By Adrienne Dresevic, Esq., Clinton R. Mikel, Esq., and Leslie A. Rojas, Esq., of The Health Law Partners, P.C.
A significant rise in fines for privacy breaches and security lapses under the Health Insurance Portability and Accountability Act (HIPAA) is expected in the next 12 months, according to Jerome B. Meites, civil rights counsel at the U.S. Department of Health and Human Services (HHS). Covered entities should prepare now to ensure that they are compliant with the new HIPAA omnibus rule, in particular.
Upcoming HIPAA Audits
At the American Bar Association’s Physicians Legal Issues Conference, held in Chicago in June, Meites advised attendees that the coming year is likely to involve high-impact cases intended to send a clear message to the industry that HHS demands HIPAA compliance from entities of all sizes. Since June 2013, nine entities paid a total of over $10.5 million to settle civil monetary penalty claims against them. Meites expects this number to rise exponentially in the coming year.
In fact, HHS’ Office for Civil Rights (OCR) has selected approximately 1,200 candidates for a new round of HIPAA audits set to begin this year and continue into 2015. Out of the 1,200 candidates, 800 are covered entities and 400 are business associates. The upcoming round of audits is expected to include new protocols brought about by the HIPAA omnibus rule, as well as an increased focus on an entity’s Security Rule Risk Analysis (potential risks and vulnerabilities involving Protected Health Information (PHI)).
How Can Covered Entities Prepare? Look to Business Associate Relationships
How can covered entities prepare for the next wave of audits? One step covered entities can take is to reconsider their relationships with business associates, old and new. Business associate relationships are critical to HIPAA compliance. Indeed, approximately 28-49% of HIPAA breaches involve business associates and how they use, disclose, and safeguard data.
The HIPAA omnibus rule broadened the definition of who is considered a business associate. Under the new rule, a business associate is not only a person or entity that creates, receives, or transmits PHI on behalf of a covered entity, but also a person or entity that maintains PHI on behalf of a covered entity. This means that business associates now include patient safety organizations, data transmission organizations, vendors of personal health records, data storage vendors, health information organizations, and e-prescribing gateways. A covered entity must understand who its business associates are, how it interacts with them, and what the business associates do with the covered entity’s data.
Although the HIPAA omnibus rule went into effect on September 23, 2013, some existing business associate agreements are considered “grandfathered in” until September 22, 2014, when covered entities must revise these grandfathered agreements to meet the requirements of the new rule. To meet these requirements, covered entities should update their business associate agreements to provide that the business associate must: (i) comply with the HIPAA Security Rule obligations for electronic PHI and report breaches of unsecured PHI; (ii) comply with the HIPAA Privacy Rule in carrying out any part of the covered entity’s obligation under the Privacy Rule; and (iii) enter into agreements with subcontractors that comply with the requirements for business associate agreements and restrict subcontractors from disclosing PHI in a manner that would not be permissible to the business associate. Note that there is no obligation for the covered entity to enter into a business associate agreement with the subcontractor.
Additionally, the new rule provides that a covered entity may be liable for its business associate’s acts or omissions if the business associate is an “agent” acting within the scope of the agency. In light of the new rule, covered entities should pay particular attention to their cloud-based vendors. Covered entities must know where and how their data is stored in the cloud, as well as who has access to their data and for what purposes.
Moreover, covered entities must ensure that their updated business associate agreements are distributed as soon as possible. But be aware that a new agreement brings with it new and more extensive negotiations with business associates.
HIPAA enforcement is relatively new and is increasingly draconian in its approach. This past year saw record fines under HIPAA, but the coming year may far exceed these numbers. The time is now for covered entities to ensure compliance with HIPAA, and their business associate relationships are a great place to start.
Adrienne Dresevic, Esq. graduated Magna Cum Laude from Wayne State University Law School. Practicing healthcare law, she concentrates in Stark and fraud/abuse, representing various diagnostic imaging providers, e.g., IDTFs, mobile leasing entities, and radiology and multi-specialty group practices.
Clinton Mikel, Esq. graduated from the University of Michigan Law School. Practicing healthcare law, he concentrates in Stark, fraud/abuse, telehealth/telemedicine, compliance, and the corporate and financial aspects of healthcare practice.
Leslie Rojas, Esq. graduated from Wayne State University Law School and is licensed to practice law in Michigan and Illinois. Practicing healthcare law, she concentrates on fraud/abuse issues, compliance with federal and state healthcare regulations, health information privacy and technology issues, and transactional and corporate aspects of healthcare.
The authors are members of The Health Law Partners, P.C. and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.
For more regulatory news, visit www.ahraonline.org/news.