Who Are BAs?
■ BAs generally include entities engaged in certain administrative activities or services for or on behalf of covered entities (CEs) that require access to protected health information (PHI), including claims processing, billing, benefit management, utilization review, management services, and consulting services. A BA creates, receives, maintains, or transmits PHI on behalf of a CE or another BA.
■ Organizations should keep in mind that the definition of a BA also includes the following organizations:
- Organizations providing PHI data transmission to CEs such as health information exchange organizations, regional health information organizations, and e-prescribing gateways.
- Vendors contracting with CEs to provide PHR systems to patients.
■ This definition of what constitutes a BA subjects many vendor and service provider organizations to the HIPAA laws governing the privacy of medical or health information.
■ BAs can also include developers of health-related mobile apps and personal health trackers and devices. The Federal Trade Commission (FTC), in conjunction with OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), created a web-based tool to help developers of health-related mobile apps and similar technology understand which federal laws and regulations might apply to them. The guidance tool asks developers a series of questions about the nature of their app, including its function, the data it collects, and the services it provides to users. Based on a developer's answers to those questions, the guidance tool points the app developer toward detailed information about the federal laws that might apply. These include the FTC Act, the FTC's Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA) Rules, and the Federal Food, Drug and Cosmetics (FD&C) Act. The tool can be found here (https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool).
What Can Happen to BAs That Fail to Comply with HIPAA?
■ BAs are subject to mandatory periodic audits by the Office for Civil Rights, the US Department of Health and Human Services (HHS) agency responsible for monitoring and enforcing the HIPAA privacy and security rules. BAs found to be noncompliant will be considered to be in violation of the law and subject to the following:
- civil monetary penalties of between $100 and $10,000 per violation, with maximum penalties of $1.5 million per calendar year;
- criminal penalties for HIPAA violations; and/or
- a mandatory HHS investigation and assessment of civil monetary penalties (in cases of willful HIPAA violations).
■ BAs may also face civil actions brought by state attorneys general for HIPAA violations that involve residents of their individual states.
BA Requirements under the Security Breach Notification Requirements
■ BAs must notify the CEs with whom they contract of any breaches of “unsecured PHI” and, to the extent possible, identify the individuals whose information was compromised. Upon receiving notice of a reportable “security breach,” the CEs have the responsibility to notify the individuals whose information has been breached. In some circumstances, the CEs must also provide notice to HHS and to local media. Notification must take place without unreasonable delay or no later than sixty calendar days from discovery, as required by law. BAs will bear the burden of proof for demonstrating that any delay in notifying the CEs of a security breach was reasonable. Except as required by law enforcement officials, BAs must notify the CEs no later than sixty calendar days from the date of discovery.
■ The HITECH Act defines security breach to include the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information, with certain exceptions for inadvertent acquisition, access, or use of PHI by employees and agents. It is important to note that unless an exception applies, inappropriate acquisition, access, or use of unsecured PHI by employees is considered a reportable security breach.
■ The security breach notification requirements apply only to unsecured PHI. HHS has issued a guidance document (HHS Guidance) defining the technologies and methodologies that secure PHI by rendering the data unusable, unreadable, or indecipherable to unauthorized persons.
Essentially, PHI must be either encrypted or destroyed per the HHS Guidance to be considered secured. If PHI is secured in accordance with the HHS Guidance, then unauthorized access to, use or disclosure of such information will not trigger the security breach notification requirements. However, such breaches may still be subject to state law notification requirements.
■ CEs are required to notify patients without unreasonable delay and in no case later than sixty calendar days after discovery of the breach. The date of “discovery” may not necessarily be the date of actual discovery, but rather, the date that one should have discovered the breach using reasonable measures. Therefore, CEs and BAs should ensure that reasonable measures are in place to catch potential security breaches, as well as to train employees properly to be able to spot these potential breaches. BAs must timely report security breaches to CEs to enable them to notify the individuals within this deadline. It is likely that CEs will amend BAAs to impose tight deadlines on BAs to report security breaches to the CEs.
■ BAs are required to provide certain information about affected individuals to the CEs to enable the CEs to properly notify those individuals. The notification should include a brief description of the incident, including the date of the breach and the date it was discovered, and the type of unsecured PHI that was breached. CEs will likely require BAs to include additional information regarding the breach, as CEs may need it to satisfy their own requirements for notifying the affected individuals. In some circumstances, CEs may look to contractually obligate BAs that are the subject of a security breach to make the required notifications on behalf of the CEs. The BAs will then need to ensure their notification is compliant with HIPAA requirements.
■ HIPAA does not preempt more stringent state laws. Essentially, this means that BAs subject to state security breach notification laws must continue to comply with those laws. BAs should consult with legal counsel for assistance with defining these obligations and conducting necessary preemption analysis.
■ BAs must develop policies and internal procedures to ensure a coordinated system for internal reporting of breaches of unsecured PHI, prompt internal investigation of alleged breaches, and reporting to the CEs with whom they contract.
■ BAs that use subcontractors will have to ensure that they contractually bind their subcontractors to report security breaches in sufficient time to allow the BAs to report back to the CEs. BAs may want to bind their subcontractors contractually to additional terms to help protect against security breaches, such as requiring them to develop similar policies, procedures, and processes for investigating and reporting breaches.
■ Vendors that provide PHR systems, but do not do so on behalf of CEs, will be subject to security breach notification under the HITECH Act, which will be enforced by the FTC rather than HHS.