Sharing PHI Data? Legal Implications of BAAs & Avoiding HIPAA Pitfalls
November 08, 2011 2:00 pm

Tatiana Melnik, attorney for Dickinson Wright PLLC, discusses the legal implications of BAAs (Business Associate Agreements) when patient information is shared, processed, or stored between companies.

April Sage: Hi everyone, thanks for joining us again today. We are happy to bring back Tatiana Melnik who is an attorney at Dickinson Wright. Tatiana has extensive experience in Health Care and Technology Law. She is here with us today to answer questions specific to sharing PHI data and how to avoid pitfalls in meeting HIPAA compliance when you are working with partners and other legal implications of Business Associate Agreements (BAAs).

Thanks so much for joining us, Tatiana.

Tatiana Melnik: Thanks so much for having me.

April: We know people are sharing concerns, especially after recent events in the media with the Stanford hospital breach and TriCare breach. Data is showing that when a business associate is involved, sometimes the breach can be more severe. I think there is an awareness that people need to be protected, but maybe there is still some uncertainty as to when you need to have a Business Associate Agreement in place. Are there any examples of companies that are sharing PHI data, but it may not be readily obvious? Or applications where people do not realize that they should be protected?

Tatiana: That is a really good question. Before we go ahead and get into that, I would like to get a few definitions out of the way that I think will help answer this question. In general people usually know when they have Protected Health Information (PHI). It is one of those things that if you are in health care and you have people’s personal information, you know it. It is not an accident, but there are and have been instances where people do not really know that it is PHI or that it is legitimate, active medical data. I will give some examples of that a little bit later on.

The following definitions come directly from the HIPAA Administrative Simplification. I am also going to reference some of the material from the proposed final interim rule that was proposed last year and because it is an interim final rule it is actually in effect even though it was a late proposal. This is why you see a lot of people sending out the HITECH modifications to Business Associate Agreements (BAAs) and putting all of those processes in place already. That is what makes clear to us, as attorneys and as practitioners in the area, where HHS, OCR and the whole health care government base is moving to additional protections for everybody who has contact with PHI.

So what is PHI? It is basically data that is transmitted or maintained in any format. It can be electronic, paper records or anything. It incorporates anything that has to do with individually identifiable health information. This is how you know an attorney drafted it, because there is a definition within a definition. There are some things that are excluded specifically from the definition such as employment records and education related stuff. For the most part, stuff we are dealing with here is not going to be things that are excluded.

What is Individually Identifiable Health Information? Definitely a tongue twister, right? It is basically people’s health information. It has to do with the past, present, or future physical or mental condition of a person or the provision of health care services to them. Clearly that is really, really broad. That encompasses billing and it encompasses any type of processing. Under HITECH, HR vendors are specifically covered and explicitly covered under the specific statute. So again it is very, very broad. That matters, because as you asked before, are there surprises? Would people really not know if they have PHI? In some cases yes, because you do not know that what you have is live data. You do not know that what you have is medical data. I will give an example of this a little later.

I know that people are wondering: Am I a business associate? Under what circumstances am I covered and do I have some responsibility even though I may have PHI, but I may not actually be using the PHI in some way? Am I just making some processes or am I just sending out billing information? I am doing something minor to the data, does that still count? The answer to that is yes it does, because it relates to the provision of health care services. It is people’s past, present, or future physical or mental health condition. And so yes, it is incorporated into that.

April: So even if there is not a lab result or a specific diagnosis involved, anytime you are dealing with records that involve patients you need to be aware?

Tatiana: Yes, absolutely. You need to be aware. And that Stanford example you mentioned, which I’ll use later on, is one of those circumstances where there was only one diagnosis in the data. It was someone's psychiatric diagnosis. Everything else was a person's name, an admission date (which does not seem like it would necessarily be PHI, because it is not their mental condition, but because it talks about them being admitted to a hospital then it is PHI) it is still protected.

April: Is there any situation that involves the exchange of PHI data that does not need to meet HIPAA compliance? Or should everyone assume that anything that involves patients should always be protected?

Tatiana: There is one major exception. And before I get into that, let me briefly talk about when you fall into the business associate category and then I will work my way into that exception, because you sort of have to understand the framework of when you are a business associate to know when you are not.

A business associate is a person who performs or assists in the performance of a whole bunch of functions for a covered entity. It is the person who is actually the originating entity who has the PHI, like a hospital. It involves the user’s disclosure of individually identifiable health information. Basically it means that if you do services for a covered entity and you handle in any way protected health information, you are going to be covered. That is a big deal. You can see in the statute in the administrative simplification regulations, there is a list of entities that are covered. That includes legal (attorneys are covered), actuarial, accounting, consulting, and data aggregation services. There is a whole bunch and again these are services that typically have access to that kind of information.

So for example, our clients do not generally have us sign BAAs, because when they come to us they are in litigation and there are certain exceptions to litigation. But if you choose to sue a doctor or you choose to sue a hospital, you are automatically giving permission to display your information, because going to court is a public process. Your records are only hidden and sealed under certain circumstances. And there are exceptions to HIPAA, so when you request medical records, there are certain things you have to block out from medical records.

For example, your accounting. If someone is providing you with accounting services and they see people’s PHI, their treatment dates, how long they stayed at the hospital, because they need to know that to chart them, that is PHI. That is included.

One of the bigger changes to this space is the inclusion of subcontractors. So you have your covered entity, your business associate, and then you have a subcontractor that is some other service provider that provides services to the business associate. They are also covered. That is one of the things that the interim final rule makes very clear. They are covered and why are they covered?

I included this language from the interim final rule and it says: “The proposed provisions avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity.” Basically what they are making clear is that everyone is covered. If you touch PHI you are responsible. To get to your question, who is responsible for complying? Everyone who touches PHI is responsible. Period. There are no exceptions to that. Except for the exception.

April: Okay, which is?

Tatiana: Who is not covered? Someone who acts as a conduit for PHI. What does that mean? Well, if you are the post office, or Online Tech in certain circumstances, or Google, or whoever else; you act as a conduit to transfer the data and you are not someone who on a normal basis would have access to PHI.

April: So someone who is passing PHI from place to place may not be liable or required to meet HIPAA compliance?

Tatiana: Right.

April: How does that work in the technology world when it is really tough to tell what a vendor can see and what a vendor cannot see?

Tatiana: It is very, very rare that you will have a covered entity that will agree with a service provider like Online Tech, Rackspace, or whoever to say: “Hey you are providing me services, but you do not have to sign a business associate agreement because you do not actually, technically have access to it.” In fact, you do, right? Because you house the servers, your people once in a while go in and make modifications.

Because of the damages and huge liability they will require that they sign a business associate agreement. Even if it is possible that they may not have access to the data. You will see this, for example with Microsoft’s HealthVault service. They will argue until they are blue in the face that they are not a business associate and yet they have put forth a business associate agreement that they are willing to sign. Granted it is a modified version of a business associate agreement. There is a very limited provision, but it is still there, because they recognize that no one will use their service without some degree of protection.

April: So, even if you might be lucky enough to fall in that category where you are excluded, if you want to do business in the health care/IT space, you can expect that they are going to have you sign a BAA.

Tatiana: Yes. If you are storing or housing their data, or doing anything with their data they are going to require that you sign that business associate agreement.

April: Who or what does the business associate agreement protect?

Tatiana: The business associate agreement protects everybody. From my perspective, it is in your best interest to sign an agreement. If you do not have an agreement, I would like to make clear that even if you do not have one, you are still responsible. So having an agreement in place or not having an agreement in place does not mean that somehow you get out of being responsible for complying with HIPAA. It is just not the case.

It is not just me saying this. It comes directly from the Department of Health and Human Services. Again, this is in that interim final rule. This comes from a section where they have made a few changes to the current HIPAA administrative simplification where they set forth all of these requirements. They say: “The movement of these exceptions and refinement of the definition of a ‘business associate’ also would help clarify that a person is a business associate if it meets the definition of ‘business associate,’ even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required contract with the business associate.”

April: So the short version, whether you are willing to sign or not, you are responsible.

Tatiana: If you fall within that definition, you are responsible. Period. So the reason you want to have an agreement in place is: One, you are meeting your statutory obligation. You are obligated by statute to enter into a BAA. So, again, you are showing your compliance. Secondly, you have taken the time to evaluate your compliance requirements. There are certain things you as a business associate will not do.

For example, if you are creating internal software for a hospital where you are not making any disclosure outside, you do not need to have an accounting of disclosures, because you are not disclosing the data. There are certain things you will not have to do, so your agreement with the provider clarifies everyone’s responsibilities. Which is what you really need to do, because if you are not providing services, specific services, then you should not take on the responsibility of complying with those provisions, because that is extra work for you.

It protects everybody. It protects both parties. It is important that you read your business associate agreement. They are not the same, there are differences between them. They are generally very similar, because what is supposed to be in them is defined by statute or regulation. So they will be very similar, but people can add things to them. They can make modifications as I have noted and so you should be careful that you review what you are signing. You want to know what you are obligating yourself to do.

April: It sounds like the opportunity to draft, review and agree to a business associate agreement with your partners is a good opportunity to know exactly where to draw the lines and establish where the ‘sand boxes’ are so everyone is on the same wavelength from the beginning before something happens.

Tatiana: Absolutely. That is exactly what you want to do. On that note, I want to go ahead and briefly mention the Stanford case. Which is just amazing. Just a really great example of the kind of problems that arise and frankly this is something that arises in all kinds of contexts. This is not just specific to HIPAA. You always have people you contract with, you always have entities that provide services to you and someone just makes a mistake.

Unfortunately, in these cases it is a very expensive mistake. I would like to note under this case, there has been a lawsuit filed. It was class action in California, but it has not been filed under HIPAA. It was filed under one of the California statutes that is the Confidentiality of Medical Information Act. I bring that up, because HIPAA is not people’s only remedy. Almost every state, I think every state, has confidentiality laws related to PHI. And so it is important that you do not just have to comply with HIPAA. You have to comply with your state requirements as well, because both can get you too. You have to be careful that you know the area you are operating in.

In the Stanford case, you had data released on 20,000 emergency room patients. In this case, a person applying for a job received an Excel spreadsheet from one of the people looking to hire her and asked if she would go ahead and do this for them. And she did not know how to do it, so she posted it to a tutoring web page and said, hey, can you help me, please.

April: Oh, no.

Tatiana: Exactly. Clearly she was not qualified for the job, because she did not know how to do it. In the interim she compromised people’s data. So if you think about it, whose fault is it? Stanford has this business associate who provides services to them. The business associate hires a marketing company to hire someone for them to do this job. I will say, it is not clear whether this business associate hired a third party or if it was their own internal marketing person.

So they put this out looking for help and lo and behold, it is live patient data. So this is what I mean when I say you may just not know what you have. You think you have test data and this is data you can use to test people’s skills. Well no, it is not test data, it is live data. And of course, who is in trouble? Who is getting sued in the class action? It is Stanford. That is why covered entities will never let you hold their data without you signing a business associate agreement, because of stuff like that.

Now they are going to look at their agreement and say “Hey business associate, look at this agreement. We have this giant indemnification clause, pay up.” That is part of entering into this agreement. So your standard business associate agreement, if you just follow the rules is not going to have an indemnification clause. If you are just signing BAAs left and right, you are not looking at those things. You have to make sure that you have some agreement that covers that relationship. If you are just signing the business associate agreement you need to make sure it is a full agreement. It has a governing law section, it has an identification section, talks about data destruction. All of the things an agreement would have when it comes to protected data.

April: Well at the level of these penalties, this is pretty serious business for a lot of vendors. Probably the difference between being in business and not.

Tatiana: Exactly. I know that a lot of vendors are looking for insurance options. I know there are insurance options available. The insurance industry is trying very hard to price point these, because this is a relatively new area. Cyber insurance has been around for a long time, but specifically to this, this is a relatively new area because penalties are mandatory. But there are options out there available. If anybody is interested in learning about these, just send me an email; I have a list compiled.

April: Super. We will post Tatiana’s contact information and share that link with anyone who wishes to ask questions about those resources. So, it sounds like health care vendors are much more at risk if they do not sign a BAA. There is no avoidance of risk or penalty if they do not sign a business associate agreement.

Tatiana: That is exactly right. So you have under the statute a clear requirement that BAAs should be signed. If you do not, as OCR and HHS have made clear, you are still responsible. But now what you are missing is an indemnification section. You are also missing warranties, you are missing indemnification, and all of these other things you should have. And if you did not sign that agreement, you do not have those protections.

April: And you have not done your due diligence.

Tatiana: I think Joe talked about this in the first session, where he gave a list of things that happens when a breach happens. You get that letter from OCR saying, please give us this, you have ten days. This includes your policy and procedures, and includes all of these things you cannot possibly prepare in that short amount of time.

April: So if you do not have that ready to go before an incident happens, they will just come hounding?

Tatiana: Right, because now you are willfully negligent, which means your penalties should basically double and they are mandatory. So, it is a problem.

April: BAAs are the way to go, that is what I am hearing. So is there a change in attitude of the large health care organizations related to their willingness to do business with companies where it is to the point where you are really not going to do business with a covered entity unless you enter into a business agreement?

Tatiana: Absolutely. It is really one of those things that is standard in the industry. It is a standard requirement and if you want to enter the health care market you need to be prepared to sign them. You should really have your attorney review the documents and make sure they conform to what it is you do. They are limited only to your specific services so you are not taking on unnecessary liability.

And that is really important, because you do not want to see that your BAA says you are required to do steps one through three but you only do step three. You should never take on the liability of steps one and two, but if you do not exclude that from your agreement, when a breach like this happens, I do not think that is going to matter. They are going to say you agreed to take those things on and you do not do them? Well, too bad.

April: So you need to make sure they are specific to your actual business and processes. So what about someone who signed a business associate agreement two or three years ago? Are they still valid? Or have things changed enough that those need to be revisited at this point?

Tatiana: No, they are still valid. Generally what will happen if you signed one a couple of years ago you should have gotten an update saying here is the new provision for HITECH. HITECH put in place breach notification requirements and those have to be appended to existing business associate agreements.

A lot of vendors and providers have taken the opportunity to actually review their agreements at this time and make sure that they are still consistent with what they are doing and that they are still consistent with the requirements and how BAAs have been determined and interpreted by judges when they have been litigated. But for the most part they are still really, really valid. All you need to do is to update the breach notification requirements.

April: Good to know. We had some of our webinar registrants submit questions upon registration and we noticed a theme that a lot of people are asking what happens when PHI is involved in clinical research?

Tatiana: First you have to evaluate what it is you are doing. There was also a question with telecommunications from people who are providing telecommunication services and what they have to do to comply. First you have to determine for the telecommunications whether or not you are a mere conduit. If you are AT&T and you are providing the backbone of the Internet, then you are a mere conduit and you are not entering into those agreements. If you are AT&T and you are providing your EHR system, then that is a little different.

So you have to figure out what you are doing. These questions are very, very fact specific. It really depends on what you are doing. If you do have your process in PHI, you are acting on PHI in some way your requirements are no different than anyone else. You need to do your risk assessment, you need to have your policies and procedures in place and you need to train your staff, because all of that is the same. It is the same process for anyone who has access to PHI. It is more of you just want to make sure whether or not you are actually subject to it.

April: Great to know. We have some more questions submitted here. One is, is a data center a business associate?

Tatiana: So with a data center you would have a situation like what you have with Online Tech, where they provide data center services. Some will argue that a data center is a mere conduit and so they are not subject to it. My take, having evaluated some of these issues in the technology space, is that it depends on what this data center is doing for you. If they are managing your servers, if they are going in and making updates and making changes and doing all kinds of stuff, they are a business associate.

On the other hand if it is just colocation where you go in and plop down your own equipment and lock it in a cage and no one has access to it except for your personnel, then they are not a business associate. So it is very fact specific. But again, say I am a hospital. I am Stanford and I just got a class action suit against me, because of a screw up by a business associate. Am I going to trust what happens if you do not sign that agreement?

I am first going to wonder why you are not willing to sign an agreement that basically says you have to follow all of these security requirements? Are you not following these security requirements? What is going on? Of course your answer is going to be I do not want to take on additional liability that I do not have to take on. I do not have to do all of these things, because I do not provide all of these services to you. Yes I may do a risk assessment and all of this other stuff, but you are obligating me to take on other stuff under statute and federal law that I should not have to take on. And you as a covered entity are going to say you are sure you can find someone else who can take that on and walk away.

April: I have noticed even in our experience here at Online Tech, that when clients come specifically looking for PHI data storage, it does not matter if it is colocation or managed servers, the first question out of their mouth is are you going to sign a BAA? Yes or no?

Here is another question. Is the bank where we store our backup tapes of PHI a business associate of a covered entity?

Tatiana: It depends on how you are storing it. I am assuming you have some sort of disk and you put it in some sort of vault. First, that should be encrypted.

April: Data at rest should be encrypted.

Tatiana: And if it is encrypted, probably not. I think a bank under those circumstances will not sign a business associate agreement, because they are locked away and who has the key? Probably just you or some third party, however you have it stored. So I would say depending on how it is stored, probably not.

April: Okay, but the story might be a little different if you are taking your digital PHI data and you are trying to back that up remotely using someone else’s storage service, then they are going to be on the hook.

Tatiana: Absolutely, yes.

April: Okay, that is good clarification. Is it typical for the BAA to have a cap on the liabilities a subcontractor has for the breach of an agreement?

Tatiana: That is actually a typical provision in many types of agreements. BAAs are usually documents where you will have your main services agreement and then you will have Exhibit A: the BAA. You may not have it in your business associates agreement, but you may have it in your agreement. If you do not, you can absolutely add that in to your business associate agreement.

April: Good to know. The next question is, many business associates have not completed a risk assessment and analysis, which is now required by the HITECH Act, paradoxically many covered entities are also in the same boat. Do you have any suggestions on where business associates can go to get that guidance or a template on how to complete such an assessment?

Tatiana: The Department of Health and Human Services has some really, really great materials. There is also a site called HIPAA COW, which stands for HIPAA Collaborative Organization of Wisconsin and so their acronym is HIPAA COW. They have some really, really great material. I think it is also the Department of Health for North Carolina who also have some really great material. There are a good number of free options out there. HIPAA COW would be my first stop after the Department of Health and Human Services.

April: Great! Here is another question: I am a legal nurse consultant who is self-employed and reviews medical records for claims and lawsuits. Do I need a business associate agreement with each client and do I need to update that on an annual basis?

Tatiana: You do. You need to have a business associate agreement, because that is protected health information.

April: What are your initial impressions or concerns with cloud computing types of business solutions to include online data storage providers since they are somewhat relatively new and not well versed with HIPAA and business associate requirements?

Tatiana: I have been around IT for a long time now and cloud computing really is not that new. It is just a different or new name for a service that has been around for a long time. For example, shared hosting is a similar type of structure where you are putting your data into a third party’s environment. My initial concern, as it would be with a lot of attorneys, is compliance, because you want your information to be protected and stored. And you want to make sure that the service you are using complies with the requirements of HIPAA.

That means, for example, a large problem with shared hosting is you are sharing space with a lot of different people and you do not know what walls the provider has built between you and those other parties. How do you know what your guarantee is that they cannot get into your data from some other back door that people just do not know about or was not adequately secured? That is a similar issue you have with cloud computing. How do you know that those doors are secure? I think you will find more vendors now who are complying with the processes and who are carefully looking at their processes.

I know Online Tech has done a very good job of making sure they are compliant. They have done their homework on risk assessment and have gone through that process. You will find other vendors who want to get into this space who are doing the same thing, because they understand that covered entities and other parties are just not going to trust them without doing that process.

So I think that if you are looking to a vendor, a cloud computing vendor, the first thing you should ask them is have you done a risk assessment? If they say they do not know what that is, you should walk out the door and go to someone else. If they say yes, you will probably want them to show you some sort of certification. Show me that you have done that and tell me who you used or whatever the process is.

April: So what would someone ask for specifically to see? I assume that there is some type of formal report that is the result of the audit or maybe that varies across the board.

Tatiana: It varies across the board, it really does. There is no one size fits all. What you want to make sure of is whoever the company is that is used for the risk assessment is a reputable provider and that they certify. Then you get that in writing from the vendor saying that, yes, we warrant and attest that this is true and we are liable if this is not true.

Again, your protection is your contract. But keep in mind that your contract is only as good as either the insurance policy or the providers pocket. If the person is judgement proof, then your contract really does you no good. So you want someone who has the means to live up to what they are promising. I have done the research and see a ton of this, there are a lot of people who will say a lot of stuff online.

They say we can provide this, we can provide that but when you do some research you find out they are a reseller for a third party. In fact they cannot provide that, because they do not provide that now. They are reselling services for someone else so they cannot actually live up to those promises, because they are relying on a third party who may be relying on some other third party and so forth up the chain. You just want to make sure that you do your due diligence because, as with the Stanford case, who pays the price?

April: Everybody.

Tatiana: Right.

April: So would it be unreasonable or is it unheard of for potential clients to ask for a copy of the final auditor report?

Tatiana: No. That is not unreasonable. You will want to have them sign some sort of confidentiality agreement or document because you probably do not want that disclosed. Depending on what was in the audit there may be certain protected or secret information that you definitely do not want disclosed such as your entire security process. You do not want that disclosed to just anybody, because that becomes a liability. So you may get one out that is a little audited or redacted so you want to be careful what you are revealing. There are certain things you do not want to reveal, because that is how you protect everybody. The less people know the better, because then they do not know your vulnerabilities.

April: That makes a lot of sense. Got to be careful all the way down the line here don’t you?

Tatiana: Absolutely. Here is one last slide here that I have as a regular question. Is it okay to send documents via email or fax? Email is not a secure form of communication. So no, it is not. There are many providers that offer secure services to send email and if you are going to do that, you should make sure you are using one of those services. Fax is okay so long as you have the proper warnings and disclaimers on the cover page that this is PHI and so forth, but be wary of fax to email, because again you are getting into email and email is not a secure form of communication.

April: Okay, good to know. Thank you so much everyone, you sent some great questions. Tatiana, thank you again for your time and expertise. It is always appreciated.

Tatiana: Thank you so much for having me.

April: Wanted to let everyone know that Online Tech and Tatiana will both be down in Indianapolis next week. So if you have further questions about the implications of HITECH, HIPAA or Business Associate Agreements or any questions about HIPAA compliant data center services come on over and see us. We will be at Booth #57.

Finally, we will be out at the HIMSS Annual Conference in Las Vegas, February 20th-24th. Hope we get to see some of you there, in the meantime have a great day. Thank you again, Tatiana. If you have any further questions and would like to contact Tatiana, her information can be found below:

Name: Tatiana Melnik

Company: Dickinson Wright

Phone: 734-623-1713