Compliance accountability chains put you at risk and can complicate contract negotiations
Risk managers are doing the right thing when they try to include Health Insurance Portability and Accountability Act (HIPAA) compliance in vendor contracts, but they might meet resistance if the requirements are too onerous. The key will be finding the sweet spot where you have protected your interests as much as possible without making the contract untenable to business associates, experts say.
Resistance most likely will come from smaller companies, says C. Jason Wang, MD, PhD, associate professor of pediatrics at Stanford University in California. Wang recently wrote in the Journal of the American Medical Association (JAMA) that the 2013 HIPAA omnibus final rule creates an "unfunded mandate" on startup companies that might not have the wherewithal to negotiate business associate agreements.1
In the JAMA paper, Wang and his co-author call for additional guidance from the Department of Health and Human Services (HHS) on how contracts between healthcare entities and their business associates should be construed. The final rule creates an accountability chain that includes business associates and their downstream subcontractors, Wang writes, but it does not account for what he says could be strong resistance from business associates.
Wang tells HIPAA Regulatory Alert that providers' worries about accountability could have the unintended consequence of limiting innovation and narrowing the field of companies with which a hospital is willing to work. If the hospital insists on strict compliance with HIPAA, evidence that the requirements have been passed down the line to subcontractors, and indemnity for violations, inevitably some companies will balk and say they cannot take on that responsibility, he explains. (See the story below for suggested contract clauses.)
"I really worry that if this HIPAA regulation is interpreted too far, it's going to impede innovation and get in the way of providers working with outside companies," Wang says. "That will be terrible for healthcare."
Conflicts might be inevitable, but the provider still must follow the law and include contract clauses to protect itself from liability, explains Stephen Wu, JD, a partner with the law firm of Cooke Kobrick & Wu in Los Altos, CA. The HIPAA rule explains most of what should be required of business associates, but Wu advises risk managers to take a stricter approach in some areas. The rule requires that business associates notify the provider of a breach within 60 days, for example, but he advises hospitals to require much quicker notification. He has worked with one hospital that successfully negotiated a two-day notification from a data management company.
"You're probably going to get something more than two days, but it should be way south of 60," Wu says.
The flow-down requirement for subcontractors can be the stickiest negotiating point, Wu says. Flow-down means that once you contract with a business associate, your requirements for HIPAA compliance must be included in the contracts with any subcontractors and their subcontractors.
Including flow-down is not optional, Wu says, but you have some discretion in what you flow down. You must consider your contract requirements not only in terms of whether the business associate is able to comply but also whether its subcontractors can. "There are provisions that, in theory, should be flowed down to the business associates but which really aren't necessary when you consider the nature of the work. If the associate is handling patient data in a way that never involves them getting direct queries from patients, you could skip the provision about the associate being required to respond to requests by a certain time," he says. "You could take that off the table so they don't resist having to promise compliance on something they never do. But you could replace it with a clause saying they will cooperate fully if the patient makes a request to you and you need that information from them."
Money is always a sensitive topic, so indemnification and who pays for a breach of protected health information can be difficult during negotiation, Wu says.
In Wu's experience, the biggest controversy in these contract negotiations is the vendors claiming that they are not business associates at all. Contractors will argue that, for example, they merely maintain access to digital information for the provider but never open the files or have any knowledge of their contents. They will say that for that reason, they should not be considered business associates.
"You have to push back and tell them that because they are maintaining protected health information over time," Wu says. "That is the HHS decision, and they can't argue that point."
Wu advises risk managers to include a clause in the contract in which the vendor acknowledges being a business associate, along with a separate agreement to follow the compliance guidelines provided by the hospital.
One attorney urges risk managers not to go overboard with HIPAA compliance in contract negotiations. The legal risk to hospitals from missteps by business associates often is overstated, says Brad Rostolsky, JD, an associate with the law firm of Reed Smith in Philadelphia who has worked with healthcare providers to ensure data security. There is a risk of flow-down exposure, but that risk is significant only when the contractor is acting as an agent of the hospital, Rostolsky says.
"It is not true that contractors are generally on the hook for the actions of their business associates," he says. "We don't always have to negotiate as if something terrible is going to happen somewhere down the line and we're going to be liable to a great extent if we don't have a clause saying otherwise."
If a business associate is an agent under the federal common law of agency, then the covered entity is on the hook for the missteps of the business associate with regard to actions performed as an agent, Rostolsky says.
"When people try to implement more onerous language regarding indemnification and liability with business associates, I'd say that concern is valid up to a point, but may be a little misplaced," he says. "Don't be surprised when some of your associates come back to you and say that because of the cost of compliance they're going to have to raise their prices, or they're not going to be able to give you the indemnification you prefer."
Rostolsky advises structuring the contract up front so that, to the extent possible, the business associate is not an agent. To do so, the business associate must not be subject to direction by the covered entity on an ongoing basis. He cautions, however, that a single-minded focus on obtaining indemnification or other HIPAA concessions can backfire. "I've told people on both sides of this issue that if you push too hard, you can negotiate yourself out of business," he says. "Both parties in this negotiation have valid concerns and parameters for what makes good business sense, and you have to find somewhere to meet in the middle."
Covered entities also should be comforted by the fact that the government is going after business associates directly for HIPAA violations, Rostolsky says. That action doesn't mean they can't drag the covered entity into the fray as well, but Rostolsky says that will not be automatic if regulators can see that the associate was the responsible party and the covered entity acted properly in trying to ensure that the associate was in compliance.
As the Office for Civil Rights (OCR) continues enforcement activities against business associates, Rostolsky expects that "it will become implicitly clear that when a business does something improper, OCR will not hammer the covered entity for that unless there is an agent relationship."
Prepare now for coming HIPAA security audits
It won't be long before someone knocks on your door and says it is time for a Health Insurance Portability and Accountability Act (HIPAA) security rule audit. What you do between now and then can determine how well that visit turns out for you.
The government is refining its audit protocol after testing it at 115 facilities, notes Bruce D. Lamb, JD, a shareholder with the Gunster law firm in Tampa Bay, FL. The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has stated that a permanent security audit program will begin Oct. 1, 2014. Some audits will be performed earlier than that as the OCR fine-tunes its procedures.
"I expect some audits will be performed this year, with probably a pretty aggressive approach," he says.
The entities that are currently subject to audits are those that have certified compliance with the meaningful use criteria for electronic health records and received government funds for meeting that benchmark. During the testing, the procedure involved notifying the covered entity of an audit date, followed by an on-site inspection. There is no set time period for the length of the audit, but in the test audits so far, auditors were on-site for as long as five days.
The audit will begin with an interview of the privacy officer, and then the auditors will want to look at sample documentation. "They're not going to look just at rules and policies. They may ask for instances in which you released records to someone other than a patient," Lamb says. "Then they will check the adequacy of the documentation, whether you followed all the requirements to the letter."
Risk managers can use that same process in a mock audit to check their HIPAA compliance, Lamb suggests. A mock audit should include questioning hospital employees about policies and procedures for HIPAA compliance, because the real auditors certainly will. "They're not going to just look at your paperwork and talk to the compliance officer, the most knowledgeable person in the place about HIPAA," Lamb says. "They're going to walk up to a medical records clerk and ask how certain tasks should be handled, and that person needs to be comfortable answering correctly. Most people need to be trained for that, or they'll trip up."
Lamb expects the HIPAA auditors to begin with the largest covered entities, hospitals, rather than smaller providers such as physician groups. To prepare for audits, the first obvious concern is having your organization in compliance with HIPAA. That compliance includes having a HIPAA privacy officer.
Covered entities should review each of the obligations in the test auditing process, Lamb advises. The protocol is available online at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol. Conduct a self-assessment for compliance and correct any deficiencies, and create a specific plan of correction for anything that cannot be resolved immediately.
"Business associate agreements will be a target in these audits. You're going to need to provide them a list of your agreements, and I think some hospitals are going to be lagging in this area and not able to hand those over in the correct form," Lamb says. "HITECH [the Health Information Technology for Economic and Clinical Health Act] required a lot of changes in your business associate agreements, and I'm not sure everyone went back and revised those. There will be a focus on anything that has changed recently, and the biggest thing there is HITECH."
1. Wang CJ, Huang D. The HIPAA conundrum in the era of mobile health and communications. JAMA 2013; online Aug. 26.
• Brad Rostolsky, JD, Associate, Reed Smith, Philadelphia. Telephone: (215) 851-8195.
• C. Jason Wang, MD, PhD, Associate Professor, Stanford University, Stanford, CA. Telephone: (650) 736-0403.
• Stephen Wu, JD, Partner, Cooke Kobrick & Wu, Los Altos, CA. Telephone: (650) 618-1454. Email: swu@ckwlaw.
Advocate sued over large data breach
Advocate Health Care in Downers Grove, IL, and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and four million people whose protected health information (PHI) was taken along with four desktop computers in a burglary in July.
Advocate reports that the computers were password-protected but not encrypted. In a statement released after the breach was made public, an Advocate spokeswoman said Advocate had been working to encrypt its PHI since 2009.
A 12-page complaint in Cook County Circuit Court in Chicago alleges negligence, deceptive business practices, invasion of privacy, intentional infliction of emotional distress, and consumer fraud, all violations of Illinois law. Advocate's errors included "its use of nonsecure, unencrypted computers and software to maintain the private and confidential patient data," the complaint alleges.
The lawsuit requests a jury trial and judgment of an unspecified dollar amount for actual damages, costs, and other relief the court deems appropriate. According to the complaint, the plaintiffs' records were part of the July 15, 2013, data breach at an administrative office of the 1,100-plus physician Advocate Medical Group in Park Ridge, IL.
Advocate reports that the breach included more than four million records, making it one of the largest breaches by a healthcare provider since the federal government began requiring public reporting of larger healthcare records breaches in 2009. The breach is being investigated by the Office of Civil Rights of the Illinois Attorney General's office.
Agencies release model notices of privacy practices
Covered entities can now choose from three new model Notice of Privacy Practices documents to maintain Health Insurance Portability and Accountability Act (HIPAA) compliance.
The Department of Health and Human Services Office for Civil Rights (HHS OCR) and the National Coordinator for Health Information Technology released the model notices recently. Those agencies noted that they were created based on input from consumers and key stakeholders, and they reflect recent regulatory changes in the HIPAA Omnibus Rule. The notices come in three styles and are customizable, allowing providers to enter their own information prior to distributing and posting to the web.
The agencies said many entities have asked for additional guidance on how to create a clear, accessible notice that their patients or plan members can understand. In response, the agencies have provided separate models for health plans and healthcare providers. The three options are:
• A notice in the form of a booklet, or a notice with the design elements found in the booklet but formatted for full-page presentation.
• A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages.
• A text-only version of the notice.
The models reflect the regulatory changes of the Omnibus Rule and can serve as the baseline for covered entities working to come into compliance with the new requirements. In particular, the models highlight the new patient right to access their electronic information held in an electronic health record (EHR), if the provider has an EHR in their practice. Covered entities may use these models by entering their specific information into the model and then printing for distribution and posting on their websites.
More information on the privacy notice models, including templates to use in creating your own, is available at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.