As reported in the HIPAA Journal, the HHS has issued a clarification statement on when business associates can be fined for non-compliance. If you are a healthcare provider, or especially a solution provider or ISV offering a SaaS application for the healthcare market, there are a few things you need to know.
Let’s start with a couple of basics:
What is a Business Associate?
HHS defines a business associate as “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”
In other words, if you have a SaaS solution that handles or stores PHI (Protected Health Information), HHS would most likely consider you a business associate, and therefore, require your organization to comply with HIPAA/HITECH.
What is HIPAA/HITECH?
These are actually two separate Acts that both address Protected Health Information (PHI). HIPAA (Health Insurance Portability and Accountability Act) was created in 1996 at a time when the protection of electronic information wasn’t necessarily the highest priority. In fact, as the name implies, the original act was focused on ensuring individuals could retain healthcare coverage as they switched jobs. Over time, HIPAA has been amended to include additional provisions for things like privacy and security.
Conversely, the HITECH Act, passed in 2009, is all about technology, but its primary focus was to motivate healthcare providers to implement electronic health records (EHR). Arguably, if everything is electronic, it’s easier for patients to access their information and for providers to share pertinent information, which makes for all-around better service. It’s also easier for unauthorized individuals to gain access to electronic records, so from the beginning, HITECH has had a strong focus on security.
These acts are like twin stars, revolving around each other. If something happens in one, it affects the other and vice versa. They are so connected that most people just refer to them as HIPAA/HITECH or just HIPAA. However, if you’re an ISV selling solutions into this market, you need to be familiar with (and comply with) both.
What the Clarification Means
ISVs need to understand that the clarification issued by the HHS is not “news.” Business associates have always been liable for noncompliance. What the HHS fact sheet does is clear up some apparent confusion about when a business associate can be found in noncompliance.
The fact sheet can be downloaded here, but the ten points are listed below. Note that we’ve left the HHS footnote numbers in so you can jump directly to the segment of the ruling being referenced for more details.
Business associates are directly liable for HIPAA violations as follows:
- Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance. [4]
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules. [5]
- Failure to comply with the requirements of the Security Rule. [6]
- Failure to provide breach notification to a covered entity or another business associate. [7]
- Impermissible uses and disclosures of PHI. [8]
- Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively. [9]
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. [10]
- Failure, in certain circumstances, to provide an accounting of disclosures. [11]
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements. [12]
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement. [13]
Why Issue the Clarification?
Here’s where we get into a little speculation. HHS issued the clarification to clear up some confusion. That’s always good, but reading between the lines, it’s entirely possible that this action is also a precursor to increased enforcement actions. It certainly makes it easier to hold business associates accountable for violations when the rules are clear.
How Much Are the Fines?
Fines vary based on the severity of the infraction. Tier 4, the most serious level, is described as “willful neglect of HIPAA rules and no effort made to correct the violation within 30 days of discovery.” The maximum penalty at this level is $1.5 million per year.
What Can You Do to Protect Yourself?
The first question you need to ask yourself is: Do we have the skills and bandwidth we need to host a HIPAA-compliant environment for our customers? If the answer to that is No, you need to start a search for a cloud hosting provider ASAP.
You should ask this question even if you’re planning on providing your solutions on a public cloud platform. AWS and Azure have HIPAA compliance packages, but there is still a lot you are responsible for. Reading between the lines, many of the recent violations reported sound like they involved unsecured resources on a public cloud platform.
Those errors are most often the result of not understanding your role in securing a public cloud environment, not understanding the environment itself, or not having enough bandwidth to ensure a secure environment. For ISVs that are stretched thin, it could be all three.
If the answer to that question is Yes/Maybe, you also need to ask: Do we want to spend our time managing our cloud environments, or would we rather focus on creating amazing applications and a superior customer experience?
For the ISVs we work with, customers are always the top priority. By offloading the management of your cloud environment to a managed cloud provider, you can spend more time on the business you love.
If you decide to work with a third party, the final question you need to ask is: Do we have the right managed cloud provider? Not all providers have equal skill sets and capabilities. If you’re in healthcare, you should look for providers that are independently audited and have a number of healthcare customers who can attest to their abilities.
Here are a few case studies of healthcare ISVs we’ve helped:
Have a question? Reach out to us, and we’ll put you in touch with one of our healthcare cloud advisors.