follows: “ says it can’t be much more specific and still be lawyers to me.

Let’s discuss each of the 10 points:

Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.

After we learned that OCR does flow downhill and uphill during investigations this one must have come up somewhere.  I would not be surprised, that is for certain.  For now, we will just assume they are simply pointing out that if they come knocking on your door they expect you to cooperate.

Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

Since the discussion already lines up for next week centers around whistleblower efforts, this one certainly applies here.  Pointing out that the law requires certain actions does not mean someone should be fired or treated poorly pushing them to quit.

Failure to comply with the requirements of the Security Rule.

We always say that the whole security rule applies.  Many people seem to think the only parts that apply are the passwords and antivirus.  I can’t count the number of times that a BA contingency plan will say something along the lines of “not applicable to us because we don’t see patients”.  The flip side of that is that most CEs or upstream BAs are counting on the BA to be there to perform duties. Both sides have no idea what is expectation versus reality in these situations.

Failure to provide breach notification to a covered entity or another business associate.

I struggle with this one many times trying to get people to understand you don’t get to decide everything.  You need to let your upstream know what happened no matter how small.  Until you get that call from someone else instead of your downstream you can’t begin to understand how it makes you feel.

Impermissible uses and disclosures of PHI.

We don’t have to worry about the privacy rule because we are BAs – BAM – not true!  If you don’t know what you are allowed to do and prohibited from doing how likely is it that you will be certain to follow the rules?

One example I use to explain the importance of this one to IT providers is this:

A tech is doing their job working with a doctor’s office.  They connect to a workstation where the user is reporting a problem like they can’t print the patient information on their screen.  The patient on the screen just happens to be an acquaintance of the tech.

The tech doesn’t mention it or do anything then.  However, the next time the tech sees the patient they say “Oh yeah, I didn’t know you were seeing doctor X for your Z condition.”   Based on the training some folks get about HIPAA that interaction would be perfectly fine.  Let’s be clear.  IT IS NOT!

Anything you see or hear involving PHI should be kept confidential under HIPAA privacy laws forever.  It is best to just forget you know things than it is to remember you saw something about someone.

That is why I do everything by account number or medical record number, not patient name.  I do not need to remember a patient’s name or DOB.  I do not need to write them down or type them in a note.  Just a code that means nothing without access to systems.

Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.

This one is probably mostly aimed at billing companies, clearinghouses, and EHR companies.  For years there has been a practice of withholding data or access to information due to conflict between the two companies.  If you are in control of any ePHI you are responsible for the CIA.  That includes the availability of it to the CE or upstream BA who owns the ePHI.  I will say the cases where the CE hosts the data themselves you don’t have the same issue.  If a CE is hosting their own data and they don’t pay for support or have a conflict with their IT company – it may be tough to make this argument when they refuse to help you until you pay them.

On the flip side, if you store ePHI you must be prepared to provide it when asked to do so.  They included a specific example relating to this item at the end of the list also.

For example, where the business associate’s agreement with a covered entity requires it to provide an individual with an electronic copy of his or her ePHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure.

Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Returning to the same issues in item 5 above.  Do you really need access to everything to do your job?  If all your techs have the ability to login with admin rights to servers holding ePHI you should be certain that is really necessary.  The same goes for billing companies, accounting firms, law firms, etc.  We tend to get concerned with convenience on our end just like CEs do.  Does every member of the team need access to client systems, networks, databases, applications, etc.?

Failure, in certain circumstances, to provide an accounting of disclosures.

An accounting of disclosures will be the thing that blows most BAs away.  They don’t seem to understand they are required to keep one.  Let’s point out an important difference here.

HITECH said that all disclosures even those for TPO must be tracked and available for inspection by a patient on request.   HIPAA originally said you only have to track disclosures outside TPO.

No one has figured out how to fully implement the HITECH requirement so HIPAA’s version continues to stand.  The request for comment that HHS/OCR published earlier this year included this topic.  They basically said unless someone has a great idea on how to do this we will table the requirement completely.  I personally see this as the appropriate way to proceed.  The people who put that element in the law had no idea the vast amount of data and systems required to meet that requirement.

The accounting of disclosures must include access to PHI that didn’t fall under TPO but also may not have constituted a breach of PHI.  That means if you have an incident that means an inappropriate person saw PHI but you determined for some reason you didn’t have to consider it a reportable breach it should still be in your accounting of disclosures.  A misdelivered FAX, accessing the wrong patient, a medical record sent to the wrong office, and possession of an unencrypted laptop that was not accessed would all fall under this requirement.

Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

Not shocked here.  We know the first question OCR will ask about anything to do with privacy and security issues concerning BAs is “What is in the BAA?”.  As we discuss in our HBC session, people screw these contracts up all the time.  You can’t just use some template as your standard.  A BA technically needs three versions of their contract:

        1. Upstream to a CE
        2. Upstream to a BA
        3. Downstream to a BA

Hopefully, this is your standard.  However, many times you have to sign the other party’s contact.

As a BA you should keep in mind the most stringent requirements should be part of your policies and procedures.

As you may guess, keeping up with all these agreement conditions can be a nightmare.  That is why a startup we have been talking with has a great solution for helping manage the madness.  The guys at PHIFlow are building a system that “reads” the BAAs and finds the important conditions automatically.

PHIFlow is pretty slick.  They currently let you run 25 contracts through their tool for free.  If you are a BA you should definitely check them out.  Shout out to Greg and Jason.  They aren’t too bad for a couple of guys up in New York City.

A CE, on the other hand, doesn’t need different ones for cases since everyone is downstream to them and a BA even if it is another CE.  However, they may want different requirements based on the risk level and type of BAs they use.  The bigger CEs may find PHIFlow helpful, too.  Smaller groups could run all their contracts through in the free offer.  We expect even small CEs to have 6-10 BAs depending on how they run their business.

Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

The footnotes on most of these just sent you to the legal reference but this footnote added more specifics:

A business associate is not in compliance with the standards in §164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or another arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

No, it is not better to just not know.  Remember, their failure will float up to you.
Pay attention here people.  We hear people complain about their upstream not doing what they are supposed to be doing all the time.  You shouldn’t be worrying about them.  “Worry about yourself!” as Rose says.  If you are doing your job and documenting what you are doing then that protects you from the upstream failures.  However, if your downstream is slack and you know about it then you are definitely on the hook.  No, it is not better to just not know.  Remember, their failure will float up to you.

It will be interesting to see if the massive AMCA breach turns out to have any of these issues.  If you haven’t been following this one don’t worry, we are doing our best.

AMCA is American Medical Collection Agency which is a BA.  They announced at the end of May that they experienced a data breach.  A hacker was roaming around systems with personal data including PHI beginning in August 2018 and kept messing around through March 2019.  Yes, that is a long time in there.  We often point out that it takes a long time to find the hackers once they are in there.

What happened next was that we see breach announcements coming from Quest. LabCorp, and BioReference.  Combined it includes 20 million patients.  We don’t know if this is the end of it either.  There will likely be more is my guess.  Maybe even between the time we record this and release it.

There are now over 10 lawsuits already in play.  Senators have launched inquiries.  Several States Attorney General have gotten involved (remember the teeth in the MIE settlement we just discussed came from the states).

Here’s one point I noticed in all the news.

  • Quest’s announcement said that AMCA was not their direct BA.
  • Quest contracts with Optum360 for RCM services.
  • Optum360 contracts with AMCA for payment collection services.
  • Do you think there is a possibility that AMCA will blame a BA for their breach?  That would put the problem three contracts below Quest.  Definitely, one to watch here.

Yes, this one is ANOTHER victory lap for my 2019 prediction.  Even if we blow it on the others this one will make up for it!

The final bit of the notice from OCR went off into specifics, though.  One directed at item 6 that we included above.  But the last paragraph specifically addresses the issues revolving around payment of patient access to records.  There is a whole industry that built up around Release of Information (ROI) services.  Big names like CIOX with big money are involved in legal maneuvers to protect their business model.  The whole mess with what can be charged for access to those records comes into play here, again.  Remember we discussed this in a previous episode about medical record release fees.

By contrast, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates.  A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged.  If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.

Here OCR is saying they have no authority over BAs to enforce the limits on fees for ROI.  They say that the CE is still responsible for the legal requirements of cost-based fees.  But, no one can make the ROI companies charge just the cost-based fees.  Also, these ROI company’s fees cannot be considered part of your cost.  Too bad, since that was going to the easy way to address the issue.  {Add a reference to this point in the previous episode 199}