
HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Aug 07, 2015

Page 1: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

www.shipmangoodwin.com

HARTFORD | STAMFORD | GREENWICH | WASHINGTON, DC

@SGHealthLaw

Negotiating Business Associate Agreements

February 19, 2015 William J. Roberts, Esq.

© Shipman & Goodwin LLP 2015. All rights reserved.

Copyright 2015

Page 2: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

About HIPAA

• HIPAA is a federal law that governs the use, disclosure and safeguarding of individually identifiable health information.
• One of many state and federal laws that govern information held by health care providers and health plans. Others include:
  - Substance abuse confidentiality regulations; and
  - State personal information laws.

Page 3: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

When Does HIPAA Apply?

• HIPAA applies to most health care providers and health plans (“covered entities”) and certain third parties who use PHI to provide services for or on behalf of the covered entity (“business associates”).
  - Business associates often include attorneys, consultants, IT firms, shredding companies and other vendors.
• Exceptions may include:
  - health care services provided by schools or colleges/universities; or
  - certain health care providers that are cash-only.

Page 4: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

What Information Does HIPAA Protect?

• HIPAA applies to and protects “protected health information”, usually referred to as “PHI.”
• PHI is health information about a patient created or received by health care providers and health plans. PHI includes information:
  - Sent or stored in any form (written, verbal or electronic);
  - That identifies the patient or can be used to identify the patient; and
  - That generally is about a patient’s past, present and/or future treatment, health status or payment of services.
• In other words: PHI is any health information that can lead to the identity of the individual, or whose contents can be used to make a reasonable assumption as to the individual’s identity.

Page 5: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices


What Information Does HIPAA Protect?


Page 6: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Identifying Business Associates

• Any individual or organization that either:
  - Creates, receives, maintains, or transmits PHI on behalf of a covered entity for a function or activity regulated under HIPAA, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing; or
  - Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.
• Those who store or otherwise maintain PHI.
• Certain data transmission services.
• Certain personal health record vendors.
• Subcontractors.

Page 7: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Identifying Business Associates

• Who is not a business associate?
  - Workforce members.
  - Parties receiving PHI through litigation proceedings.
  - Recipients of PHI disclosed when required or permitted by law, such as disclosures to law enforcement or state agencies.
  - Typically, cleaning/food services.
• Managing Business Associates
  - Keep a file of all business associate agreements – make sure they are executed and kept current.
  - Periodically review vendors to see if any business associate agreements are missing.

Page 8: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Data Transmission Services

• Data Transmission Services
  - Business associates include health information organizations and e-prescribing gateways.
  - To qualify as a business associate, the data transmission service must have “routine” access to the PHI it is transmitting.
  - The “conduit exception” – if an entity is simply acting as a pass-through with no routine access, it is not a business associate.
    ► Examples include telephone companies, UPS and courier services.

Page 9: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Personal Health Record Vendors

• Personal Health Record vendors may be business associates.
  - Not all vendors of personal health records will be your business associate.
  - Fact-specific determination.
  - Key: If you are hiring a vendor to provide a personal health record service for your patients, the vendor is likely a business associate.

Page 10: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Entities that “Maintain” PHI

• The definition of business associate includes entities which “maintain” PHI on behalf of a covered entity, even if the entity does not access or view the PHI.
  - Includes paper record and cloud storage firms.
  - Whether the vendor accesses your PHI is irrelevant.
• Entities that “temporarily” maintain or store PHI.
  - If the conduit exception applies, there is no business associate relationship (e.g. UPS or an internet service provider temporarily storing PHI while transmitting it, while not routinely accessing it).
  - Otherwise, temporary storage would create a business associate relationship (e.g. a shredding company which temporarily maintains PHI prior to shredding it).

Page 11: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Subcontractors

• The definition of “business associate” includes subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate.
  - Excludes workforce members.
  - Examples:
    ► Hospital engages a consulting firm to advise the hospital on quality and patient safety issues, and provides PHI to the consulting firm as part of the engagement.
    ► Consulting firm in turn provides the PHI to a third party copy center, off-site shredding firm and cloud storage email platform.
• HIPAA applies to all downstream subcontractors in the same manner as it applies to the business associates that directly contract with covered entities.

Page 12: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Vicarious Liability

• A covered entity may be liable for the acts or omissions of its business associates, and a business associate may be liable for the acts or omissions of its subcontractors.
• When are you liable?
  - You may be liable if the business associate/subcontractor is your “agent”.
  - No bright line rules for when a business associate/subcontractor is an agent – facts and circumstances approach.
  - Key factor: If you can control the business associate’s or subcontractor’s conduct, the business associate or subcontractor is likely your agent.

Page 13: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Vicarious Liability

• Reducing Your Exposure:
  - Attempt to structure vendor relationships to avoid vicarious liability.
  - Consider how much ability to control a business associate’s or subcontractor’s acts you need (if any).
  - Agreements should be narrowly tailored to specific tasks and obligations.
  - Language saying “not an agent” is insufficient.
  - Do you really need to disclose PHI?

Page 14: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices


Polling Question #1


Page 15: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Vicarious Liability

• Reducing Your Exposure (cont.)
  - Consider conducting due diligence prior to contracting with business associates.
  - Don’t assume the business associate complies with HIPAA.
  - Consider requesting to see copies of HIPAA policies and procedures.
  - Consider security review and audits.
• Note: Do you have the time, money and resources to take the above actions? If not, consider a more modest approach, such as a vendor questionnaire.

Page 16: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Business Associate Agreements

• The business associate agreement or “BAA” is the agreement entered into between the covered entity and the business associate to govern the business associate’s creation, use, maintenance and disclosure of PHI.
• Typically a separate agreement that applies to one or more underlying agreements, such as service contracts.
  - May also be an addendum or embedded in the body of the service agreement.
  - Generally, a best practice is to have only one business associate agreement between one covered entity and one business associate to govern all agreements and relationships between the parties.

Page 17: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Business Associate Agreements

• HIPAA requires business associate agreements to address:
  - Compliance with the Security Rule;
  - Compliance with the Privacy Rule (as applicable);
  - Reporting breaches of unsecured PHI;
  - Business associate’s subcontractors must agree to the same restrictions and conditions that apply to the business associate;
  - Impermissible uses and disclosures;
  - Access to electronic PHI;
  - Required disclosures to the U.S. Department of Health and Human Services for the purpose of determining business associate’s compliance with HIPAA; and
  - Limiting disclosures to the minimum necessary.

Page 18: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Subcontractor Agreements

• Business associates must enter into agreements with each of their subcontractors that receive or have access to PHI.
  - May be called business associate agreements or HIPAA subcontractor agreements.
• Negotiation Points:
  - Ensure that the subcontractor agreement allows the business associate to comply with the obligations it owes to the covered entity.
  - Business associate should retain the right to amend the subcontractor agreement in the event its business associate agreement with the covered entity changes.
  - Clarify who is responsible for a breach or HIPAA violation by the subcontractor.

Page 19: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Key Terms and Provisions

• When drafting, reviewing and negotiating business associate agreements, one should be focused on certain key terms. While all parts of the agreement are important, these are the terms that are most likely to affect the parties’ liability and obligations:
  - Breach notification and mitigation
  - Cooperation
  - Indemnification
  - Insurance
  - De-Identification
  - Security Safeguards
  - Change of Law

Page 20: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

General Considerations

• Develop your own form business associate agreement.
  - Worth the exercise to determine what you want in the agreement and what your risk profile is.
  - Try to start with your own form and negotiate from there.
• When negotiating a business associate agreement, your goal should be to protect your organization – not to argue/win on every point.
  - In other words, stay focused and don’t over-lawyer.
  - Recognize your bargaining power and market position and be realistic in what you can achieve.

Page 21: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices


Polling Question #2


Page 22: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Breach Notification

• HIPAA requires covered entities to notify affected individuals of a breach of their unsecured (i.e. unencrypted) PHI.
  - Notifications may also be necessary to the media or government regulators.
  - States may have their own notification requirements, such as to an Attorney General or consumer protection department.
  - Notifications must be made as soon as practicable but within no more than 60 days of discovery.
• HIPAA requires a business associate to notify a covered entity of a breach of unsecured PHI as soon as practicable but within no more than 60 days of discovery.

Page 23: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Breach Notification

• Negotiation Points:
  - While up to 60 days is permitted by law, regulators will not look fondly upon covered entities who give their business associates that much time – push for a shorter maximum reporting time frame.
  - If a business associate is concerned about producing a list of affected individuals within a very short time frame (e.g. 3 days), consider a bifurcated obligation – tell the covered entity of the breach first, and give the covered entity the necessary information later.
  - Make the business associate responsible for receiving timely reports from its subcontractors.
  - Consider state laws that may require quicker breach reporting, particularly when Social Security numbers are involved.

Page 24: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Breach Mitigation

• In addition to breach reporting, many covered entities expect more from their business associates. In other words, if the business associate caused the problem, they own the problem.
• Consider:
  - Require the business associate to take reasonable steps to mitigate any potential harm from the breach, including such steps as the covered entity may reasonably require.
  - Include specific actions the business associate must take, such as attempting to retrieve any lost or stolen information or operating (or arranging for) a call center through which affected individuals can have their questions answered.
  - Require the business associate to make its records, personnel and advisors available to the covered entity for purposes of the covered entity completing its investigation of the breach.

Page 25: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Cooperation

• Investigations.
  - When under investigation by an Attorney General, the Office for Civil Rights, or another state or federal agency, cooperation by the business associate is often vital.
  - Include a provision in the BAA that requires the business associate to participate in the investigation and provide the information the covered entity needs. If the investigation is due to an act or omission of the business associate, the business associate’s cooperation should be at its own cost and expense. Otherwise, the covered entity typically is required to reimburse the business associate for its costs.
• Access to Books, Records and Policies.
  - At times, a covered entity may want to conduct “due diligence” on a business associate to verify compliance with the BAA or HIPAA. To do so, the business associate should be required to make relevant books, records and policies available to the covered entity on a confidential basis.

Page 26: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Indemnification

• Indemnification is the concept through which the party at fault makes the other party whole; in other words, the breaching party will pay the costs, expenses, fines and losses the non-breaching party incurs as a result of the breaching party’s act or omission.
• While many underlying agreements will address indemnification, it is often best to specifically address indemnification in the business associate agreement and how it applies to the use and disclosure of PHI.
• Goal: to not incur costs or damages due to the act or omission of the other party. Costs and damages typically are incurred under a business associate agreement with respect to data breaches and HIPAA violations.

Page 27: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Indemnification

• Negotiating Points:
  - Business associate should be responsible for all costs the covered entity incurs due to a breach or violation of law/the BAA. If the business associate refuses such a “blank check,” the indemnification clause should specify the costs for which the business associate will be responsible (e.g. attorney fees, notification costs).
  - Caps? Many business associates will want a cap or a limitation on their liability. While often reasonable, seek to tie the cap to the amount of PHI or the risk profile of the arrangement. Also consider linking indemnification to insurance (to be discussed later on).
  - Be careful about limitations on liability contained in the underlying agreement.

Page 28: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Mutual Indemnification

• Often, one party will propose replacing a standard indemnification clause with “mutual indemnification.” This means that each party will indemnify the other, typically for the same costs and damages.
• Negotiating Points:
  - Mutual indemnification is generally more beneficial to the covered entity than the business associate because in a business associate relationship, the covered entity is more likely to be the one seeking to recover costs or damages.
  - In a business associate agreement, the business associate is the party more likely to violate the agreement because they have more obligations under the agreement.

Page 29: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Breach Reimbursement

• When indemnification is not on the table, or is unnecessarily delaying negotiations, consider breach reimbursement as an alternative.
  - Focusing business associate liability on breach reimbursement benefits the business associate by limiting the scope of potential liability, and the covered entity by protecting it against its greatest monetary risk.
  - Consider:
    ► Caps – tied to insurance?
    ► Identifying specific costs to be reimbursed (e.g. call center? attorney fees?).
    ► Reimburse for subcontractor breaches.

Page 30: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Dealing with Sovereign Immunity

• Sovereign immunity is the legal rule that an individual or entity may not sue or file a claim against a government agency or official unless the government consents to being sued.
  - This rule applies in some, but not all, states.
  - May include state agencies or state educational facilities.
• Result is that if you contract with a state agency with sovereign immunity and the state agency is your business associate, and the state agency then loses a laptop with the names and Social Security numbers of 10,000 of your patients, you may have an exceedingly difficult time trying to get the state agency to indemnify or reimburse you for your costs.
• Negotiating Point: Have the state agency assume responsibility for any breach response, notification and mitigation.

Page 31: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Insurance

• An indemnification clause is valuable only to the extent the indemnifying party can pay what is owed. Given the high and increasing costs of data breaches and HIPAA violations, covered entities often feel more secure knowing that a business associate has appropriate insurance to cover indemnification obligations.
• Negotiating Points:
  - Generally speaking, insurance is more important when dealing with a small, financially insecure business associate than a large, established company (e.g. a one-person start-up vs. a large public company).
  - Not just any insurance will do – traditional liability and malpractice policies won’t cover breaches – require cyber liability insurance.

Page 32: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices


Polling Question #3


Page 33: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Insurance

• Negotiating Points (cont.)
  - Establish minimum insurance limits that the business associate must maintain throughout the term of the business associate agreement.
    ► Consider tail coverage – some breaches are discovered only after the arrangement ends.
  - Don’t limit your indemnification to the insurance coverage – insurance doesn’t cover everything and you still want to be made whole regardless of the scope of the applicable insurance policy.
    ► Consider a bifurcated cap – covered costs paid by, and to the maximum amount of, insurance; other costs paid out of pocket.
    ► Note: Insurance typically does not cover fines or penalties.
  - How much to require? Depends upon the amount of PHI, the risk profile of the arrangement, and the bargaining positions of the parties.

Page 34: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

De-Identification of PHI

• De-identification is the process by which certain identifiers are removed from PHI so that the subject of the PHI can no longer be identified.
• Many vendors seek a right to de-identify PHI they receive to use for their own purposes, such as research or quality improvement.
• When vendors first started doing this, covered entities often sought to prevent de-identification in the business associate agreements. However, it has become much more common and largely accepted.
• Negotiating Points:
  - Require that any de-identification be performed in accordance with HIPAA.
  - Require covered entity identifiers to also be removed.
  - Hold the business associate responsible for improper de-identification.

Page 35: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Security Safeguards

• Review what type and how much information you are providing to a business associate – given the risk profile of the PHI being provided, should the covered entity require any particular safeguards to be employed by the business associate?
• Consider the following:
  - Mandate encryption when PHI is emailed or stored.
  - Mandate confidentiality agreements with business associate employees with access to the PHI.
  - Mandate adherence to any applicable state laws or standards.
  - Prohibit storage of PHI on personal devices or servers.

Page 36: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Change of Law

• HIPAA and its implementing regulations, as is true with many health care laws, are routinely being amended, revised and re-interpreted. Because of this, an arrangement that is legal today may become questionable, more risky, or even illegal tomorrow.
• To address this concern, consider the following:
  - Covered entity retains the right to amend the business associate agreement in the event of a change in law.
  - Covered entity may do this unilaterally (preferred) or in consultation with the business associate. Failure to agree to a timely and satisfactory amendment would terminate the business associate agreement and the underlying agreement.
  - Negotiating Tip: Don’t be held hostage by the other party – ensure an ability to modify or get out of an agreement should it become illegal or questionable.

Page 37: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

Where Do BAA Negotiations Go Awry?

• Negotiators often spend considerable time and effort on BAA terms which, while important, may not be a covered entity’s priorities. These may include:
  - Governing law – if unable to get your preferred state, defer to the underlying agreement, go with Delaware or leave blank.
  - Assignment – consider whether you care if the vendor gets bought out or sold – are you interested in the person or the company?
  - Individual rights – many vendors won’t have a “designated record set” and won’t be subject to the individual rights provisions. Consider if the provisions apply to the business associate arrangement prior to negotiating.

Page 38: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

HIPAA Education Series sponsored by:

www.compliancy-group.com 855.85 HIPAA (855.854.4722)


Page 39: HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices


Questions?
