HIPAA, HITECH, BAAs and the Law: Concerns and Best Practices

HIPAA, HITECH, BAAs and the Law: Concerns and Best Practices

September 27, 2011 2:00 pm

(Save to cal)


This webinar discusses the legal implications of HIPAA, HITECH, and BAAs and their impact on IT Infrastructure and those who support it. 

Tuesday 9.27.11 @ 2PM ET

Moderated by April Sage, Marketing Director of Online Tech, with special guest speaker Tatiana Melnik of Dickinson Wright law firm.

Tatiana Melnik, Attorney, Dickinson Wright PLLC


Tatiana Melnik is an attorney with the Dickinson Wright law firm where her practice focuses on information technology, healthcare information technology, intellectual property and privacy issues. Ms. Melnik sits on the Michigan Bar Information Technology Law Council, the Automation Alley Information Technology Committee, and is a Managing Editor of the Nanotechnology Law & Business Journal. Ms. Melnik holds a JD from the University of Michigan Law School, and a BS in Information Systems and BBA in International Business, both from the University of North Florida. Ms. Melnik regularly writes and speaks on issues surrounding healthcare information technology. Ms. Melnik will be speaking at the 2011 HIMSS Fall Technology Conference in Indianapolis on Social Media and Healthcare.

To contact:
Email: tmelnik@dickinsonwright.com
Phone: (734) 623-1713

View Slides




April Sage: Hello everyone, this is April Sage with Online Tech. We want to thank you all for joining us today. I want to introduce Tatiana Melnik who will be joining us today. She will be sharing her expertise in the legal implications of HIPAA, HITECH, and Business Associate Agreements (BBAs). Tatiana, welcome!

Tatiana Melnik: Thank you so much for having me. Its great to be here.

April: We have had a fantastic response from this topic. We know that a lot of people are really concerned. We also know of there being a lot of confusion as well.

Can you assess the framework for me and tell us a little about what's HIPAA? What's HITECH? Could you make some sense of this "alphabet soup" and tell how we got to where we are today?

Tatiana: Sure. To give a quick background of it all, let's start with HIPAA. HIPAA stands for the Health Portability and Accountability Act. It was passed in 1996 and it was passed to protect patients health information, treatment information and anything associated with their medical records. Anybody that has ever been to the doctor obviously shares information with their doctor that they would consider private and they would not want that information to be disclosed to anyone else.

HIPAA was passed in order to put in certain requirements to protect "protected health information. There is a definition for protected health information, which means individually identifiable health information that is:

  1. Transmitted by electronic media.
  2. Maintained in electronic media.
  3. Transmitted or maintained in any other form or medium.

There are certain exceptions for education and employment records, but it covers most medical records out there today. HIPAA also applies to "covered entities" as well.

April: What is a covered entity Tatiana?

Tatiana: Covered entities are broadly speaking a health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connections with a transactions covered by this subchapter. This could literally mean anyone who touches or deals with health information.

April: So this would definitely fall under doctors' offices and hospitals, but this could also include anyone who writes software or anyone in the Health IT industry that's involved with record storage or record backup, whether it's hard copy or digital copy?

Tatiana: Absolutely. The key point with figuring out whether or not you are subject to HIPAA and HITECH is whether or not you have access and or obtain medical records or medical-related data. For example, if you're a software developer and you develop personal health record software where you process any sort of medical records, you're covered. You are required to either be a BAA or a covered entity, and with that you are subject to the requirements of HIPAA or HITECH. Before we go any further, I would also like to go over HITECH for those who don't know what that means.

HITECH stands for the Health Information Technology for Economic and Clinical Health. HITECH was passed in 2009 and it passed in large part due to the government's planning to help better monitor and improve the health care industry. Most companies have already gone into using Information Technology systems and services to process data faster, save money, and to do a ton of great things.

The Health Care Industry - while it has made some strides, seems to be lacking in this category, which is why the government stepped in to help. A concern, however, when adopting new technology, is the release of medical records being online and there is a chance of that information being released on the Internet. I don't want my medical records online for the world, and I'm sure neither do you. Part of this was to protect patients because Congress believed that ONC and the Department of Health and Human Services specifically was not enforcing HIPAA the way it should be. They weren't really fining people for violations, they weren't filing investigations as they should have been doing, etc... So, to alleviate the scare of the general public's medical records being released in electronic form, they put in very stringent breach notification requirements.

April: And so what has been the result of the HITECH act? I've noticed that we have been seeing a lot of news about data breaches involving health related information and news about a lot of fines as well. It seems like HITECH has been a gamechanger in terms of responsibility and what could actually and what can translate into accountability.

Tatiana: Absolutely. That's a really great assessment of the implications of HITECH. Another point to bring up here as well - as of September 26, 2011, 330 reports have been filed with ONC. Part of HITECH is a mandatory notification to the Secretary of Health and Human Services if a breach affects more than 500 people. Going off of this fact, more than 11 million records were affected in these 330 reports. This fact too, by the way, is going off of the implementation of this concept, which was put into play only a year ago.

You can just imagine what was happening before this was implemented. As a result of all of these notices, you had several Attorney Generals institute actions against these companies. Under HITECH, state Attorney Generals (not just the Secretary) have the power to sue companies and get monetary compensation for the victims of the breach. This has happened in states such as Connecticut, Massachusetts and several other states. We expect as times get tougher and states are looking for more money, it's just gonna be more reason to go after these companies where these breaches occur.

April: So it's no wonder why people are extra worried about security and their own responsibility. We see that across the industry where companies want to know where they are liable in that regard with medical-related data.

Tatiana: Yes. Its also because once you ask for that disclosure when something bad happens, everyone starts to come out of the woodwork. You do have certain liabilities as a covered entity and as a business associate. As a business associate, you have to report breaches to the covered entity. As the covered entity, then its your responsibility to investigate and notify the Secretary if necessary. The biggest issue under HITECH isn't necessarily the fact that you have to use an entity to report to a Secretary.

For example, you go online, you fill out a piece of paper and you're done; it's the fact that now you may have to notify all of the individuals that were affected. You'll have to send out notices to the victims in the state and that could be 30-40 states. Each state has their own different kind of requirements. Then, if the Secretary does decide "Hey, you've done something wrong" and they come to investigate your company, you'll comply with all of that as well. That can be a very expensive undertaking.

That doesn't mean you have to be concerned that someone may sue you. It's pretty much a given that somebody will. If and when that happens and the Secretary is notified of it, the standard practice is that you comply, get audited, and report to them for an additional 3 years. So those are additional obligations that you'll need to undertake.

April: So now we are talking about huge expense in terms of time, energy, and obviously money?

Tatiana: Yes, that's correct.

April: So I know you touched on some examples of companies who are subject to HIPAA and HITECH. I think an interesting question would be to look at the opposite spectrum and ask is there anyone who is not responsible for HIPAA or protected health information if they come into contact with it?

Tatiana: Yes. Even being a nurse, you still have breach circumstances. Let's say you access medical records from an individual that's not your patient. If Britney Spears is in my hospital and I want to know why she is in my hospital, if I access her medical records and I don't treat her or I'm not apart of her medical team, that's a breach.

In more directly towards your question, organizations who do not actually process the data are not subject. However, in light of the concern of breach notification requirements, organizations who trust other entities or businesses to store or process their data where they're not necessarily accessing protected health information will request a BAA because they are so terrified that something will happen and they won't have proper notice.

April: So what is a reasonable expectation for a hospital, organization or physician's office to expect when they're working with their vendors. Are all of the vendors also required to be HIPAA Compliant? Should it be the norm that a BAA is always signed?

Tatiana: It really depends on what the organization is doing for you. For example, if I'm a hospital and I have janitors on my staff, in their job description, there should be no reason why they should have access to protected health information. Nonetheless, I'm going to say that they are with the patients and they interact with them, which in my mind makes them subject. Even though you are not doing anything with the data, you are still there and could have access to that information.

In most organizations, they are going to require that a BAA be signed. Whether or not that's the right thing, that's arguable.

April: What we've also been hearing about is encryption for either storage, transmittal and processing. Is encryption a requirement of HIPAA or HITECH?

Tatiana: It's not. The HIPAA rules are actually quite flexible in how you can implement them. They are very specific in the kinds of things that you will have to do. For example, you HAVE to do a Risk Analysis, you HAVE to implement policies and procedures, you HAVE to train your employees. The means that you have to do that is up to the company and they do that because they recognize that not everyone is a multi-million dollar entity and has the resources to train their employees and apply policies and procedures. It gives them a certain sense of flexibility when going through the process.

However, under the breach notification requirement, you (as the covered entity or BAA) are automatically subjected to those notification requirements as the data is unencrypted. The Secretary of Health and Human Services provides guidance as to how the data is supposed to be encrypted.

April: So it sounds like it's evolving as a standard that is best practiced?

Tatiana: Yes, absolutely. There is a requirement as well. The Secretary of Health and Human Services does set forth certain requirements that you have to follow to encrypt the data. The National Institute of Standards and Technology sets forth certain standards and has guidance available as well. Not all data can be encrypted though. Paper data, for example, can't be encrypted, so your best option for that is to have a locked door where the paper data is stored, or not have it at all.

April: Let's go back to understanding some of the implication and risks personally and professionally of exposing personal health information. You mentioned earlier that even a cleaning service could be subject and responsible for any type of data exposure and aside from the cost of doing business, everyone is requiring a BAA to be signed. What are the risks in terms of fines or personal and professional liability?

Tatiana: Initially, you do have to put into effect the cost of entering into the transaction. You'll also need to negotiate the BAA. There's always going to be entities that say "We are not subject to this, we are not going to sign anything." If you believe that they are subject to this and they are not willing to sign anything, do yourself a favor and don't do business with them because in the end, your agreement is what protects you. You go and look at the identity provision and the risk provisions and find out who's paying for what. That's the point of having that agreement in place.

Aside from just the actual contracting costs, if there's a breach, you have to notify the individual. This could look really bad because now you have lost trust with your consumers and let's say that the breach affected more than 250,000 records - then you're going to have to go on a press campaign to make sure that everyone is notified of the breach. With this, it's very difficult to fix your image after something as catastrophic as this entails. There have been examples of certain entities that have had multiple breaches in a year. Within three months apart, they lost a laptop and had a server stolen. With that, now you have back to back consumers telling them of another breach. This will look really bad and it'll just get harder and harder to fix your image towards consumers.

Also depending on what happened, whether it was the fault of a doctor or a nurse, it can get reported to the licensing board depending on what has happened. There have been instances where doctors and nurses have been reported. There was an example of this in Minnesota where nurses took pictures of a patient and put them up on Facebook and they got reported to the state licensing agency because that's a violation of someone's privacy.

In terms of actual penalties, they can get pretty high. It's really important that you as a business owner that you are educated of your obligations under HIPAA. For example, if you are under certain obligations under HIPAA and you don't train your staff, it's very easy to say that's willful neglect. Willful Neglect gets you into a minimum penalty of $10,000 and a maximum penalty of $250,000. I would like to know the last time the government gave a penalty of $10,000. You are not going to be paying that minimum amount. You will be paying more towards the maximum amount because that's how you'll learn your lesson.

April: So Willful Neglect means that the company was aware of some issue and they had not done their due dilligence to address it?

Tatiana: That's right. It's very difficult to say in the times we live now that you "didn't know." With the media attention on HIPAA, HITECH, and healthcare in general, its difficult to say as a business owner that you were not subject to these obligations.

April: And it seems like someone who is interested in minimizing their liabilities is going to follow through the processess of due dilligence on a BAA and on data encryption just to limit their liability should something go wrong?

Tatiana: Absolutely, and that's really the best protection to just follow the rules. If you have a policy in place and if you can show that you train your employees on a regular basis. There are specific requirements for training. You may do your periodic 6 months to 1 year depending on how your organization does things, then you'll have some rogue employee that's like "Hey, TMZ would really like this information of Britney Spears. I should sell that!"

Even though this may happen, you will not be held to the same extent as an organization that just did nothing about it and says "We don't care." They are going to come in and investigate and find out that this really was a rogue employee. They're doing everything they can and honestly there is just nothing you can do to protect against employees who do bad things. If you are doing everything you can, that certainly does get recognized.

April: So companies who are involved in Health IT are presumably going to do everything they can to encrypt their data and keep things secure and always available, but things still might go wrong. Is there insurance that will protect companies against violations of secure data?

Tatiana: There is insurance that at the moment is on the expensive side because its a relatively new area. So insurance companies are still trying to get a grip on how much these kinds of expenses are going to cost. There isn't going to be insurance to cover you for your willful violation. If you get a fine from the government, to my knowledge, there is no insurance that will cover that in light of that being the punishment because if you don't feel the punishment, then why would you not do it again?

April: So it sounds like you also have a responsibility to communicate these policies to everyone? It's on the company to make sure EVERYONE is well informed.

Tatiana: Absolutely. It is very important that employees are trained and that after training, they sign some sort of certificate or document saying that I completed this training and I'm up-to-date on current standards and procedures in the industry.

April: So what are the 3 most important things that a company should do to meet the obligations under HIPAA and HITECH? What do you recommend?


  1. Know Your Requirements. Know whether or not you are subject to it and know the level and extent as to where you are subjected to it. Not every organization has to do the same stuff. For example, if you don't have paper records, then you don't have to worry about it. If you don't have electronic records, you don't have to worry about it.
  2. Have Policies And Procedures In Place.
  3. Make Sure You Have Those Agreements in Place.

I cannot overemphasize this. I always see people going into these relationships without having contracts in place. A contact really is your best friend in these situations. It doesn't have to be complicated or shell out every single detail, but you do need to shell out "Hey, you as a Business Associate or a Sub- Contractor, you need to tell me within a certain number days that there was a breach." You need to set out those parameters because if you don't and if you find out later that there was a problem, it looks much worse.

April: With the stakes as high as they are, it sounds like you want to do everything in your power to get the communication early and make sure everyone is on the same page.

Tatiana: Yes. Again, TRAINING. TRAINING. TRAINING. Keep in mind that the Department of Health and Human Services is not trying to put you out of business, but put yourself in your patients' shoes or whose information you are storing. Would you want your information released? You'd like to know that the company holding the information are doing what they can to protect it. You have to realize that you are transferring and processing people's private data.

April: So going off of the last question. What are the 3 things that companies SHOULDN'T do and make sure they avoid at all costs?

  1. Committing Breaches. Living in the digital age, its almost unavoidable that a breach will occur. The most important thing to do is to have a plan to be ready in case something like this happens.
  2. Do Not Ever Write Policies And Procedures That Do Not Actually Affect What You Do. If you currently have policies and procedures in place that have nothing to do with what you do, that's bad. That's being willfully negligent right there in a nutshell.
  3. If The Department Of Health And Human Services Calls You, Please Answer The Phone. Do not ignore their calls. They will not go away. The only reason why I bring this up is that not too long ago, there was a company that actually did that and became the first company to pick up a fine. Their fine was $1.3 million for the actual violation, and almost $3 million for ignoring the calls from Health and Human Services. So take that as a lesson and don't ignore their calls. Again, they are not trying to put you out of business, they are pretty reasonable people, you just have to answer the phone.

April: So now we are going to open the floor to other questions from our Webinar Guests. Also if you have any questions with anything, feel free to email contactot@onlinetech.com for any other questions. We will help you the best we can or get you in contact with someone who will be able to.

April: Are Insurance Agents and Brokers covered?

Tatiana: It depends on the kind of insurance they are providing. If they are providing Auto insurance, probably not. If its any sort of Healthcare insurance, absolutely.

April: Is there any good resource for free templates of policies and procedures?

Tatiana: No, but if you send me an email, I will send you some links for some places that do provide their policies and procedures that you can use as a model.

Again, make sure that whatever you adopt, you read and double check it to make sure it actually conforms to what you do as a company.

April: So it goes back to just making sure that any policy or procedure you have in place is directly relevant to what happens in your company?

Tatiana: Yes. I know that these models do definitely help in getting started with the process. There are also plenty of resources on University sites. I know for example Yale and the University of California do post their information online and if you email me, I can give you the links to these as well.

April: Great! Thank you. What's a reasonable amount to expect to pay for a Risk Assessment or a HIPAA Audit?

Tatiana: It's hard for me to gauge that question because it really depends on who you are hiring. There are many consultants who will provide these services for as low as $500 to upwards of $5,000-$10,000 if you want the in-house training, all of the policies and procedures drafted up for you, and if you need any other additional services. A lot of attorneys also provide those services, so then it depends on what plans they have available because a lot of law firms will have a package deal available for services similar to that.

April: Sounds like you'll need to check around and find out what your options are.

Tatiana: You really do. You should contact numerous organizations and see what they're charging because this market at the moment is VERY competitive and you can definitely find a good deal.

April: Who should be responsible in a Healthcare organization for monitoring HIPAA? Should it be those primarily involved in Compliance? HR? Legal? IT? Everybody?

Tatiana: Actually, there is a requirement under HIPAA that each organization have a privacy officer. That is the person that is supposed to be in charge of monitoring these types of things. For example, if you are an organization that deals with HIPAA and you see patients, you are supposed to offer them a notice of privacy practices. It's best for organizations to appoint 1 individual to monitor these types of developments because if you have multiple people, it gets very confusing.

April: Are there any special responsibilities that I need to be aware of as a Technical Writer for a Healthcare organization?

Tatiana: As a Technical Writer, you probably don't have access to protected health information. If you do, you are under the same obligations as anyone else who has access to that information. If you are in the hospital for example, again you are subject to the same stuff, but to the extent you don't have any access to anything PHI or are dealing with anything PHI related, then you have no obligation.

April: Does HIPAA or HITECH affect financial institutions as well?

Tatiana: Financial institutions have their own requirements. They are actually subject to multiple things. If you thought healthcare was regulated, the  financial sector is a whole new can of worms. So you're generally not going to be affected because the financial sector has its own requirements.

April: What's the best way to handle PHI in email?

Tatiana: Don't do it. Email is not a secure form of communication. Unless you're sending encrypted email, you should not do it whatsoever.

April: Recently Rite-Aid Drug Stores was fined over $1 million dollars for throwing away pill bottles and records without shredding any of it. The patient data ended up falling into the wrong hands. What methods do medical field clients need to take to protect the data such as in hard drives, USBs, and printouts?

Tatiana: Take a look at the new standards. There are actual requirements for what you're supposed to do in best practices. Those are the ones that are outlined and approved by the Secretary. Those are the ones you should look at. There are specific regulations for Data at Rest, Data in Motion, and Electronic Media.

April: Could you comment on the importance of Two-Factor Authentication for accessing Web-Based Applications that contain PHI?

Tatiana: My first thought would be to make sure it complies with its requirements and I believe that Two-Factor Authentication does in fact comply. The other issue I have with it is where is that other data stored? Where are you going to access that data? A lot of times you'll have situations where you'll have all of these protections on the front-end, but you are using shared hosting. For example, there is no barrier between your account and another account. My initial reaction, I think Two-Factor Authentication is a great framework, but make sure that you're not depending on it as the only way to secure your data.

April: Last question about software vendors outsourcing their data to a data center. Are both the vendors and the data center operators responsible for protecting that data and do each of them need seperate policies and procedures?

Tatiana: If they're handling data for Healthcare clients, yes. You'll need different policies and procedures based on the different roles.

April: So everyone needs their own specific policies and procedures that speak to their own business processes?

Tatiana: Right. In that situation if one organization is playing two roles, yes you should have different policies and procedures for the different roles. If you have two different organizations and one is outsourcing and other is receving the data, yes they should have policies and procedures in place as well.

Also, I would like to note that its not clear that a company like Online Tech are actually subject to the requirements of HIPAA. Microsoft, for example, has taken a position that they are not subject to HIPAA. However, recognizing that people are concerned about that using their service, they do actually sign a BAA.

April: Well thank you so much Tatiana. We have learned a lot of useful information and we thank you for taking the time out to be here and answer all of these questions for us.

Tatiana: Thank you so much for having me and thanks to everyone who attended.

Back to Top

Webinars    |    Online

Get started now. Exceptional service awaits.