By Lynda M. Johnson, Timothy C. Ezell and Tonya S. Gierke
Published in Arkansas Medical News (July/August)
Ponemon Institute recently calculated the average cost of a healthcare data breach in 2017 to be $380 per record. In addition, the most recent enforcement data provided by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicates that the OCR has settled or imposed Civil Monetary Penalties of nearly $79 million since the enactment of HIPAA.
Not only does the OCR impose financial penalties, but depending on the circumstances, it may also impose corrective actions or corrective measures. Because the financial and reputational effects of a breach of any size, regardless of who is at fault, can be devastating, it is imperative to protect your patients’ health information, not only through your own policies and procedures, but also through your relationships with your business associates and the accompanying business associate agreements (BAA). This article discusses matters to consider before and during a relationship with a vendor who will be handling your patients’ protected health information (PHI) and thus become your business associate.
Know Your Vendor
Before you agree to do business with a particular vendor involving PHI, the following actions are advisable:
Ask the vendor about their privacy and security practices.
Request to see their policies.
Inquire about how they handle breaches and ask to speak to their privacy officer.
Responses to these questions and requests will give you feedback to help you determine the vendor’s commitment to HIPAA compliance.
Importance of Business Associate Agreement
If you have not already done so, engage counsel to help you prepare a reasonable and comprehensive form of BAA. Many times, vendors will agree to sign the provider’s form of BAA. If the vendor insists that your practice sign the vendor’s form of BAA, ask your counsel to review it. Regardless of whether you sign the vendor’s BAA or the vendor signs your BAA, know what it says. There are certain requirements, responsibilities and obligations that the BAA should address for both parties, particularly in the event of a breach.
Breach Determination
Not all incidents involving protected health information are breaches, and each incident must be investigated very carefully in order to make that determination. It is important to allow enough time for both parties to fully investigate all facts, determine if a breach occurred and have adequate time to notify affected individuals. Determining whether a particular incident is a “breach” under the HIPAA regulations is an analytical and sometimes tedious determination. Engage counsel to assist with these determinations.
Breach Reporting
The HIPAA regulations regarding breach reporting are very detailed, requiring legal determinations of whether a breach has occurred; notification processes to persons possibly impacted by the breach; and possible reporting to the Department of Health and Human Services (HHS). A provider or covered entity has the most direct relationship with the patient whose information is at issue. As a result, it should maintain control over the content, manner and timeliness of any required breach notifications, whether to patients or to HHS. Failure to comply with the breach notification requirements could result in the assessment of additional financial penalties.
With that in mind, if your vendor or business associate is at fault in causing the breach, even though the provider or covered entity should maintain control of reporting, it may very well be appropriate, and/or contractually required through the BAA, that the vendor or business associate bear some or all of the cost of reporting (and possibly of fines or penalties). This is where a well-drafted BAA can be very valuable to a provider practice.
While your vendor or business associate may cooperate with a provider in an effort to keep the provider’s business moving forward, the vendor or business associate may or may not be ready and willing to share in costs associated with a breach. It is important to involve counsel early in the process in the event of a possible breach. Counsel can assist you with determining whether a breach has even occurred and can also help the provider or covered entity navigate the contractual language of its BAA, particularly when the vendor or business associate may be at fault.
The information provided above is created by the attorneys in the Healthcare Practice Group at Friday, Eldredge & Clark, LLP. This is not a substitute for legal advice and should be considered for general guidance only. For more information or if you have further questions, please contact one of our Healthcare Attorneys.
Lynda M. Johnson has practiced in the health law area since 1986, representing a wide variety of healthcare providers including hospitals, physicians, physician groups, nursing homes, and home health agencies. Recently, her practice has focused on the representation of hospitals and physicians in HIPAA compliance efforts and other areas of regulatory compliance. Her practice also includes issues involving Stark I and II and Anti-Kickback compliance, Medicare/Medicaid reimbursement, corporate compliance issues, physician and hospital organization issues, managed care, healthcare and hospital law, long-term care and home health.
Timothy Ezell practices primarily in the area of healthcare law, representing hospitals, physician groups and other medical service providers in various corporate and compliance matters. His experience covers matters relating to HIPAA, Stark, fraud and abuse, anti-kickback, EMTALA, Medicare reimbursement, compliance, joint ventures, provider sales and acquisitions, medical staff bylaws and credentialing issues.
Tonya S. Gierke is a healthcare attorney who utilizes her background as a compliance officer and her experience in medical record review to assist clients through complex legal issues. She is a Certified Inpatient Coder (CIC), Certified in Healthcare Compliance (CHC) and Certified in Healthcare Privacy Compliance (CHPC). Her combination of legal and clinical experience, along with her compliance certifications, makes her a unique resource for hospitals and healthcare professionals.