Closing the HIPAA loophole on associates
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) created many rules that protect the privacy of patients and ensure the security of healthcare data.
But the law left a big loophole regarding third-party entities which legally have access to protected health information (PHI) from organizations that are required to be HIPAA-compliant. The U.S. Department of Health and Human Services (HHS) couldn’t directly enforce HIPAA compliance on business associates, so a new rule required HIPAA-covered entities – healthcare providers, health plans and data clearinghouses – to sign contracts with third parties mandating that these business associates (BAs) follow HIPAA requirements.
“Under the contractual scheme, HHS only had rights with respect to covered entities – which may or may not be properly enforcing their relationships with BAs,” says Gerry Hinkley, co-leader of Pillsbury Winthrop Shaw Pittman’s Health Care Industry Team and chair of the HIMSS Legal Task Force.
Given that hospitals and other large healthcare providers could have more than 100 business associates, the situation quickly became a mess.
“After about six years this proved to be totally unworkable,” Hinkley says. “HHS said, ‘There are too many of these BAs, it’s too dangerous. We want to regulate them directly.’”
The HITECH Act of 2010 put legal requirements for BAs handling protected health information under direct enforcement by HHS. It also contributed to more confusion because the new law did not eliminate obligations facing HIPAA-covered entities to ensure their BAs are in compliance.
“That’s the problem,” Hinkley says. “You’ve got an unusual regulatory scheme that’s about 10 years old and which has added, I would say, billions of dollars to healthcare costs by virtue of the requirement of this additional contract.”
At HIMSS15, Hinkley will present a one-hour session titled “Challenges Working With or Being a HIPAA Business Associate” designed to help healthcare providers and their business partners meet HIPAA compliance requirements.
He will be joined by co-presenter Deven McGraw, a partner in the healthcare practice of the law firm Manatt, Phelps & Phillips.
Topics scheduled to be covered in the session include an overview of the current HIPAA regulatory landscape, the need to review and update practices surrounding BA contracts, risk assessments and security rule compliance, training and oversight, and offshoring data.
McGraw will use the first half of the presentation to present examples of what’s going wrong in the field regarding HIPAA and BA contracts, Hinkley says, while he will talk in the second half of the session about problems HIPAA-covered entities face with respect to BA contracts, as well as offer best practices to follow.
Hinkley says it’s the fourth or fifth year he has presented this session at the annual HIMSS conference. The audience, he says, is “very sophisticated, usually compliance officers and privacy officers from HIPAA-compliant entities as well as BAs.
The session is valuable because it offers attendees an opportunity to learn from colleagues facing the same challenges.
“They want to hear gossip,” he says. “They want to hear about problems other people are having that they haven’t encountered yet so they can start thinking about them before they have them.”
"Challenges Working With or Being a HIPAA Business Associate" is scheduled for April 14 at 10 a.m. in Room S100A during HIMSS15 in Chicago’s McCormick Place.