Since its inception, the Health Insurance Portability and Accountability Act of 1996, et seq. (HIPAA) has required that patient health information (PHI) be kept confidential. HIPAA meets this goal primarily through its Privacy Rule, Security Rule and Breach Notification Rule. “Covered Entities” such as physicians, hospitals and insurers were initially the only entities required to comply with these Rules. The increased use of digital media for storage and transmission of PHI led to the passage of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) in 2009. One effect of HITECH, fully implemented by 2013, was the requirement that Business Associates of Covered Entities comply with many of the regulatory requirements that had generally applied only to Covered Entities.
A Business Associate is defined by the U.S. Department of Health and Human Services as “a person or organization that conducts business with [a] covered entity that involves the use or disclosure of individually identifiable health information.” This is a very broad definition. Prior to HITECH, all a Business Associate needed to do to comply with HIPAA was to have a Business Associate Agreement (BAA) in place with the Covered Entity that it served, promising to protect PHI. Only the Covered Entity had to fully comply with HIPAA; however, since the omnibus regulations passed after HITECH became effective in 2013, Business Associates, including some biotech and life sciences entities, accountants, attorneys, IT professionals, billing companies, management companies, document management services, etc., have all become responsible for meeting a significant compliance burden under HIPAA, almost as if they were Covered Entities themselves.
This change was seismic in its reach. Bloomberg has predicted that health care will comprise 20% of the economy in America by 2021. (Health-Care Spending to Reach 20% of U.S. Economy by 2021, Bloomberg, June 13, 2012). This prediction appears to be on track. Adding Business Associates to the mix, ranging from biotech and life sciences companies to attorneys, accountants, IT providers, etc., expands the potential effect of HIPAA compliance to an enormous percentage of the US economy.
The breadth of the new Business Associate requirements has had a significant impact on biotech and life sciences companies, leading to three HIPAA risk profiles. First, these companies frequently provide direct care to patients (including instruction and support for their products) or assist Covered Entities in doing so as Business Associates. The risks here are clear – whether as Covered Entities or as Business Associates, these companies must comply with HIPAA. The primary risk (beyond failure to comply at all) is failure to maintain compliance (conducting annual risk assessments, training employees, etc.) and failure to compile documentation of compliance for timely production when the government conducts an audit or investigation.
The second risk profile arises when biotech or life sciences companies act as Business Associates to Covered Entities or to other Business Associates in their operations or administration, gaining access to PHI. This risk profile is similar to the first, with the addition of being a ‘downstream Business Associate’ – that is, assisting other Business Associates and having access to PHI. The farther a company is removed from the patient, the easier it is to overlook its obligations as a Business Associate. It is not uncommon to be downstream by three or more entities; this removal from the patient does nothing to ameliorate HIPAA obligations if there is a clear chain of Business Associates and access to PHI.
Third, and most dangerously, even when they do not interact with PHI, biotech and life sciences companies are faced with clients demanding they sign a BAA regardless, or clients who accidentally reveal PHI to them when no BAA or HIPAA compliance has been undertaken. Business Associate Agreements that are compliant with HIPAA’s requirements impose significant and expensive compliance obligations on an entity – they should only be signed when the entity is a Business Associate or has a significant risk of unintentionally becoming a Business Associate. Taking on these obligations when they are not required imposes an enormous administrative and financial obligation on an entity. Potentially more damaging is the fact that signing a BAA can act as presumptive evidence that the entity is a Business Associate, exposing it to liability in a breach investigation that it otherwise would not have.
Many biotech and life sciences entities do not intend to become Business Associates, but due to a misunderstanding of HIPAA regulations or client error, these companies can suffer the phenomenon called the ‘accidental business associate.’ This phenomenon is more likely when the company generally does not envision that it will access PHI. The problem is that even if PHI is accessed accidentally, whether it is the company’s fault or its client’s fault, HIPAA’s Business Associate requirements kick in. The trap has been sprung and generally cannot be cured after the fact. As it has not planned on being a Business Associate, the company generally hasn’t complied with HIPAA, and if an audit or investigation occurs, the company is exposed to significant potential penalties.
The penalties for a Business Associate’s failure to comply with HIPAA are severe – easily reaching hundreds of thousands of dollars for small firms – and the public is increasingly aware of its HIPAA rights and the potential for compensation due to a breach. Complaining of a breach is easy: it requires only a simple form filled out on the website of the Office for Civil Rights (“OCR”) within the Department of Health and Human Services.
The true risk is not the consequences for the breach itself; the risk is the consequence of a failure to have complied with the panoply of regulatory requirements under HIPAA. When OCR initiates an investigation, it will not simply look at how the breach occurred, but at whether the company has complied with its obligations under HIPAA. This can occur even if the breach being investigated occurred at a Business Associate of the company. OCR’s notification letter that initiates the investigation will generally request not only information on the breach, but also the company’s Business Associate Agreements, its HIPAA policies and procedures and evidence of compliance with those procedures (e.g., whether an employee at fault in a breach was disciplined in accordance with the policies), documents showing HIPAA training of the company’s employees, the company’s annual risk assessment (a review of where electronic PHI is kept and how it is transmitted and secured), the company’s plan of correction for issues found by the risk assessment and evidence of carrying out such corrections. Failure to produce the requested materials in a timely manner can lead to significant consequences for noncompliance with HIPAA, even if the discovered failure has nothing to do with the breach being investigated.
Putting a compliance package together, doing the necessary training and protecting the company’s data through encryption (for data both at rest and in transit) go a very long way toward satisfying OCR. The lesson for biotech and life sciences companies is that an ounce of prevention is worth a hundred pounds of HIPAA noncompliance cure.
Reprinted with permission from the 6/5/2019 issue of The Legal Intelligencer. © 2019 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.