Health Insurance Portability and Accountability Act
By David Glusman, Partner, Advisory Services
There are many new things happening with regard to the Health Insurance Portability and Accountability Act of 1966 (HIPAA), not least of which is a resolution of the claim with regard to a Business Associate. On June 24, 2016 Catholic Health Services of the Archdiocese of Philadelphia, a nonprofit organization, on behalf of itself and Catholic Health Client Services (CHCS), settled a claim under HIPAA. This appears to be the first time that the Department of Health and Human Services (HHS) has utilized HIPAA with regard to a Business Associate.
As more fully described in the settlement agreement, CHCS has acknowledged its requirement to comply with the HIPAA rules. CHCS provided management services to six nursing homes in New York. In 2014, HHS was notified of an unsecured electronic protected health information breach. The settlement agreement cites that "...CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of any Personal Health Information (PHI) held by CHCS," and further that "...CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level..."
CHCS has agreed to pay HHS $650,000 to resolve this matter, although CHCS did not admit any liability. CHCS has also entered into an agreement defined as a "corrective action plan." If CHCS does not comply with the corrective action plan, HHS may reopen the investigation and prosecution. CHCS is required to "...develop and maintain, and revise as necessary, its written policies and procedures to comply with the federal standards that govern the security of individually identifiable health information."
Generally, any individual or organization that signs a business associate agreement under the terms of HIPAA is required to maintain the same level of security and confidentiality on PHI as any healthcare provider. Thus, whether the business associate is providing data processing, management consulting or other services, the business associate must assure that, if they come to acquire or have access to any PHI, they have adequate and appropriate levels of security and that they maintain the integrity and security of the data. As an example, billing organizations will routinely have name, address, and Social Security number, date of birth and health insurance information in order to file claims. All of this is PHI. Among the other requirements of a business associate agreement, and to maintain compliance with HIPAA, would be maintaining both physical security as well as electronic security on the records. The need to initially install rigorous physical, procedural and electronic safeguards before any PHI is received is imperative. Regular and periodic review and updating, especially of electronic security, is required. Almost every time the public hears about a data breach in a healthcare organization, PHI may have been compromised.
This case settlement is indicative of the government’s continued surveillance and enforcement with regard to third-party maintenance of adequate and appropriate security on PHI. While a breach of electronic security will not automatically lead to fines or other remediation requirements by the government, any material breach is likely to be followed by some level of federal government investigation to determine whether, prior to the breach, appropriate and adequate safeguards were in place such that, under a "reasonable man" standard, the data should have been considered "safe."
This makes it imperative for any organization holding PHI not only to believe that they have adequate safeguards, but also to have documentation of their reviews and regular updates to the security system, including the use of outside experts to assist in designing and developing the system, as well as to validate its ongoing integrity.