Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement and monetary penalty against a business associate (BA).
A BA is an entity that receives protected health information (PHI) from a covered entity (an entity regulated by HIPAA such as a doctor or hospital). The definition of a BA is quite broad because so many entities perform services for covered entities and receive PHI. Examples include transcription services, billing services, legal services, and data storage services, among others.
In the recent case, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) was providing management and IT assistance to nursing homes. A CHCS employee’s iPhone was stolen, and the phone was neither encrypted nor password-protected. The PHI on the phone included Social Security numbers, family member names, and medical data.
CHCS entered into a resolution agreement with OCR. The settlement included a monetary penalty of $650,000.
This case is notable for several reasons:
1. BAs are involved in many HIPAA data breaches.
It’s about time that HHS enforces against a BA, because BAs are involved in quite a large number of data breaches. As one article notes, almost 20% of the data breaches tallied by OCR involve BAs, and “the real percentage is likely higher because a considerable number of breaches on the tally that involved BAs fail to spell out a BA connection.” Also, the 1,595 data breaches tracked on OCR’s website — dubbed the “Wall of Shame” — are not even a complete list of all the breaches.
2. HIPAA has an extensive reach.
HIPAA is unusual among privacy laws because it allows HHS to enforce protection of data after it is transferred to other organizations. Most other privacy laws do not do this. These laws rely solely on the contracts between the regulated organizations and those receiving data from the regulated organizations. But under HIPAA, when a covered entity transfers PHI to another organization to perform a service, that other organization becomes a business associate (BA) and becomes directly regulated by HHS. This is in addition to the contract in place between the covered entity and the business associate.
HHS enforcement thus follows the data. It follows the data all along the chain of custody too — so if a BA transfers the PHI to another organization, that organization is deemed a BA too and becomes directly subject to HHS regulation and enforcement.
Why is this part of HIPAA so important? There are several reasons. First, data is so readily and often transferred to a lot of different entities. Second, the contracts between those providing the data and those receiving the data are often not adequately strong. Third, the penalty from breaching a contract might not be sufficient to deter a BA — it might be lost business, but unless the deal was huge, the BA might not suffer enough pain if the relationship with the covered entity is severed. And in many cases, that relationship continues.
HIPAA wisely recognizes that personal data must be protected along the entire chain of custody. Otherwise, protection can weaken as data travels down the chain. More laws ought to emulate HIPAA in this regard.
3. HIPAA enforcement extends far beyond just hospitals and companies.
This case involved a non-profit BA. Nobody is exempt from HIPAA. HHS has enforced against state government agencies too.
4. It’s the low-hanging fruit that sparks the penalties.
In most cases, HHS does not insist on monetary penalties. Why did HHS seek a penalty against CHCS?
The reason is that the violations in this case involved failing to meet key requirements of HIPAA — the lack of a policy for removing portable electronic devices containing PHI from the premises and a failure to conduct a risk analysis. These are bread-and-butter HIPAA requirements.
The resolution agreement also contains a provision where HHS will monitor and evaluate the security awareness training. I always look at what the corrective action plan requires to figure out more precisely what HHS found wrong with a particular organization, as the facts in the resolution agreements are quite skimpy and vague as to what precisely went wrong and what precise provisions of HIPAA were violated.
HHS often goes after these core requirements — conducting risk analysis, having appropriate policies, and conducting adequate training. Those that get fined aren’t doing the basics.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.