Regulatory Challenges

Recent updates to HIPAA’s regulations could bring new compliance challenges to providers and business associates. Although a data breach may be directly attributed to a vendor, both covered entity and vendor are at risk for regulatory penalties and reputational damage.

While HITECH ascribed direct liability to business associates for violating certain privacy and security obligations under HIPAA, covered entities are not free of risk for their business associates’ acts. In fact, the Omnibus Rule expanded a covered entity’s liability for the acts or omissions of its business associates, to the extent that the vendor is acting as its agent.

What is required to comply with HIPAA?

As a covered entity and business associate, you are required to assess the risk to the confidentiality, integrity and availability of electronic protected health information (ePHI). This includes assessing the safeguards that your vendors have in place to protect ePHI that they store, access, transmit or process for you.

How best to assess the risk of your vendors' access to ePHI?

According to the National Institute of Standards and Technology (NIST), here are some best practices for assessing your vendors’ access to ePHI:

  • Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
    • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
    • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
    • What are the human, natural, and environmental threats to information systems that contain e-PHI?
  • Establish Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met
  • Conduct periodic security reviews

See NIST SP 800-66, Section 4, "Considerations When Applying the HIPAA Security Rule" (PDF), available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf

From http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

Regulatory Penalties

The HIPAA Omnibus Rule has several requirements and conditions for business associate agreements. Under HIPAA, a covered entity is liable for the acts or omissions of an agent, including a business associate, acting within the scope of such agency.

The following chart summarizes the tiered penalty structure:

| Conduct of covered entity or business associate | Penalty |
|---|---|
| Did not know and, by exercising reasonable diligence, would not have known of the violation | $100 to $50,000 per violation; up to $1,500,000 per identical violation per year |
| Violation due to reasonable cause and not willful neglect | $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year |
| Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew or should have known of the violation | Mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year |
| Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation | Mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year |

Here’s what lawyers say regarding requirements and penalties:

"Significantly, the Omnibus Rule removed an exception that sheltered a covered entity from direct liability for a vendor’s HIPAA violation if the parties had in place a compliant BAA and the covered entity had no knowledge of, and did not fail to act upon, the vendor’s breach of the BAA. In effect, when a provider delegates an obligation under HIPAA to a business associate, such provider may be held liable for the business associate’s failure to perform such obligation, regardless of whether the parties have a compliant BAA in place. Further, a provider’s lack of knowledge about a business associate’s HIPAA violations is no longer a partial defense to liability."

"In the event of a lapse or misstep by a vendor affecting the security of such PHI, the covered entity could be liable not only for the notification obligations triggered by a breach, but also for any penalty imposed by OCR for a violation caused by the vendor’s acts." Source: https://www.healthlawyers.org/Events/Programs/Materials/Documents/FC14/l_kelly.pdf

Given the increased penalties, lowered breach notification standards, and expanded enforcement, it is more important than ever for business associates to comply or, at the very least, document good faith efforts to comply, to avoid a charge of willful neglect, mandatory penalties, and civil lawsuits.