Business Associates Beware – A Fine May Find You

HIPAA’s privacy and security requirements have been part of the health insurance and insurance broker lexicon for many years. Most health insurance brokers have signed at least one – and often multiple – BAAs (Business Associate Agreements) over the years. HIPAA HITECH, enacted into law in 2009, increased the responsibilities of business associates and made them directly subject to the HIPAA privacy and security provisions by statute. Business associates have been required to comply with these provisions since September 2013, when the rules implementing the law became final.

For the first time, a business associate has settled a HIPAA case with the HHS Office for Civil Rights (OCR). Catholic Health Care Services of the Archdiocese of Philadelphia has this dubious distinction and has agreed to pay $650,000 to settle a case with OCR that resulted from the theft of a cellphone.

A cellphone that was neither password-protected nor encrypted was stolen. The phone contained PHI, including social security numbers, names of family members, and information regarding diagnosis, treatment, medical procedures and medications.

As part of the settlement, the business associate had to agree to a corrective action plan. This plan can serve as a good checklist for all business associates to measure their HIPAA compliance efforts.

The corrective action plan includes:

  • Risk analysis and risk management to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI
  • Documentation of the security measures implemented to reduce the identified risks
  • Revision and maintenance of the written policies and procedures necessary to keep PHI secure
  • Communication of the updated policies and procedures to all employees on a timely basis
  • Written or electronic compliance certification from all employees stating that they have read, understand and will abide by the policies and procedures
  • Barring employees who have not signed or certified that they will comply with the procedures from having access to ePHI

Among the more prescriptive aspects of the corrective action plan is a lengthy list of the “minimum content” of the policies and procedures. These include:

  1. Policies regarding encryption of ePHI.
  2. Policies regarding password management.
  3. Policies regarding security incident response.
  4. Policies regarding mobile device controls.
  5. Policies regarding information system review.
  6. Policies regarding security reminders.
  7. Policies regarding log-in monitoring.
  8. Policies regarding a data backup plan.
  9. Policies regarding a disaster recovery plan.
  10. Policies regarding an emergency mode operation plan.
  11. Policies regarding testing and revising of contingency plans.
  12. Policies regarding applications and data criticality analysis.
  13. Policies regarding automatic log off.
  14. Policies regarding audit controls.
  15. Policies regarding integrity controls.

Brokers have taken important steps that recognize their responsibilities when handling protected health information (PHI) as HIPAA requires. These include physical changes to offices to secure information, adoption of encrypted email, and other measures.

However, now may be a good time to review the steps already taken, with an eye to what may have been overlooked or where more robust action is necessary. The elements of this corrective action plan are a good starting point for a thorough review. After all, the last few years have seen significant changes in the use of mobile devices, including an explosion of employees using their own devices for work-related purposes.

For more information on HIPAA requirements click here.