Thu. Apr 24th, 2025

HIPAA Agreements for Contractors Demystified: A Comprehensive Guide

The Basics of HIPAA Compliance

For decades, the U.S. Department of Health and Human Services (HHS) has issued regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These rules require health care providers, health plans, health care clearinghouses and their business associates to maintain the privacy and security of individually identifiable health information. What does that mean in practice? It is a set of rules about which health information you may share, with whom and for what purposes. While most of the rules are addressed to providers and plans, contractors that handle this information are held to the same standards. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extended the Security Rule and much of the Privacy Rule to business associates directly, and the 2013 Omnibus Final Rule put those changes into effect.

The Importance of HIPAA Agreements for Contractors

Contractors are used by hospitals, physician groups, clinics, health insurers and other entities that are subject to the HIPAA Privacy and Security Rules and the HITECH Act. For this reason, any contractor that will create, receive, maintain or transmit protected health information on the entity's behalf must be bound by a legally enforceable agreement with that entity.
In addition, contractors that do business with public agencies may have to comply with HIPAA-like requirements where the agency is subject to state laws that require confidential information to be treated in a manner similar to HIPAA. This is especially true in California, where certain state agencies may not enter into contracts that lack adequate protections for confidential information.
Contractors may also be required to enter into data sharing agreements under state laws that govern their ability to perform the contracted work. For example, the Personal Physician Services Agreement (PPSA) developed for long-term care facilities doing business with the Department of Developmental Services (DDS) as a provider of regional center services requires that a PPSA provider have a data sharing agreement with DDS.

The Components of a HIPAA Agreement

To ensure full compliance and to minimize risk, any agreement with a contractor, vendor, or business associate should contain critical elements that not only outline the expectations of both parties but also conform to the HIPAA standards. These elements serve to protect both the covered entity and the business associate, ensuring that the health information remains confidential and secure.
As with all legal documents, the language and framework of the HIPAA agreement should be clear and concise while still covering all essential provisions. Key components include confidentiality clauses, electronic data protection requirements, permissible uses of protected health information (PHI), and security requirements.
Confidentiality clauses provide an overview of how PHI will be protected and how breaches should be handled in order to minimize risk. Topics addressed under confidentiality include:

  • Permissible and impermissible uses of protected health information: This section defines the PHI the contractor will create, receive, maintain or transmit on behalf of the covered entity and the purposes for which it may be used or disclosed. A business associate may use or disclose PHI only as the agreement permits or as required by law, and may not use or disclose it in any way that would violate the Privacy Rule if the covered entity did so itself. The usual exceptions are the business associate's own proper management and administration and data aggregation services performed for the covered entity, and the agreement should say whether those are allowed.
  • Data protection plan: This section exists under a number of different names, but its purpose is to outline the security measures that will be put in place to protect electronic data systems. Items covered under this plan may extend to physical hardware, software, and any other devices that may house PHI.
  • Security requirements: This section provides more granular detail on the specific security measures the contractor will employ to protect electronic PHI. The Security Rule's administrative, physical and technical safeguards apply to the business associate directly, and the level of detail written into the agreement should scale with the level of access the business associate has.
  • Breach notification: This becomes contentious if the agreement does not spell out the timeframes. Under the Breach Notification Rule, a business associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, and a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the business associate. Because the covered entity must then make its own notifications to affected individuals, to HHS and, for larger breaches, to the media within its own 60-day limit, agreements commonly set a much shorter contractual window for the business associate. Whatever window is chosen, the agreement should state it explicitly, along with the information the notification must contain.

Contractor Agreements vs. Business Associate Agreements: What’s the Difference?

It is vital that any organization using a contractor to perform a business function that includes the use of its patient information understand the differences between a business associate agreement and a standard contractor agreement. This insight is critical to complying with HIPAA, avoiding breaches of patient information, and protecting your organization from liability.
A business associate contract is required for any contractor that creates, receives, maintains or transmits protected health information on behalf of the covered entity. The fact that a contractor is itself a covered entity does not remove that requirement: when one covered entity performs a business associate function for another, such as billing or claims processing, a business associate contract is still needed. A pharmacy, for example, is a covered entity because it is a health care provider that transmits standard electronic transactions, yet a pharmacy that processes claims for a clinic is acting as that clinic's business associate. The test is the function performed, not the contractor's status. Incidental contact is a different matter. A medical facility may use a janitorial service to clean its offices, and a janitor may see protected health information in passing, but the janitorial service does not receive PHI to perform its work on the facility's behalf, so under HHS guidance it is not a business associate and no business associate contract is required; the facility instead relies on reasonable safeguards such as clean-desk practices and limiting access to records.
A contractor agreement, on the other hand, is strictly a commercial contract between the parties. It requires the contractor to maintain insurance and to comply with all applicable law in carrying out its duties. A contractor agreement is primarily concerned with the legalities of the work itself and does not usually address patient information.

How to Verify HIPAA Contractor Compliance

Depending on your business model, you may engage independent contractors to perform various functions for your business. If any of these contractors will have access to the protected health information (PHI) of your patients, they must be held to the same strict standards as covered entities and business associates. For most businesses, the best way to ensure that contractors comply with HIPAA is to engage them through a business associate agreement. A business associate agreement sets forth the contractor's HIPAA compliance obligations, including what type of PHI the contractor may access and how it must handle that PHI in accordance with HIPAA standards.
When vetting business associates, confirm that they have appropriate safeguards in place to protect the PHI of your patients. This means the administrative, physical and technical safeguards the Security Rule requires, covering both storage and transmission of the data, and it certainly includes regular HIPAA training for the business associate's own workforce. Ask for evidence rather than assurances: a current risk analysis, written policies, and the results of any third-party assessment. Business associates should also be audited on a regular basis to verify that their actual practices match what the agreement promises.

The Implications of Contractor Non-Compliance with HIPAA

Any contractor whose service touches a covered entity's protected health information (PHI) may be subject to HIPAA. Although there are exemptions and "safe harbors" that govern how contractors interact with PHI, since the 2013 Omnibus Final Rule business associates are directly liable for violations of the Security Rule and of many Privacy Rule provisions, so regulatory enforcement can reach the contractor as well as the covered entity that hired it. For example, in 2012 the HHS Office for Civil Rights (OCR) investigated a contractor that had failed to implement appropriate security measures to protect patient health information, and the matter ended with a significant fine on the prominent university that had engaged it. As such cases show, the penalties can be substantial. The average HIPAA fine during 2014 for a breach of PHI was $61,429, with the highest fine being $1.2 million.
Outside of active enforcement actions, contractors may be held liable to a patient or client for a breach of privacy. For example, if a doctor hires a transcription service and, through the transcription company's negligence, patient health information is disclosed to an unauthorized individual, the patient may sue the doctor under a theory of vicarious liability. HIPAA itself provides no private right of action, but patients can bring claims directly against a contractor under state law, such as negligence or breach of confidentiality, where the contractor disclosed their information without a HIPAA exception. Another consequence of non-compliance with HIPAA and other privacy regulations is loss of public trust. For contractors in particular, this translates into lost revenue as clients stop doing business with a noncompliant vendor.

HIPAA in Contracting: Real-World Examples and Guidelines

The importance of HIPAA compliance may be difficult to appreciate and understand in the abstract but real-world scenarios of both success and failure to comply can shed light on the requirements for compliance.
A small facilities-services business faced the challenge of cleaning patient rooms, collecting usage data from networked printers and scanners to plan their deployment, and still meeting HIPAA standards. The business realized that compliance required robust policies and procedures, so that any employee who might encounter protected information would be able to recognize it and would know what to do on finding a patient's PHI somewhere it should not be. In required training sessions, the business taught employees that sharing such information with anyone without the permission of the patient or the patient's authorized representative is unacceptable. The business also engaged an IT consulting firm to combine hardware and software controls into a segmented network that limits access, separating the systems holding patient data from the data employees need for their own job functions.
A small engineering firm tried to save money by having its contract engineer retrieve client email remotely on smartphones and manage it in-house, instead of leaving that to its IT professional. The owner did not understand the HIPAA impact of this arrangement. Establishing HIPAA compliance is a challenge in the best of circumstances, and being cavalier about it can be fatal. The owner assumed the engineer could handle the task because he had previously worked for a commercial email service provider. Unfortunately, the engineer knew nothing about HIPAA, and, unbeknownst to the business, the arrangement produced a data breach with potential for a lawsuit, civil penalties and regulatory enforcement. Because the breach was detected and contained early, no serious harm occurred. The damage to the company's standing with its clients and with regulators was serious, however, and the internal remediation cost real money. The owner now understands that there is no substitute for proper training for everyone, at every level, who comes into contact with PHI. He also learned that IT service providers do not generally understand what those little letters "HIPAA" require, so you cannot rely on your IT people to do your HIPAA compliance work; they usually do not know the contracting obligations or what protecting your compliance involves. Instead, the owner now treats it as an obligation that calls for all hands on deck.

Best Practices for HIPAA Contractor Agreements

1. Consult with Your Company’s Legal Counsel

HIPAA is complicated and confusing. The business associate agreement is a complex contract that is often negotiated between a covered entity and a contractor. The contract should be drafted by your company and reviewed by legal counsel to ensure that its terms comply with HIPAA, with the requirements of the underlying service contract, and with all applicable state laws. Having your company's legal counsel draft the HIPAA contract spares you from amending it later because a required term was left out.

2. Don’t Use "boilerplate" Contract Provisions

While some HIPAA agreement requirements are non-negotiable, the parties may agree on stricter terms for certain issues. For example, HIPAA permits a business associate to disclose PHI to a subcontractor, provided the business associate obtains the same satisfactory assurances from the subcontractor in a written subcontractor business associate agreement. Your company may nonetheless prefer that the business associate not disclose any of your information to subcontractors at all, or only to subcontractors you approve in advance. Experienced counsel will know that the subcontractor provision in a business associate agreement can be negotiated.

3. Businesses Should Consult with Their Privacy/Security Officers

Before signing any HIPAA agreement, a company should confirm that its privacy and security officers agree with the terms of the contract. For example, is the business prepared to execute a business associate agreement that obligates it to conduct a specified number of security risk assessments or audits each year?

4. Create a Policy for Managing and Revising HIPAA Related Contracts

Do you review contracts annually? Do you verify that your vendors actually comply with these agreements? Does your company have a policy for reviewing contracts before they expire so that a new agreement is ready in time? Do you have a centralized office that handles all contracts, so that no business associate agreement is lost track of?