DTCI: Business associate classification and HIPAA liability for lawyers

By Jarrod A. Malone

Malone

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the final HIPAA Omnibus Rule (Final Rule) and the Health Information Technology for Economic and Clinical Health Act (HITECH), lawyers who work with protected health information (PHI) may qualify as “business associates” (BA), which mandates strict compliance with HIPAA standards. As a result, many practice areas have been impacted by the “business associate” classification including general health care, litigation and risk management, False Claims Act litigation, medical staff and peer review, personal injury and professional liability. Law firms that work for these clients are governed by HIPAA and are subject to liability for any violations.

The Final Rule highlighted the need for law firms that qualify as business associates of covered entities to evaluate and assess if they are in compliance with the HIPAA regulatory scheme to avoid costly penalties resulting from violations.

Who is a business associate?

As Law Technology Today reported (“What HIPAA Compliance Means for Lawyers as Business Consultants,” published April 17, 2015,) HIPAA defines a business associate as a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. In the final HIPAA Omnibus Rule in 2013, the U.S. Department of Health and Human Services (HHS) significantly expanded the types of persons or entities that qualify as business associates. When business associates such as law firms come in contact with PHI from covered entities, they have to comply with regulations that include using the information only for the purposes for which they were engaged, safeguarding the information and helping the covered entity comply with its obligation under the privacy rule. PHI is interpreted broadly and includes any information about health status, provision of health care or payment for health care that can be linked to a specific individual. It includes any part of a patient’s medical record or payment history. Business associate agreements (BAA) are contracts between HIPAA-covered entities and business associates. BAAs are used to protect PHI in accordance with HIPAA guidelines.

Specifically, the final HIPAA Omnibus Rule extends direct liability for failure to comply with the HIPAA privacy and security rules to business associates (including subcontractors). While some commenters questioned the continued need for BAAs given the direct liability of business associates, HHS provided commentary in the final rule stressing the important functions that BAAs continue to serve. Moreover, HHS pointed out that HITECH ties a business associate’s direct liability to making uses and disclosures of PHI in accordance with the uses and disclosures permitted by the BAA. Thus, the BAA serves to clarify the permissible uses and disclosures and allows the covered entity to limit the uses and disclosures of PHI by a business associate based on the services or activities being performed by the business associate. HHS also indicated that the BAA can be used to contractually require the business associate to perform certain activities for which the business associate does not have direct liability, such as requiring the business associate to amend PHI in accordance with applicable HIPAA regulations. Further, HHS stated that the BAA serves to notify the business associate of its status under the HIPAA rules so that the business associate is fully aware of its obligations and potential liabilities.

With the above considerations in mind, HHS established in the final rule additional requirements for BAAs to address the new obligations of business associates. Specifically, under the final rule, BAAs must now specify that the business associate will:

• Comply, where applicable, with the security rule with regard to electronic PHI;

• Report breaches of unsecured PHI to the covered entity;

• Ensure that any subcontractors of the business associate that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to the information; and

• If a business associate carries out a covered entity’s obligation under the HIPAA privacy rules, the business associate must comply with the requirements of the HIPAA privacy rule that apply to the covered entity in the performance of such obligation.

HHS also clarified that subcontractors of business associates may only use or disclose PHI in a manner that would be permissible if it were being done by the business associate. In other words, any restrictions and conditions on the subcontractor’s use or disclosure of PHI must be the same or more stringent than those to which the business associate is subject and must be specified in the BAA between the business associate and the subcontractor. Any use or disclosure of PHI by a subcontractor that is inconsistent with the BAA is a violation of law and can result in direct, and potentially contractual, liability for the subcontractor.

What is the impact of the business associate classification on lawyers and law firms?

How do lawyers determine whether they qualify as a business associate under HIPAA? The lawyer qualifies if he or she provides legal services to such covered entity other than as a member of the workforce of the entity. The lawyer also qualifies if he or she works for an organized health care arrangement in which the covered entity participates. Moreover, for the lawyer to be considered a business associate, the service he or she renders to the entity or the health care arrangement must involve the disclosure of protected individually identifiable health information from the entity or arrangement (or from another business associate of such covered entity or arrangement) to the person.

The commentary in the final rule provides insight into what qualifies an entity as a business associate by stating, “a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.” If the answer is yes, then lawyers and law firms must ensure compliance with the HIPAA regulatory scheme.

Similar to covered entities, business associates are required to comply with the security rule, including implementing administrative, physical and technical safeguards; establishing policies and procedures; and complying with certain documentation requirements. As such, business associates must comply with the privacy rule’s requirements and are directly liable for the following:

Impermissible uses and disclosures;

• Failure to provide breach notification to the covered entity;

• Failure to provide access to a copy of electronic PHI to the covered entity, individual or individual’s designee (whichever is specified in the business associate agreement);

• Failure to disclose PHI as required for the government to investigate or determine the business associate’s compliance with the HIPAA rules; and

• Failure to provide an accounting of disclosures to the covered entity, individual or the individual’s designee (whichever is specified in the business associate agreement).

According to the Department of Health and Human Services, the Privacy Rule allows covered providers to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

As for the security rule, it mandates that business associates address the following areas about their required security risk management program: administrative safeguards; physical safeguards; and technical safeguards. Business associates must implement security measures to reduce risks and vulnerabilities. For example, one measure provided by the security rule is the identification of a security official who is responsible for the development and implementation of the policies and procedures required for the covered business associate. This individual designated by a law firm manages the implementation of security rule requirements and safeguards. Under HITECH, the government is required to conduct random audits of business associates to determine if they are complying with the privacy, security and breach notification rules of HIPAA. In the event this occurs, the security official will be the person the government initially speaks with.

As a business associate, a law firm must notify a covered entity if unsecured protected health information is breached, used, accessed, acquired, or disclosed in violation of the privacy or security rules.

How can lawyers and law firms ensure compliance as business associates?

Lawyers and law firms that represent covered entities as clients must comply with all relevant HIPAA regulations. As business associates, law firms must adhere with the requirements established by HIPAA including the required security risk management program consisting of administrative safeguards; physical safeguards; and technical safeguards.

First, administrative safeguards include implementing policies and procedures regarding security and confidentiality of PHI, training new and existing employees on security and protecting PHI, and adopting measures to identify and resolve security violations where individuals improperly access and/or disclose PHI. Second, physical safeguards such as facility access controls, secured floors, networks, offices and computers, security for work stations, and device and media controls should be implemented. Lastly, technical safeguards include computer access control, audit controls, data transmission security, secure password and encryption, network security, set up systems to automatically log off work stations, and assign unique user identifier to identify and track user activity.

What penalties stem from HIPAA violations?

Violations of an applicable HIPAA provision may result in civil and criminal penalties being imposed on the covered entity, the business associate or both. The penalty structure is tiered based on the knowledge a covered entity had of the violation. The tiers for violations are: 1) covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation; 2) the HIPAA violation had a reasonable cause and was not due to willful neglect; 3) the HIPAA violation was due to willful neglect but the violation was corrected within the required time period; 4) the HIPAA violation was due to willful neglect and was not corrected. The HHS Office for Civil Rights (OCR) will set the penalty based on a number of general factors and the seriousness of the HIPAA violation. The penalties for noncompliance are based on the level of culpability and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. The OCR has begun its Phase 2 HIPAA Audit Program to review the policies and procedures adopted and implemented by covered entities and their business associates regarding implementation of the privacy, security, and breach notification rules.

For example, in April 2016, the OCR reached a settlement in the amount of $755,000 with a North Carolina orthopedic clinic for failing to execute a BAA with a third-party vendor. OCR initiated its investigation after notification of a breach where the clinic disclosed PHI contained in X-rays to a third-party vendor. The clinic had orally agreed to allow this vendor to transfer X-ray images to electronic media in exchange for harvesting the silver from the X-ray films. Failing to execute a written BAA, the clinic gave the third-party vendor access to the PHI of 17,300 patients.

OCR and the clinic entered into a resolution agreement and corrective action plan that, in addition to the monetary payment, required the clinic to revise its business associates’ policies and procedures. This settlement highlights OCR’s efforts in investigating business associate relationships.

Practical takeaways

In light of this enforcement action and with Phase 2 HIPAA audits underway, law firms that qualify as business associates need to ensure compliance with HIPAA’s business associate provisions by reviewing current business associate relationships and executing written agreements (if not already in place) and by reviewing current policies and procedures related to business associates to ensure there are individuals who are monitoring, negotiating and documenting business associate relationships. As Martindale.com reported, (“New HIPAA Requirements for Business Associates and Their Subcontractors,” published Feb. 8, 2013,) law firms also need to perform a risk assessment to identify vulnerabilities or weaknesses in HIPAA compliance; implement appropriate administrative, physical and technical safeguards to address those vulnerabilities; develop and implement policies, procedures and forms addressing privacy and security obligations; and develop a template business associate agreement to use with covered entities.•

Mr. Malone is an attorney with Hall Render Killian Heath & Lyman and is a member of the DTCI Health Law Litigation Section. This article is educational in nature and is not intended as legal advice. The opinions expressed in this article are those of the author.