HIPAA Breaches Affect All Involved Parties

*In light of escalating security breaches like the latest data breach at Nashville-based Community Health Systems, we are interested in finding out how practices are securing their patient data. Click this link to take a brief survey on medical practice cyber-security measures.

Recently, a question came to my attention regarding how a covered entity (e.g. physician or medical practice) may be liable if a HIPAA breach occurs due to a mistake made by a business associate (e.g. vendor or ancillary service provider). The answer stems back to the regulations related to the Privacy Rule, where the "chain of trust" was articulated. The basic premise behind the concept is that the confidentiality, integrity, and availability of the protected health information (PHI) should be consistent along the chain of those that handle it. Hence, a business associate and a subcontractor should be held to the same standards as a covered entity. This notion was expressly reiterated in a different manner in the Omnibus Rule.

As expressed in the HITECH Act 13404(b), which cited the HIPAA "Privacy Rule" provision 164.504(e)(1)(ii), "[u]nder the HITECH Act, the "snitch provision" of the HIPAA Privacy Rule applies equally to a business associate as it does to a covered entity. Consequently, both the covered entity and the business associate have an affirmative duty to take reasonable steps to cure a breach or other violation. Notably, the actions or inactions of one group, including subcontractors, may adversely affect another group." Some common areas where liability arises for all involved are: business associate agreements, required due diligence in a risk analysis, and cybersecurity.

In a business associate agreement (BAA), both entities are attesting that they are HIPAA/HITECH Act compliant. This means that all of the requisite items under the regulations have been assessed and implemented. Often, some entities try to "sneak in" language that enables them to cancel the primary agreement if the BAA is not complied with. Hence, this is an area of liability for both parties.

Another area is adequate due diligence. Cyber security experts constantly advise entities to know who is handling the PHI - both internally and externally. Moreover, due diligence is required under the risk assessment component of the HIPAA Regulations. Presently, many companies are issuing request for proposals (RFPs) for other organizations to fill out as part of their due diligence. If the company answering the questions lies about the types of security, administrative procedures and policies, and physical security, as well as who handles the data and where it is transmitted, all entities may be liable. Again, some of these items and liability can be addressed in a BAA.

In sum, because both a legal duty is imparted by the regulations and a contractual duty is mandated by a BAA, which is not an optional contract to sign, all entities in the "chain of trust" have liability. The best way to avoid liability is know who your partners are both inside and outside your organization.