10 times you could be held liable for a business associate’s HIPAA breach

Aug 05, 2019

Recent clarifications on HIPAA liability underscore the importance of maintaining protected health information and taking precautions when working with third parties.

At some point, all healthcare providers need to engage third parties to perform activities or functions on their behalf. In so doing, providers need to ensure those third parties maintain confidentiality of information learned in the course of their services. Providers must be even more vigilant when those third parties have access to certain patient information.

Providers who are considered covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are required to properly protect an individual’s health information in compliance with the requirements set forth in the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (the HIPAA Rules).

Specifically, the Privacy Rule allows such access to and disclosure of protected health information (PHI) by third parties, defined as business associates, only if the provider obtains satisfactory assurances in writing from the business associate that it will:

1. use the PHI only for the purpose for which it was engaged by the provider,

2. safeguard the information from misuse and

3. help the provider comply with some of its duties under the Privacy Rule.

The provider, and in certain situations its business associate, have direct liability under HIPAA, meaning that should either party breach certain aspects of the HIPAA Rules, the HHS Office for Civil Rights (OCR) may bring an enforcement action directly against that party. Recently, the OCR issued a fact sheet that specifically identifies the only situations where a business associate has direct liability under HIPAA. Those 10 situations are:

1. Failure to provide the secretary of HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the secretary to information, including PHI, pertinent to determining compliance.

2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

3. Failure to comply with the requirements of the Security Rule.

4. Failure to provide breach notification to a covered entity or another business associate.

5. Impermissible uses and disclosures of PHI.

6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual or the individual's designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.

7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

8. Failure, in certain circumstances, to provide an accounting of disclosures.

9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

10. Failure to take reasonable steps to address a material breach or violation of the subcontractor's business associate agreement.


The fact sheet is important because it reminds us there are situations in which a business associate could cause a breach of HIPAA but not be directly liable to OCR. In those situations, it is the provider who would likely be directly liable to OCR for the business associate’s actions.

As an example, the HIPAA Rules prohibit a provider from charging its patients fees in excess of a specified limit for copies of or access to their PHI. If the business associate agreement authorizes the business associate to fulfill an individual's request for access to his or her PHI, and the business associate charges a fee that exceeds the amount permitted under HIPAA, the provider (not the business associate) would be directly liable to OCR for those actions.

To address these situations, providers should incorporate language into the indemnification provision of their business associate agreements requiring the business associate indemnify the provider “for any actions or omissions of the business associate that cause the provider to fail to satisfy its obligations under the HIPAA Rules.” Additionally, to the extent a provider has insurance covering HIPAA-related liability, the provider should seek to ensure it includes liability caused by actions or omissions of its business associates.

Rose J. Willis, JD, is a Member at Dickinson Wright PLLC. She focuses her practice on healthcare regulatory, transactional and corporate law in her representation of healthcare providers and suppliers and other participants in the healthcare industry. Rose regularly counsels healthcare industry clients on matters involving mergers and acquisitions, software agreements, physician referral rules, certificates of need, privacy and security of health information, corporate documents and compliance program elements.
