HIPAA Compliance for Lawyers
A "business associate" you can trust
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information ("PHI") on behalf of, or provides services to, a covered entity, such as a hospital, health plan, or provider.
Under the Omnibus Rule, HIPAA business associates must comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Security and Privacy mandates and are subject to audits by the Office for Civil Rights ("OCR") through the Department of Health and Human Services ("HHS"). Business associates that do not meet the requirements after a HIPAA compliance audit may be held accountable for data breaches and suffer penalties.
OCR issued a fact sheet detailing ten ways a business associate can be held directly liable for violations of HIPAA, as provided by the Health Information Technology for Economic and Clinical Health ("HITECH") Act of 2009. Although covered entities are ultimately responsible for what happens to their PHI, HITECH authorized OCR to hold business associates directly liable for certain violations of HIPAA.
The ten enforcement actions OCR may take against business associates include instances where the business associate:
- Fails to provide the Secretary with records and compliance reports; to cooperate with complaint investigations and compliance reviews; and to permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Takes any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Fails to comply with the requirements of the Security Rule.
- Fails to provide breach notification to a covered entity or another business associate.
- Makes impermissible uses and disclosures of PHI.
- Fails to disclose a copy of electronic PHI to the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations regarding the form and format, and the time and manner, of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.
- Fails to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
- Fails, in certain circumstances, to provide an accounting of disclosures.
- Fails to enter into business associate agreements with subcontractors that create or receive PHI on its behalf, or fails to comply with the implementation specifications for such agreements.
- Fails to take reasonable steps to address a material breach or violation of the subcontractor's business associate agreement.
HIPAA Self-Assessment:
- Are the PHI and ePHI in your firm's possession safeguarded?
- Is there PHI and ePHI managed in off-site locations?
- Do you have controls over portable devices, such as laptops and flash drives?
- How do you dispose of devices (owned or leased) that contain ePHI?
- What oversight do you have over your sub-contractors and business associates?
- When was the last time you toured your locations reviewing for potential HIPAA violations?
- Are your Privacy and Security Policies and Procedures followed and up-to-date?
- Have you updated your Risk Assessment to include HIPAA?
- Are you prepared for an unauthorized disclosure or breach and do you know what to do when a disclosure occurs?
- Do you have a process in place to manage Office for Civil Rights desk and onsite audits?
B. Riley offers extensive HIPAA Privacy and Security expertise provided by professionals with deep specialization and experience in:
- Conducting mock OCR audits aligned with the OCR Privacy and Security Audit Protocols
- Conducting Security Risk Assessments as required by the Security Rule
- Reviewing your processes around business associate agreements, vendor management and breach management
- Reviewing and creating privacy and security policies
- Penetration testing of applications and networks
- Providing education to your legal team, staff, vendors, contractors and others on the importance of protecting PHI
- Reviewing your firm's business associate agreements