The Health and Human Services (HHS) Office for Civil Rights has begun phase 2 of its compliance audits. The 2016 audits will target covered entities and their business associates. For example, an IT support business working for a healthcare organization is covered under HIPAA’s Privacy, Security and Breach Notification Rules.
Serious financial penalties for HIPAA noncompliance
In the largest HIPAA “settlement” (a fine, really), Advocate Health Care, an Illinois-based health care group, agreed to pay $5.55 million after the theft of laptops from one of its data centers. The laptops contained nearly 4 million personal health records.
Dragged into the fray was Advocate’s business associate, Blackhawk Consulting, which provided billing services for Advocate. A third party accessed Blackhawk’s network and compromised more than 2,000 billing records.
What is a business associate?
Under the HIPAA Health Information Privacy rules, a business associate is a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity” (emphasis added).
A business associate, for example, could, among other things, do claims processing, data analysis, billing and IT consulting. From medical transcriptionists to technical consultants performing utilization reviews for a hospital, HIPAA privacy rules apply, and the covered entity must execute a business associate contract.
The Business Associate contract
Part of Advocate Health Care’s compliance problems had to do with its business associate, Blackhawk. Advocate failed to get the necessary assurances, in the form of a written business associate contract, from Blackhawk. Those assurances involve safeguarding all protected information in the business associate’s possession.
The contract is required under 45 CFR 164.50(e). Generally speaking, the contract must:
Specifically describe how the business associate can access and use the protected health information
Clearly stipulate that the business associate will never use or disclose the protected health information, except as permitted in the contract and required by law
Require the business associate to use the necessary safeguards to prevent any use or disclosure of the protected health information other than as covered in the business associate contract
When business associate breaches occur
If the organization (covered entity) employing the business associate discovers a data breach or other HIPAA violation by said business associate, the organization must take the following steps:
The covered entity must take steps to seal the breach and end the violation.
If the steps do not succeed, the covered entity must terminate the business relationship.
If termination is not practical, the covered entity must report the situation to the HHS Office for Civil Rights.
HHS has published a Sample Business Associate Agreement on its webpage.
Penalties for Business Associate HIPAA violations
Under HIPAA, business associates, like their principal covered entities, are directly liable and can be penalized for:
Impermissible uses and disclosures of personal health information
Failure to inform the covered entity of unauthorized access to personal health information
Failure to grant access to electronic personal health information when an individual makes a proper request
Failure to disclose the information when lawfully required by HHS
Failure to execute a business associate agreement with their own subcontractors
Civil monetary penalties range from $100 to $50,000 per incident for inadvertent violations. If willful negligence is involved, the penalties range from $1,000 to $50,000 per incident. Penalties are capped at $1.5 million per year.
So, business associates, when it comes to handling electronic personal health information, carry much the same responsibilities as their client-covered entities.