Much of the commentary surrounding the two-week-old HIPAA omnibus rule has revolved around the impact it will have on healthcare providers with business associate agreements (BAAs) as well as the vendors that handle protected health information (PHI). But, digging deeper, what will it mean for BAAs already in place right now as well as quelling the number health data breaches? Potential liability concerns and fear of being held responsible for a subcontractor’s mistakes in a breach will be enough to change the BAA decision-making process for healthcare organizations, according to Dianne Bourque, partner at Mintz Levin and HIPAA expert.
As Dena Feldman of insiderprivacy.com notes, there is very specific language in the new HIPAA rule for BAs and subcontractors.
Under the final rule, a subcontractor is an entity that “creates, receives, maintains, or transmits” PHI on behalf of a business associate. HHS explained that downstream entities must be required to abide by the same requirements as business associates because, otherwise, business associates could avoid statutory liability. The final rule requires a business associate to obtain assurances from its subcontractors that they will appropriately safeguard PHI. This provision “mirrors” the one requiring covered entities to obtain similar assurances from business associates. Similarly, a business associate that is aware of noncompliance by its subcontractor must respond in the same manner as a covered entity that is aware of noncompliance by its business associate.
Bourque contends that the Office for Civil Rights (OCR) believes that a tremendous amount of the healthcare compliance and security breaches are a result of BA non-compliance. The HITECH Act did put more liability on BAs when it was enacted in 2009, but HIPAA didn’t hold BAs liable for data protection to the same degree in which they did covered entities (CEs). “What [OCR] made very clear in the final rule was emphasizing the importance of BA compliance by focusing on the penalties that apply to BAs the same way they apply to CEs,” Bourque said. “They view [BAs and CEs] the same way, no matter how far downstream the information is passed, the same obligations and liabilities apply.”
Moreover, OCR won’t be granting additional compliance time to any of these entities, which Bourque found to be curious for a few reasons. There are plenty of BAs that always deal with healthcare providers, so they should already have policies and procedures in place without issue. The same can’t be said, however, for subcontractors, especially those with multiple degrees of separation.
As you move further away downstream from BAs to subcontractors (i.e. the vendor who hires a vendor who hires a vendor), they may not work with healthcare providers and instead, for example, deal mainly with banks. Healthcare is a different bird and what I’m concerned about is these people way downstream have no idea what they’re signing up for. Or if they did already have a contract, OCR is allowing no extra time for compliance. I keep telling people that there’s no mercy for business associates or their subcontractors.
In turn, this may cause organizations to think twice about who they (or their BAs) hire as subcontractors. Bourque says they have to use a more discerning eye in these decisions because they’ll be out of compliance with the HIPAA rule in the instance they choose a vendor that hasn’t implemented reasonable safeguards. If that vendor would then turn over their PHI to an untrusted entity that’s unqualified to protect it, that would violate the rule.
I’m seeing a lot of healthcare providers, for example, asking to see policies and procedures before entering into an agreement. And we’re seeing them asking for the Right to Review books and records. And other things such as SAS No. 70 results to ensure they’re a trusted vendor. They have to do that because they’re on the hook if the BA drops the ball, even though the BA is directly liable.
Now that there’s direct wording that holds both BAs and subcontractors liable for breach notification, it will be interesting to see whether these regulations put a dent into the overall number of health data breaches. If not, one has to question whether the OCR went too far in both the timing and aggressiveness of the BA and subcontractor portion of the HIPAA omnibus rule.