Proposed HITECH Regulations: Will Subcontractors of Business Associates Be Subject to the HIPAA Privacy and Security Rule?

Posted on July 13, 2010 by Joseph Lazzarotti

Further to our discussions of the proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), we summarize here a proposed changed to the definition of “business associate.” A significant part of the “HIPAA community” (covered entities, business associates and their agents and subcontractors) already is aware of the expanded application of HIPAA to business associates under HITECH. This expansion went into effect February 18, 2010, and, in fact, many business associate agreements currently are being modified in an attempt to reflect the statutory provisions. The HIPAA community, however, may not yet be aware of the proposal to further expand the direct application of the privacy and security rules under HIPAA to subcontractors performing functions for business associates.

A New Class of Business Associate

Prior to the HITECH Act changes, business associates and their agents and subcontractors were not directly subject to HIPAA. Instead, HIPAA required covered entities to obtain certain written assurances from their business associates. One of those written assurances was that business associates would ensure that their agents and subcontractors would agree to be subject to the same conditions and restrictions contained in the business associate agreement entered into with the covered entity.

The proposed regulations would include subcontractors in the group of “business associates” to the extent that they require access to protected health information. Such subcontractors are those persons who are not members of the business associate’s workforce, but perform functions for or provide services to a business associate. This would be the case even if the business associate has failed to enter into a business associate contract with the subcontractor. The regulator’s goal is to ensure the privacy and security protections will not lapse merely because a function is performed by an entity with no direct relationship with a covered entity, although the regulations seek public comments on the definition of subcontractor.

The proposed regulations state (emphasis added):

[W]e propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. We note, and further explain below, that this proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to
securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

As the example above shows, if made final, the proposed regulation would further HIPAA’s reach and affect many businesses that may not currently view themselves as directly subject to the requirements or penalties under HIPAA. Many companies, including those that service the healthcare industry, such as health plans, likely will need to revisit their HIPAA-compliance measures.

Tags: , , , ,

Shredding and Data Destruction Companies - A HIPAA-Covered Entity's Best Friend

Posted on July 12, 2010 by Joseph Lazzarotti

We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). These proposed regulations contain a number of important points to think about for HIPAA covered entities (and business associates), even though these rules are in proposed form. One is avoiding HIPAA violations involving “willful neglect," which under the HITECH Act will require a formal investigation and civil penalties.

To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.

What is “willful neglect”?

Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.

So what does that mean, what are some examples? The proposed regulations provide the following examples:

  1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
  2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
  3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.

Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedure and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.

Covered entities like the one in example 1 above might want to consider certain precautions, including:

• maintaining a record retention policy,
• maintaining media re-use policy,
• maintaining a data destruction policy,
• maintaining an e-discovery policy, and
• and engaging a good data destruction/shredding company.
 

Tags: , , , ,

Dealing with Data Breaches: Health Net Suit Highlights Need for Effective Security Incident Procedures and Training

Posted on February 2, 2010 by Jason C. Gavejian

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training). 

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information. 

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach: 

  • How did the breach occur?
  • Are measures in place to contain the breach?
  • What information was compromised? 
  • Whose information was compromised?
  • Will the local authorities be alerted?
  • What potential breach notice laws are implicated?
  • Does notice of the breach have to be provided?
  • If so, to whom and how will notice be provided?
  • Does the company have applicable insurance to cover the notification process?
  • Will any monitoring service be provided for affected individuals?
  • Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.   

Tags: , , , , , , , , ,

New Hampshire Enacts Strict Data Breach Notification Law Affecting Health Care Providers and Business Associates

Posted on December 29, 2009 by Joseph Lazzarotti

New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.

H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.

Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.
 

Unlike New Hampshire’s general data breach notification statute, this law applies only to health care providers and business associates. H.B. 619 incorporates the definitions of “business associate” and “protected health information” under the HIPAA privacy regulations, but the term “health care provider” includes:

any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, hospital, office, clinic, health center or other health care facility, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, or mental health professional, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services.

Of course, health care providers and business associates remain subject to the state’s general breach notification law. That law requires all businesses to notify state residents of an unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by the business. The general notification law contains a “risk of harm” trigger – that is, no notice is required by covered entities that have determined misuse of the information has not occurred or is not reasonably likely to occur. H.B. 619 contains no such “risk of harm” trigger.

 
Tags: , , , ,

Cloud Computing - Did the City of Los Angeles Make the Right Move?

Posted on November 17, 2009 by Joseph Lazzarotti

“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today.  This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

  • What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
  • Which company owns the data placed in the cloud?
  • If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
  • Will company proprietary information be safe?
  • Who has access to the data? Who should have access?
  • Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
  • Do we still need to maintain a back-up of data in the cloud?
  • Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
  • How big is the cloud? How much can we store?
  • What if the cloud goes down? How do we get our data and access the applications needed to run our business?
  • How do we move between clouds? Can our data be held captive when contract negotiations fall through?
  • Can we put our clients’ data in the cloud? Do we have to tell them where it is?
  • What happens to the data if the cloud service provider or the cloud customer goes out of business?
  • Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

Tags: , , , , , ,

HIPAA Enforcement Regulations Updated for Penalty Increases and Enhancements under the HITECH Act

Posted on November 2, 2009 by Joseph Lazzarotti

The Department of Health and Human Services (HHS) published interim final regulations on October 30, 2009, to update existing enforcement regulations under HIPAA for statutory revisions made by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations become effective November 30, 2009, and only address the provisions of the HITECH Act already in effect.

The interim final regulations, among other things, implement the increases in civil penalties and the four categories of violations and corresponding penalties established by the HITECH Act. Also, under the Act and the regulations, penalties will apply even where the covered entity did not know (and with the exercise of reasonable diligence would not have known) of the violation. However, HHS has the authority to reduce penalties in certain circumstances.

There have been a number of recent changes that enhance and strengthen HIPAA's enforcement provisions - the HITECH Act, the interim final regulations discussed above and agency reorganization. These measures suggest an increasing likelihood of enforcement concerning the HIPAA privacy and security regulations.  As a result, health care providers and health plans should be reviewing their compliance with HIPAA and preparing for additional guidance expected to be issued shortly.

Tags: , , , ,