The Department of Health and Human Services Office for Civil Rights (OCR) has shown once again, in a recent settlement, that it is willing to enforce HIPAA against business associates. The settlement highlights the importance of the thorough risk analysis that the HIPAA Security Rule requires of business associates and covered entities, and it serves as a reminder that OCR remains ready to exercise its authority to enforce HIPAA’s requirements against business associates. Following the settlement, OCR released a fact sheet that provides guidance on HIPAA compliance and on the direct liability of business associates.
On May 23, 2019, OCR announced a settlement with a business associate relating to a 2015 data breach. The business associate provides software to healthcare providers that allows patients to access and manage their electronic health records through a patient portal. The company has agreed to pay OCR $100,000 to settle potential violations of HIPAA.
In July 2015, the company filed a breach report with OCR following discovery that hackers had used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million individuals. The hackers gained access to a server containing names, addresses, usernames, passwords, and health insurance information. An investigation by OCR revealed that the company did not conduct a comprehensive risk analysis prior to the breach. In addition to a $100,000 settlement with OCR, the company will also undergo a two-year corrective action plan that includes a complete, enterprise-wide risk analysis. As part of the corrective action plan, the company has agreed to:
- Conduct a comprehensive risk analysis of “the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of the company’s ePHI within 30 days of the effective date of the OCR settlement. OCR specified that the company’s risk analysis shall include an inventory of its facilities and categories of electronic equipment, data systems, and applications that create, receive, transmit, or maintain ePHI;
- Develop and implement a written risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis; and
- Provide annual reports to OCR of its compliance efforts with respect to the action plan.
In addition to OCR enforcement, the company has been the subject of the nation’s first multistate lawsuit against a business associate involving a HIPAA-related data breach. On the same day as the OCR settlement announcement, the company also settled a lawsuit brought by 16 U.S. state attorneys general regarding the same breach. The company has agreed to pay $900,000 to resolve the multistate action over alleged HIPAA violations related to the 2015 data breach. The lawsuit was filed in December 2018, alleging that the company had violated HIPAA, state unfair and deceptive acts and practices laws, data breach notification statutes, and personal information protection laws. The 16 states whose attorneys general were named as plaintiffs in the lawsuit were Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin. In addition to the payment of $900,000, the agreement requires the company to implement multiple privacy and cybersecurity safeguards, such as the designation of a privacy officer and the implementation of multifactor authentication for access to any personal health information.
Together, the two settlements demonstrate that business associates may be held liable for HIPAA compliance not only by OCR, but also by state attorneys general.
Confirmation of Direct Liability under HIPAA for Business Associates
On May 24, 2019, OCR issued a fact sheet on the Direct Liability of Business Associates under HIPAA. Consistent with the Health Information Technology for Economic and Clinical Health (HITECH) Act and OCR’s 2013 final rule, the fact sheet provides an important reminder to covered entities and business associates regarding the circumstances in which OCR can and cannot take enforcement actions directly against business associates for violations of HIPAA regulations. The fact sheet identifies 10 categories of HIPAA violations for which a business associate may be directly liable:
- Failure to provide records and compliance reports in cooperation with OCR investigations;
- Taking retaliatory actions against individuals for filing a HIPAA complaint;
- Failure to comply with HIPAA Security Rule requirements;
- Failure to provide a breach notification to a covered entity or another business associate;
- Impermissible uses or disclosures of PHI;
- Failure to fully comply with HIPAA’s right of access to PHI in a readily available form and format;
- Failure to make reasonable efforts to limit access to PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;
- Failure to provide an accounting of disclosures in certain circumstances;
- Failure to enter into HIPAA-compliant downstream business associate agreements (BAAs); and
- Failure to take reasonable steps to address a breach or violation of a downstream BAA.
The guidance also notes that, by contrast, OCR lacks authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates, because the HITECH Act does not apply the fee limitation provision to business associates. A covered entity that engages the services of a business associate to fulfill an individual’s request for access to his or her PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action only against the covered entity. It is important to note, however, that a business associate may have contractual obligations to the covered entity to comply with such limitations, thus shifting the burden to the business associate.
Business associates should conduct thorough, annual risk assessments. Risk assessments are required under the HIPAA Security Rule, and a documented assessment helps rebut arguments that the safeguards in place at the time of an incident were inadequate.
In addition, business associates should keep their direct liability for HIPAA violations in mind when negotiating liability-shifting provisions in their business associate agreements.