Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
It's better to learn from others' mistakes. A recent HIPAA fine underscores the importance of timely and accurate BAAs.
Late in September, the U.S. Department of Health and Human Services (HHS) announced that Care New England ("CNE") agreed to pay a $400,000 fine and implement a corrective action plan in order to settle HIPAA violations. The investigation by HHS's Office for Civil Rights (OCR) dates back to Nov. 5, 2012.
In addition to the notification from Woman & Infants Hospital of Rhode Island ("WIH") concerning unencrypted back-up tapes containing nearly 14,000 patients' protected health information (PHI), subsequent violations were discovered. As OCR Director Jocelyn Samuels indicated, "[t]his case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule." Despite CNE and Woman & Infants Hospital of Rhode Island having a Business Associate Agreement (BAA) in place in March 2005, it was not updated until Aug. 28, 2015 - nearly two-and-a-half years after the Omnibus Rule was published in the Federal Register.
Here are some of the key violation areas identified by HHS:
• WIH disclosed PHI and allowed CNE, its business associate, to "create, receive, maintain or transmit PHI, on its behalf, without obtaining satisfactory assurances as required under HIPAA;"
• An updated BAA that meets the requisite implementation specifications under the Privacy and Security Rules was not executed;
• A valid BAA had not been contemplated by the two entities in over a decade.
By now, anyone engaged in the creation, receipt, transmission or maintenance of PHI should know that an annual risk assessment and gap analysis are required. This assessment should give an entity a "punch list" of items that need to be updated. Similarly, a good way to do due diligence on a potential business associate or subcontractor is to ask them the following five questions: (1) Are employees trained annually? (2) Is there a requisite BAA or similar agreement in place? (3) Is an annual risk assessment conducted? (4) Is data encrypted at rest and in transit? (5) Are there relevant policies and procedures in place?
These questions should provide both physicians and business associates with a starting point for obtaining reasonable assurances of HIPAA compliance. As fines are becoming more expensive and more prevalent, the old adage, "an ounce of prevention is worth a pound of cure" is seemingly more apropos.