This webinar exceeded the limit of live attendees. For those unable to join today's webinar, we sincerely apologize. Please send any follow up questions to firstname.lastname@example.org and we will make sure to forward them on to Brian Balow for follow up.
Going to HIMSS 2013? Look for Brian’s presentation Wednesday morning, or pick up his business card at Online Tech’s booth #1369.
Here is a link to the slides and the recording is posted below. Thank you for your patience.
Brian Balow of the Dickinson Wright law firm discusses how the latest HIPAA modifications affect the healthcare industry and healthcare vendors.
Title: No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules
When: Thursday, January 31, 2013 from 2-3 PM ET
Description: On January 17, 2013, the Department of Health and Human Services released its long-anticipated modifications to the Privacy, Security, Enforcement, and Breach Notification Rules under HIPAA/HITECH.
These modifications leave no doubt that covered entities, business associates, and their subcontractors must understand the application of these Rules to their operations, and must take steps to ensure compliance with these Rules in order to avoid liability.
The webinar discusses the modifications, their impact on covered entities, business associates, and subcontractors, and mechanisms for minimizing the risk of HIPAA liability.
April: Hi, everyone! Thanks so much for joining us for today’s webinar. This is April Sage from Online Tech, and I have the pleasure of welcoming back Brian Balow. Brian is a member with the Dickinson Wright Law Firm with extensive experience in the areas of information technology, healthcare law, and intellectual property. Brian has spoken at many health IT events relating to FDA regulations, HIPAA privacy and security, mobile device security, and implications of privacy and security in a BYOD environment.
Today, Brian joins us to talk about the implications of the new Final HIPAA Privacy and Security rules released from HHS. Brian, thanks so much for giving us an update and joining us today.
Brian: Thank you, April. I’m pleased to be here as always and appreciate the opportunity to speak today. I was talking to one of my colleagues when this came out. It was sort of like Christmas morning with a big, big gift under the tree, and you open it, and it’s got 562 parts. You got to go through the pain of actually putting it all together. We’ve been doing that steadily since the release on January 17th. I’m not going to say that I’ve read every single page of the 562, but I will tell the audience that I have read all of the portions about which I’m going to speak today.
That was valuable for me. It would be of value if you’re very interested in this area. It is valuable to read the commentary because the title of the presentation today is “No Excuses”. Part of it really was derived from a lot of the commentary in effect that I read in there. There were a lot of comments in my view that were submitted, that were seeking I guess some forms of absolution from HHS, and maybe some leniency in certain areas, and particularly as the final rule was being crafted as it pertains to business associates. They really weren’t giving in. HHS really did not really give in much, and the comments speak to that. That’s really how I came by the title for today’s presentation.
If you’ll bear with me for one minute, I’m just going to read a couple of those comments, and I will get into the bulk of the presentation regarding questions as to whether the satisfactory assurances requirement imposed on covered entities B2B business associates have business associates now be the B2B sub-contractors.
There were some requests I guess that there be some, that they take into account, that their cost of compliance for business associates arising from direct application of its security rule that maybe there ought to be some leniency, but the response was that effectively imposing the security rule requirements on business associates now was no different than what should have been happening previously under business associate agreements with covered entities. Consequently, and this is quoting from the commentary now, business associates and subcontractors should already have in place security practices that either comply with its security rule or that require only modest improvements to come into compliance with the security rule requirement.
It’s clear that the expectation was after the promulgation of the interim rule that HHS felt that the business associate community should have been doing what they need to do to comply with the security rule even though it didn’t directly apply to them at that time. With that, I’ll turn to the slides now.
The final rule was released on January 17th. It’s effective on March 26th of 2013, but covered entities and business associates are granted an additional 180-day period beyond that effective date to comply with most of the Final Rules’ provisions.
Brian: Today, we’re going to discuss the privacy rule changes, the security rule, the breach notification rule, and the enforcement rule.
What we are not going to discuss today in the interest of time, and because I haven’t focused on these yet, are the marketing provisions that are contained within the privacy rule of required updates, the notices of privacy policies, which I know is of interest to those of you representing covered entities, individual’s rights under privacy rule, and the GINA provisions. Those are outside of the scope of today’s presentation.
I wanted to start out with some general matters that are at the front of the Final Rule and speak to this for a minute. First of all, patient safety organizations are now included within the definition of business associates. Secondly, HIOs, health information organizations, e-prescribing gateways and others that facilitate electronic protected health information transmission also can be business associates. I think this is an interesting point because there are a number of health information exchanges out there now, and I know there’s been some question as to whether they qualify as business associates. The reading of the rule now is if they access PHI on a routine basis and not merely as a conduit, they can in fact become a business associate. It is a factual enquiry.
Personal health record vendors can be business associates if they offer those personal health records to individuals on behalf of a covered entity. Again, that affects specific inquiry. Sub-contractors to a covered entity can be business associates to the extent that they require access to PHI. We will speak to this again later on in the presentation, but a covered entity must gain satisfactory assurances of compliance required by the rules from its business associates; and then the business associates in turn have to obtain the same from the sub-contractors. Again, to the extent that they require access to PHI. PHI that is stored.
This is interesting, too, and I think should be paid attention to in terms of policies and procedures. A PHI that is stored whether intentionally or not, in photocopy or facsimile and other devices, is subject to the Privacy and Security Rules. Keep that in mind. I think many of us have known that for some time, but I think it can be an overlooked aspect of a policy and the safeguards.
Brian: With respect to the privacy rule, the changes and the confirmations and clarifications contained in the Final Rule, the first is that it confirms, and then this is critical, and we all knew this is coming, but it does finally confirm that a business associate does have direct liability for specific provisions of the privacy rule. They are not directly liable for other privacy rule provisions.
For example, providing a notice of privacy practice unless it’s delegated to the business associate under a business associate agreement; but for the most part, if you are a business associate, you should operate under the assumption of this point that you are directly liable under the privacy rule. You need to know what you can and what you cannot do with PHI and make sure that you have the policies and procedures in place to ensure that you are adhering to that.
A business associate can, and this is expressed in the Final Rule, use PHI for proper management and administration of the business associate and to provide data aggregation services to a covered entity. That is an authorized use of PHI by a business associate. As was mentioned just previously, a business associate must enter into a business associate agreement, style agreement with its subcontractor prior to disclosing PHI. Again, it’s that a concept of a flow down from a covered entity to the business associate, then from the business associate down to the subcontractor.
Covered entities need no longer report an unsecured breach by a business associate of its obligations under a business associate agreement, under the interim rule. There was a requirement of reporting those unsecured breaches. If the business associate agreement was not terminated, there was a requirement to report that to the secretary. That’s no longer the case. The business associate must attempt to secure a subcontractor’s breach of satisfactory assurance type obligations, which is parallel to the covered entity obligations. This would be of business associates. Again, there’s this concept of, from covered entity to business associate then down to subcontractor, flowing that through the chain of agreements.
What are the required changes to business associate agreements? This is critical probably for most of you on this call. The agreements now must have provisions that indicate that the business associate must comply where applicable with the security rule regarding electronic personal health information. We’ll speak to the security rule in a minute here.
The business associate must report breaches of unsecured PHI to the covered entity. That now has to be in the business associate agreement that’s required of the covered entity. The business associate must flow down satisfactory assurance provisions to the subcontractors. Again, the covered entity’s agreement with the business associate has to have a provision in it that requires the business associate to flow down those provisions to its subcontractors, the business associate’s subcontractors.
If a privacy rule requirement that does not, by the rule, apply directly to a business associate if it’s delegated to that business associate under agreement with a covered entity. The business associate agreement has to provide that the business associate is liable to the covered entity if the business associate breaches that pertinent privacy rule requirement. It does not create direct business associate liability. However, again, those are only to find elements of the privacy rule that pertains specifically to business associates.
With respect to the security rule and similar to the privacy rule and critical to business associates, the security rule’s administrative, physical and technical safeguard requirements, as well as the rules policies and procedures and documentation requirements, now apply to business associates in the same manner as they applied to covered entities; and business associates will be severely and criminally liable for violations. Again, that last part is from the commentary in the Final Rule and they really are not giving any leeway on this for a business associate.
Brian: Now, having worked in the area over the last few years and having interacted with covered entities and with business associates, I know that there has been a lot of hand-wringing and a lot of concern on the part of especially the smaller business associates that requiring them to adhere to the requirements of the security rule would be unduly burdensome both in terms of shared cost, but the basic administrative requirements that it would place on them.
I think that while that’s maybe a fair concern with respect to a very limited number of business associates, with the resources that OCR has provided on its website and will continue to provide on its website, and the guidance that it has provided, I think that the argument is getting more and more difficult to make. If you, at HHS anyway and OCR, is that, look, you really have a couple of years to get your house in order. We’re now coming out and telling you that we need it once and for all, and we’re going to give you, even an additional 180 days from the effective date of this, which is the end of March, to make sure that you got it done.
I think the view is that if a business associate is not prepared to do that and perhaps they should operate in a different market, as harsh as that sounds. Most of us on this call also are aware of the more active enforcement activity by the OCR. That’s no secret. We’re also aware of the enforcement activities by the State Attorneys General. If you got your head in the sand at all up to this point, or just sort of whistling in the dark hoping this might go away, I think that time has passed. It really is time to pay attention to this; and if your house is not in order, to start down that path.
The second point here is that it’s the business associate’s, and not the covered entity’s obligation, again, to obtain the satisfactory assurances from a subcontractor regarding protection of electronic protected health information, again, to the extent that it’s being shared with a subcontractor; and finally allows that … Formally required but [inaudible 00:15:43] business associate agreement provisions are no longer required.
There was some overlap in terms of the business associate agreement provisions that were required under the privacy rule and security rule, and the Final Rule makes clear of it. You don’t have to do to pay those provisions since they apply equally to a business associate. It only needed to be stated once.
April: Brian, can I ask a question from the audience at this point?
April: The Rule says that business associates must report breaches to the covered entity, but the preamble says that subcontractors who are business associates must report breaches to the business associate with which it has a direct relationship. Should we interpret the rule as meaning what the preamble says it means?
Brian: That’s how I would interpret it. Again, there’s this concept of a stepped relationship from the covered entity to the business associate, from the business associate to the subcontractor. We are going to talk about the breach notification requirements later on in the presentation, but the obligation is on, clearly on the business associate to notify the covered entity. The timeframe for the covered entity then to the report based off of that starts when it receives its report from the business associate of the breach. That’s how I would interpret it. Again, everything that I read on the Final Rule clearly lines this up as a step to a relationship.
April: Okay. Thanks, Brian.
Brian: We are now going to speak to the breach notification Rule. The first key part of this, this is the definition of breach. This is maybe the one area where I saw the biggest modification take place from the interim Final Rule. What it is, is really a move away from the risk of harm standard that had been in place previously in terms of evaluating whether in fact there had been a reportable breach of PHI.
The standard now under the final rule is that a breach is considered … an impermissible use or disclosure of PHI and is presumed to be a breach unless the covered entity or the business associate can demonstrate a “low probability” that PHI was, should say, compromised. Again, this is a move away from the risk of harm standard that had been in place previously.
The commentary indicates that there was concern that the risk of harm standard was too subjective. The desire on the part of HHS, and I think many of the commenters, was that there be a more objective standard. In fact many of the commenters were really looking for what they term a ‘bright line’ rule, or even a sort of strict liability rule, where there really wasn’t any analysis to be done on the part of either the covered entity or the business associate as concern the level or the concern circulating around the breach, but simply if there was a known disclosure of PHI that it would have to be reported.
However, HHS did not agree with that. A review of the comments did not agree with it. They decided though that they’ll try to move to a more objective standard. What it requires is that a covered entity or a business associate conducts a risk assessment to determine if PHI was in fact compromised.
What’s involved in that risk assessment? There are four factors that HHS requires to be examined. The first is the nature and extent of the PHI involved including the identifiers that were in the PHI and the likelihood of re-identification. Clearly they want the CE or the BA to take a look at exactly what was disclosed. Look at the data sets. Looking at those data sets is, what’s the risk that someone could take that information and glean who it belongs to, use the information for some improper purpose. That’s the first factor to look at is again the nature and extent of the PHI involved.
The second factor is considered the recipient of the information. In assessing whether in fact the PHI is compromised, who is it? Who is the unauthorized disclosee of the information? The commentary speaks to … if it’s someone who’s already got independent HIPAA obligations with respect to handling PHI, then in a case like that, perhaps it’s a low probability that it will be compromised to that PHI. On the other hand, if it gets into the hands of someone who clearly would have a nefarious purpose for obtaining that PHI, then that is not a low probability.
The commentary also speaks to examining whether the person, unauthorized disclosee of the information have the capability or the capacity to re-identify using what they obtained and be able to use what they’ve obtained to really gather more information about the person to whom the PHI belongs. That’s the second factor.
The third factor is, was the PHI actually acquired or viewed. It’s a critical issue obviously, and I think much of this tracks for those of us who work generally in privacy and data security. This is tracking in many ways the kind of analysis that’s done under state data breach notification laws. Was the PHI actually acquired or viewed.
I think often times, there is this presumption that it must have been, but this is really an opportunity for covered entity or business associate to take a look at the circumstances and determine was this in fact the case. Then the fourth factor is the extent to which the risk has been mitigated.
If a breach is caught early on in the process, and an example I think that was given is if, as some of us may have done once or twice in our professional careers, if you happen to send an email containing information in it to the wrong addressee, and you immediately either email or pick up the phone and call that addressee and say, “Hey, I inadvertently sent you an email containing certain information, or fax or anything like that; and it really wasn’t intended for you. Would you do me a favor and delete it and confirm back to me?” That’s an example that’s given where you can pretty quickly mitigate the risk associated with an unauthorized disclosure.
Again, what are we looking at when we do this risk assessment? What we’re really looking at is, again, was there a “breach” for purposes of the breach notification requirements under the final rule?
The obligation is for the covered entity or the business associate to go through this. There is commentary in the final rules speaking to the HA, the Secretary’s expectation that covered entities and business associates will conduct these risk assessments in good faith, and won’t try to reach conclusions; won’t try to, for example, have an end conclusion they want to get to and try to back into that in the way that they conduct the risk assessment.
There were some comments that were brought forward about: should there be a requirement that a business associate or covered entity engage an independent outside consultant to perform its risk assessment? The HHS indicated in a rule that’s not required because, again, the expectation is that this will be done in good faith. They will be documented properly, and therefore can be sustained if there’s an investigation into the risk assessment.
Brian: What’s required with respect to notification in individuals? The first element of this is defining what it means to discover the breach. That’s not defined as when the covered entity knew or by exercising reasonable diligence would have known .. would have been known to any person other than the person committing the breach, who was a workforce member or agent of CE. The test is, at what point if someone who is a workforce member or an agent of a covered entity using reasonable diligence would have known of the breach? That’s the point at which it’s discovered either when it’s known or really when it should have been known through the exercise of reasonable diligence.
The timeliness then of a notification is without unreasonable delay, but not more than 60 days after the date on which it is discovered. They retained the law enforcement delay exception so that if you have a circumstance where you think there’s been an unauthorized or a breach of PHI, and you go to your local law enforcement to disclose it. They ask that you not do anything in terms of reaching out to the affected individuals while they conduct an investigation. You can delay the notification to the individuals.
What needs to be in the notification is what happened, when it happened, and when it was discovered. Again, using the definition of discovery, “a description of the compromised PHI”. Let them know what was disclosed; the steps that they should take … the affected individual should take to mitigate the effects; the potential effects of that disclosure.
For example, in the case where billing information was disclosed. There might be credit card information in there notifying the appropriate credit card companies and credit reporting authorities. Then the steps the covered entity is taking to mitigate the risk and to investigate; and contact information where the affected individuals can get more information, toll free numbers, email addresses or information on a website where they can, again, get direct contact with a covered entity.
April: Brian, we had a question near and dear to you, which was, How are law firms affected by these rules if they are representing hospitals or healthcare organizations?
Brian: We are affected by it and that’s a very good question, and in fact we just had a discussion about that internally. We are affected if we’re acting as a business associate. It’s interesting to me because I think that one of the questions that get lost in all of these, the HIPAA Privacy and Security Rule is that definition of business associates. I should know it now, off the top of my head. I don’t, I in fact have in a Word document that I pull up when I need to refer to it, but the point that I’m getting at is just because someone has a relationship with the covered entity doesn’t necessarily mean they’re acting as a business associate. There does need to be, obviously, there does need to be access to PHI.
It also needs to be a relationship where there’s access to PHI that’s not for one of the authorized purposes, such as the treatment of a patient. Obviously law firms are not involved in treating patients, or we’d all be in trouble, but the point is, it does affect the law firm if we are receiving PHI from our clients. In doing so, performing services for that covered entity that fall under the definition of a business associate. It does affect us.
Now, my point internally in our firm is, we should not be shy about having that discussion with our covered entity clients. I don’t think it’s a business associate’s position to have a formed business associate agreement in the relationship because it is a covered entity’s obligation to be sure they have a BAA in place where it’s required; but we should be open and have the discussion with our clients. Do they feel that it’s necessary? Are we going to be obtaining information in a manner that would require us to sign up a business associate agreement? Okay?
April: Great. Thanks, Brian.
Brian: The second notification issue is, if there is a breach, is the notification of media, which is the one that everyone fears I think the most, and for good reason. First of all, we’re talking about a breach that involves unsecured PHI. At this juncture, I really should back up and speak to a fundamental issue on all of this. Again, I think it’s one that sometimes gets overlooked. Maybe not, but I think it does get overlooked, and that’s … let’s all keep in mind that the breach notification obligations at least as it relates to electronic protected health information only pertain if it’s not encrypted.
If you have any level of sophistication in your organization and you have already done so, I would really encourage you to look at putting in place encryption that conforms with the standards that have been put out by the Secretary. You can find those on the OCR website. I mean, they’re easy to find. I think this was involved in creating those encryption standards, but there are a lot of providers out there, and it’s not a costly proposition to put in place, a program for encryption. If you’ve done that, then you don’t have to worry about, at least as it pertains to electronic PHI. You don’t have to worry about breach notification.
Notification of media: it pertains to unsecured PHI we just talked about. There have to be 500 or more affected individuals of any one state. I think that’s important, they have to be all in one state. I think the final rule extended that to American Samoa and one other territory or possession. I can’t remember which one, but the definition of state or jurisdiction. There has to be 500 or more individuals in one state or jurisdiction.
The notification has to be given within 60 days of discovery. Actually, it’s unreasonable delay or 60 days as it is with individuals. It has to be reported through a prominent media outlet. There was some commentary or comments that asked that the HHS defined what they mean by that. They declined to do so, and indicated that’s going to depend on the market in which the covered entity resides.
Finally, they indicate on the commentary that a press release that you draft, that you post on your own website does not need this requirement. You can just draft your own press release, stick it on your website, and say that you met the notification immediate requirement.
Brian: Next obligation is notifying the Secretary of a breach. That obligation kicks in when there are 500 or more affected individuals. Here, it’s anywhere. It’s not just within any given state or jurisdiction. Then interestingly, the requirement is that the immediate notification, but then reading the final rule, what they mean by immediate is really contemporaneously at the time when the individual notices are sent. It’s not a requirement that you notify the Secretary before you notify the affected individuals. If you’re compliant that the notice requirements were affected individuals and you send a notice of the same type for the secretary, you’ve complied with its requirement.
If the breach affects less than 500 individuals, you are required to maintain a log of those breaches and who’s affected, and then report on the HHS website annually within 60 days at the end of the year. If you had three, let’s say three incidents, which I would hope you would never have, but if you had three incidents in any given year and the number of affected individuals was less than 500, you would keep a log of those incidents. At the end of the year, within 60 days at the end of the year, you would go on the HHS website, fill out the form that’s provided there, and then you’re compliant.
Now there was, again, some comments raised about, “Couldn’t we just submit the log and not have to fill out an individual form for each incident?” HHS replied, “No, that’s not how we’re going to do it. At least for now.” You may have to fill out multiple forms if this applies to you.
Finally, the notification requirements by a business associate. That, first of all, and we’re going to speak more to this when we talk about the enforcement rule, a business associate knowledge of breach is imputed to a covered entity if the business associate is an agent of a covered entity. Meaning that covered entity’s clock starts ticking when the business associate discovers the breach. Again, this is only under the circumstance when a business associate is acting as agent. Again, I’ll speak more to that in a couple of minutes here. Otherwise, the covered entity’s clock in terms of the notification obligations begins ticking when it receives notice of the breach from the business associate.
Brian: Okay, the enforcement rule, and you probably have looked at this, this is oftentimes the first place people go I think when these rules come out. They take a look at the chart with the civil monetary penalties on it, but there are four civil money penalty tiers that are based on culpability. I wanted to copy and paste the chart into this PowerPoint, but I was unable to do so. I’m just going to read through them real quickly for you right now. The first level is did not know of the circumstances in each. In that case each violation is subject to a penalty of $100 to $50,000 per violation, with an aggregate cap for all such violations of an identical provision in a calendar year of $1.5 million. I think that’s important because again if all such violations of an identical provision. If you are violating more than one provision, that cap won’t apply. It’s not $1.5 million in the aggregate for all violations; it’s got to be a violation of an identical provision.
The second tier is reasonable cause. In that case, each violation is subject to a penalty of $1,000 to $50,000 per. The third is willful neglect that gets corrected within 30 days. That’s a $10,000 to $50,000 per violation. Again, all of these have the $1.5 million aggregate cap. Then finally it’s a willful neglect that’s not corrected; $50,000 per violation with a $1.5 million cap.
Now for the second tier, there was a change in the rule because there were some, there was lack of clarity in terms of what was meant by reasonable cause. The second tier violations, and they now define it to mean “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known that the act or omission violated an administrative simplification provision,” which means privacy rule, security rule, but in which the covered entity or business associate did not act with willful neglect.
Now it’s sort of an interesting standard if you sit back and read it. I’m not going to get into a lot of discussion on it right now, but to me it’s sort of saying anything short, anything, really anything between complete ignorance and no culpable intent and willful neglect. Sort of anything that falls between those two is going to be deemed to be reasonable cause, and therefore subject to the second tier penalty.
Covered entities and business associates are now liable (we touched on this a minute ago) as principals for the acts of business associates for covered entities or subcontractors for business associates acting as agents under federal common law principles. I think this is important to understand because there are probably relationships out there between a covered entity and a business associate, and between a business associate and a subcontractor that really have not been evaluated under this agency construct.
I think it’s important for covered entities especially to take a look at their business associate relationships and examine them and evaluate them as to whether they in fact do create an agency relationship because if they do, you need to be aware that you are liable directly for the acts of that business associate when it acts as an agent for you.
Now what I don’t know, and I didn’t see in any of the commentary, is whether there’s any danger to indemnity provisions that are contained, customarily contained in business associate agreements. Right now, they protect covered entities from the actions of a business associate. I don’t know how those indemnity provisions are affected, if at all, if there is a finding of the business associate as an agent of the covered entity.
I think that’s something I’d like, if anybody on the call today has any view on that, any input on that, if you’d raise that when I get done with the presentation, I think that would be great because again, I’m not clear on how they will play out, but I do think it is important to understand the nature of your relationship with your business associates.
Brian: The basis for the penalty determinations, and this is what OCR will look at, first is the nature and extent of the violation. Second is the nature and extent of the harm caused by the violation. Third is the history of prior compliance, which is probably really prior non-compliance. Fourth is the financial condition of the covered entity or the business associate, which may be the one area where I saw some leeway given to the smaller covered entities or business associates. Now, again, that’s simply one factor that will be looked at in determining what the level of penalty should be, but it is in there.
Then the fifth, which might also fall in that category, are other matters “as justice requires.” I view that as giving the OCR discretion under any given scenario in terms of how it might apply the penalty determinations, but the mechanism again is to start with culpability. Once you’ve determined what that is, and what tier you fall within, that violation falls within, then these are applied to determine where on that scale of penalties you’re going to fall.
Brian: I thought I put together a to-do list because that’s probably what you’ve all been waiting for anyway. I do want to qualify today’s conversation by saying … the final rule’s been out for not a long time at this point. I’d been through it a couple times preparing an internal newsletter and external newsletter for this, preparing the PowerPoint presentation for today’s webinar. I can’t say that, again, I’ve read every single word that’s in the final rule or that I’ve read every one of the regulations that came out of it. I read most, but I would encourage all of you on a to-do list.
Number one, print pages 491 to 562 of the final ruling, and put it in a binder. Those are the actual regulations. Then secondly, read. I really don’t think there’s any substitute. While the commentary is useful in kind of gaining the mindset of HHS and OCR in reaching the conclusions they did when putting out the final rule, and I do find it interesting to read that, I don’t think there’s any substitute for actually reading the regulations that are there.
Now I’d strongly encourage any business associates that feel like maybe they’re behind the eight ball a little bit or down the curve a bit to do that as well, particularly as those regulations pertain to the privacy rule and the safeguards and the security rule, and what’s required under there.
Brian: A to-do list for covered entities, at least as I see it sitting here today. Number one would be reviewing policies and procedures particularly for conformance with breach notification rule changes. Secondly, as I discussed earlier, examine your business associate relationships in light of the agency liability issues. In doing that, you may make a determination that, in fact, you do have an agency liability with a business associate that you really don’t want to have an agency relationship with because you don’t want to be on the hook for that business associate’s actions; and therefore, may want to modify your business associate agreement to make clear that the tasks and the services to be performed by that business associate are such that they would not create an agency.
Now I do want to mention that the commentary was also very clear on that point: simply stating in your BAA with your business associate that they are not an agent, it’s not going to work. They made clear that when they’re examining that issue, they are going to look at federal common law principles of agency, and that form will never prevail over substance.
The third is to review your business associate agreements and make sure that they contain all of the new required provisions in them. On that … I do believe that the OCR has posted an updated BAA or new provisions for BAAs that … conform with the final rules. You should take a look at their website on that. You will need an updated notice of privacy practices. We did not speak to that today. I have not read those in any detail, but I do know that there are some new requirements in there, so we want to do that.
Fifth, we discussed this, consider encryption of your ePHI archive if it’s not already done. Sixth, and this is critical, conduct training that the final rule is out when you got your ducks back in order in terms of making sure that you’re up to speed on this internally. Make sure your training is done so that the people in your organization who are required to know this, do know it; and the people who implement your policies and procedures know it. Then the seventh point, I touched on already, use the OCR resources.
Brian: The next to-do list is for business associates. Number one, and I touched on this, determine if in fact you are a business associate in terms of the kind of services that you provide. If you feel that you’re not, then you need to be prepared to defend that position when you enter into relationships with covered entities. I don’t mean that in an adversarial way. I mean that in a totally objective way. Secondly is to evaluate your current operations for compliance with the applicable privacy and security rule provisions that we talked about a minute ago. Third, ensure you have appropriate subcontracts in place with the proper content because you are now required to do that. Fourth is just as with covered entities, conduct your training. Fifth, just as with covered entities, use the OCR resources.
You have our disclaimer on the next slide, and then contact information on the last slide. I know April and I talked about this, this morning before we get on. This is a lot of information. I did not drill down intentionally into a lot of detail on this. There’s a lot more I’d like to communicate out. We are, like I’ve said, we’re finishing up our initial newsletter on this, and that will be available and published within the next day or so. That is a bit more detailed, but we were thinking that if the audience was interested and we take a poll after the fact that if you’re interested in more detail and specific parts of this, that we could certainly sync back up sometime in the near future and do that.
I appreciate your patience in listening to me today, and I guess we’ll open it up for questions. Thanks!
April: Sounds good. Thanks so much, Brian. That was a great download. We do have several questions, so we’ll get through as many as we can, as time permits. If for some reason we aren’t able to get to all of them, or if you come up with a question later, please do feel free to reach out to either Brian or us at Online Tech, and we’ll make sure that those questions get to Brian. We may be able to convince Brian to give us a second session here if interest suggests that.
Let’s start with some questions here. A confirmation about the law firm questions. If a law firm accesses PHI in connection with providing counsel on a healthcare operation to a covered entity or business associate, then a law firm is a business associate. Correct?
Brian: Counsel regarding healthcare operations. That’s the question?
April: If a law firm accesses PHI in connection with providing counsel on healthcare operations to a CE or BA, then the law firm is a business associate.
Brian: I would consider them a business associate, correct.
April: Okay. What was the website where we can find new encryption standards?
Brian: I will tell you that … bear with me a minute, it’s actually in the Final Rule. While I’m looking for it, why don’t you go to the next question.
April: Okay, and I’ll tell you what, we can … we’ll post that link, Brian, with the slides and recordings if you’re not able to find that.
Brian: I got it. Here it is. If you have the Final Rule, it’s on page 316, three-one-six. I’ll read you what it says. It says, “We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other PHI guidance specifying the technologies and methodologies that render …” Blah-blah-blah. It’s published at 74 Federal Register 42740.
April: Repeat that, Brian.
Brian: 74 Federal Register 42740.
April: Great! I’ll post that in the chat room, and we can also post that on the website as well. All right, let’s go on to the next question here. If it is unclear whether a business associate agreement is required, but a covered entity insists one is signed even if the subcontractor may disagree, given liability is now inherent, what risk is involved in signing a business associate agreement just to appease the covered entity?
Brian: With the understanding that the disclaimer slide indicated this is not legal advice on this call, I think the … whoever asked the question sort of touched on the key, sort of the key element of this. If you are not a business associate, you’re not directly liable under the privacy rule or the security rule. I mean that’s the threshold question, are you or are you not? If you are not, then you are not.
Now, I would say though that if the covered entity nevertheless wants you to sign a business associate agreement, I would review the agreement to be sure that there are not other provisions in it that go above and beyond in terms of obligations, that go above and beyond simply mirroring what the satisfactory assurance requirements are under the privacy rule or the security rule. It may be. In fact, the commentary in the Final Rule absolutely recognizes that it’s completely within the covered entity’s right if they want to shift other liability over to the business associate.
There’s no substitute ever for reading what’s in it, and if you have questions about it, then I would raise them with the covered entity, but I don’t like … and I understand the practical reality of the appeasement concern. The risk is, again, if there are additional obligations in the BAA that do not, they go above and beyond what would be required under privacy rule or the security rule in understanding what they are.
April: Okay, thanks, Brian. The next question is, what if there are multiple breaches, which in aggregate are more than 500? Can they be reported on the website because even though each was less than 500, in total it was more than 500?
Brian: My reading of it is per incident. My understanding is that you could have more than 500 affected individuals in a given year, but through several different incidents. In that case, the reporting requirements of the Secretary is to log all of those, and then report them within 60 days after the end of the calendar year.
You’re going to be required, as I understand it anyway, to fill out separate forms with respect to each incident. Now the commenters wanted to just keep the log and then submit the log at the end of the year; but HHS has indicated that’s not going to be the case.
April: Okay. If an encrypted laptop or flash device containing PHI is lost, would a risk assessment still need to be performed?
Brian: The risk assessment is only under the breach notification requirements. If the PHI is encrypted consistent with the guidance, then it doesn’t need to be performed; does not need to be performed.
April: Okay. The next question is, if a business associate provides software to covered entities, which allows properly authenticated covered entity workforce members to view PHI, would a covered entity’s improper use leading to a breach be construed to be a business associate breach as well? What if a breach is due to a software flaw instead?
Brian: That one you’re going to have to read again.
April: If the … Okay, let’s skip that one. If a business associate provides software to covered entities, which allows members of the covered entity’s workforce to properly authenticate, but through the covered entity’s improper use led to a breach, would that be construed to be a business associate breach as well?
Brian: Doesn’t sound like in that case that the software provider is acting as a business associate. Now I’m going to read, “Business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on the behalf of or provides services to a covered entity.” Okay?
Brian: My view is that, I think in the fact pattern you just gave me, it sounds to me like the software provider is not independently accessing PHI.
April: Part two of the question was, what if the breach was due to a software flaw?
Brian: Again, I could see liability potentially there; contractual liability there. In terms of that being a breach of the privacy rule or the security rule, again, because it’s not the business associate that’s using the PHI or not the business, but software provider that’s using the PHI under that circumstance, I don’t see how that creates direct liability under HIPAA for that software provider.
April: Okay, so may create liability, but not necessarily with the HIPAA Privacy and Security Rule.
April: Alright. Next question. Please explain why the fact that a business associate is an “agent” of the covered entity affects indemnification?
Brian: That’s my question. I’m not sure if it does or it does not, and I have not had an opportunity to research that issue. Here’s my concern: There are certain cases in which things like disclaimers of liability or hold harmless clauses, that kind of thing, are not enforceable because of public policy. Okay? There are certain risk-shifting contractual elements that in some cases may not be enforceable because of public policy.
What I don’t know is if there’s anything under the Federal Common Law, or if there’s any view from the Secretary, HHS or OCR that says, “You know what, we’re saying that we want covered entities to have primary liability as principals for the acts of their business associates, who they are employing as their agents. We do not want the covered entities to be able to escape principal liability for those acts of those business associates, who are acting as their agents. We’re treating the business associate as the covered entity in that circumstance, which is what Agency Law says.”
What I don’t know is whether they would have heartburn or going to try to push back on the concept of a covered entity saying we do want to use this business associate in an agency role, but we’re going to protect ourselves from that primary liability by requiring that business associate to indemnify us if they do something in that role that creates liabilities. While we may be getting the covered entity directly liable for that, we’re just going to turn around and go back to the business associate under our indemnification and be made whole for it.
Again, I don’t know how that’s going to be viewed, how that would be viewed. Maybe it’s a non-issue, and maybe it’s perfectly okay. Those are perfectly enforceable clauses to put in a business associate agreement, but it’s a question that I think is out there and will be addressed at some point.
April: Okay. I know we’re running over here. We’re going to try to sneak in a couple more questions. I don’t know if we’re going to be able to get all of them, but again, if we miss your question, we’ll make sure to connect you with Brian to get that answered. Let’s try to sneak in one or two more short ones.
When a covered entity outsources its data storage to an outside provider, for purposes of the Security Rule, is the data center provider liable for a data breach? What about if the data is encrypted? Does the liability go away because of the encryption?
Brian: Well, the breach notification obligations go away because of the encryption. Look at the overall administrative and physical and technical safeguard requirements and yes, I think if a data storage entity is storing PHI, then yes, it is going to be subject to the data Security Rule. Look at all the safeguard requirements, administrative, physical and technical, and encryption is clearly one way under the technical element of the safeguards to ensure you are doing what you should be doing to protect the unauthorized disclosure of the PHI. It is one element. We know that there are qualified data storage providers out there. Data storage providers. They put in place the satisfactory assurances, the safeguards that are required under the Security Rule.
April: I didn’t even stage that question, Brian. Honest. It came from the audience.
Brian: Including Online Tech in case you were wondering.
April: I had no doubt about our liability, Brian.
Folks, I apologize, we have some more great questions. We are over time. We have commitments for the next hour. Forgive us, we are going to wrap up the webinar and will pass all of your questions on to Brian for follow ups. If you are interested in follow up content, I’ll see if I can talk Brian into joining us at a later date.
For those of you coming down to New Orleans in March, check the agenda. Brian is going to be giving a presentation Wednesday morning. Correct, Brian?
Brian: Yes, that’s right.
April: Come look for us in New Orleans at Booth 1369. We will also have contact info for Brian if you can’t find him Wednesday morning. We look forward to connecting with you all on a future webinar or future conference. Brian thank you so much. Your information has been invaluable and appreciate all of your preparation to give us an update.
Brian: Thank you April and thanks everyone for listening.
April: Touch base with everyone soon. Thanks again Brian.
Brian Balow, Dickinson Wright Law Firm
Brian Balow is a member of the law firm Dickinson Wright PLLC, where he concentrates his practice in the areas of information technology, healthcare law, and intellectual property. Brian has worked with Fortune 100 clients over the last fifteen years on Information Technology-related matters, including the drafting and negotiation of agreements, formulation and implementation of policies and procedures for the management of IT (including outsourcing-related issues), counseling and advising on privacy and data security issues, and assisting clients in favorably resolving disputes with IT vendors (including disputes with the BSA and SIIA).
More recently, Brian has spoken and written extensively on healthcare IT and telemedicine issues (including HIPAA/HITECH issues). In 2012, Brian presented on social media in healthcare issues at HIMSS12 in Las Vegas and to the National Council of State Boards of Nursing in Idaho, on regulation of mHealth technology at the SoCal HIMSS Health IT Innovation Summit in Yorba Linda, California, and on BYOD issues at the HIMSS mHealth Summit in Washington, DC. In December of 2011, Brian contributed the chapter entitled “Allocation and Mitigation of Liability” to the ABA Health Law Section’s “E-Health, Privacy, and Security Law” treatise.
Brian is a 1988 cum laude graduate of the University of Georgia School of Law, where he was twice a scholarship recipient and was Managing Editor of the Georgia Journal of International and Comparative Law. Following graduation, Brian served as a judicial law clerk to the Hon. James Harvey in the United States District Court, Eastern District of Michigan.