Business Associate Compliance with HIPAA: Findings from a Survey of Covered Entities and Business Associates

Authors: Deven McGraw, Partner, Healthcare Industry, Manatt | Susan Ingargiola, Director, Manatt Health | Kier Wallis, Manager, Manatt Health

Editor’s Note: The Health Insurance Portability and Accountability Act (HIPAA)¹ permits healthcare providers and health plans (known as Covered Entities) to share health information with third-party vendors, referred to as “Business Associates” under HIPAA’s regulations. In 2009, Congress made Business Associates directly accountable to regulators for compliance with most of HIPAA’s regulations. Regulations to effect that change were finalized in 2013.

To assess Business Associates’ compliance with their obligations to protect health information under HIPAA, Manatt Health has produced a new report, funded by the California HealthCare Foundation, that provides an overview of the types of services Business Associates provide to Covered Entities, describes the efforts Business Associates and Covered Entities are making to satisfy HIPAA’s privacy and security requirements, and makes recommendations to improve Business Associate compliance with HIPAA.

The report was informed by telephone interviews with 16 Covered Entities and 5 Business Associates.² Key themes that emerged from the interviews are summarized below. To download a free copy of the full report, click here.
____________________

Understanding the Legal Landscape Governing Business Associates

HIPAA is the principal federal law regulating health information privacy. It applies to Covered Entities, which broadly consist of healthcare providers, health insurers and healthcare clearinghouses. (Healthcare clearinghouses convert data from HIPAA standard formats to nonstandard formats—or vice versa—in connection with certain types of transactions carried out between providers and health plans.)³

The HIPAA Privacy Rule establishes the circumstances under which protected health information (PHI) can be accessed, used or disclosed and grants individuals certain rights to their own health information.⁴ The HIPAA Security Rule mandates appropriate administrative, physical and technical safeguards to help ensure the confidentiality, integrity and security of PHI stored electronically.⁵

In addition to Covered Entities, HIPAA also addresses Business Associates, who, on behalf of a HIPAA Covered Entity, perform functions or services that include PHI.⁶ An entity qualifies as a Business Associate if it “creates, receives, maintains or transmits” PHI “on behalf of” either a Covered Entity or another Business Associate (e.g., if it is a subcontractor).⁷ Specifically, a Business Associate is a person or entity who is not a member of the Covered Entity’s workforce but is performing a function or activity involving the use or disclosure of PHI.

Historically, HIPAA did not apply directly to Business Associates and their subcontractors. Instead, Covered Entities were required to obtain written Business Associate Agreements (BAAs), ensuring that their Business Associates would:

• Use PHI only for the purposes for which they were engaged,
• Safeguard PHI from misuse, and
• Help Covered Entities comply with their responsibilities under the Privacy Rule.⁸

That changed when Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Business Associates now are subject to civil and, in some cases, criminal penalties for uses and disclosures of PHI in violation of HIPAA or their BAAs.⁹ Business Associates also are directly liable and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule.¹⁰

Importantly, HITECH grants HIPAA enforcement authority to state attorney generals, meaning that state authorities may pursue remedies for a HIPAA violation if the Department of Health and Human Services (HHS) or another federal department does not.¹¹ Generally, there is no private right of action under HIPAA (i.e., individuals cannot sue Covered Entities or Business Associates for HIPAA violations).

Many states have enacted their own statutes to protect the privacy and security of health information.¹¹ HIPAA preempts state laws that conflict with it or provide less privacy protection, but state laws that are more protective continue to apply.¹²

Summarizing Key Themes from Covered Entity Interviews

The 16 Covered Entities interviewed on Business Associates’ compliance with HIPAA include large health systems, integrated delivery networks, small physician offices, health centers, pharmacies, health plans and government payers. Following is a summary of the key themes that emerged from our discussions:

1. Number, Size and Characteristics of Business Associates Used by Covered Entities
   • The number and size of Business Associates used by Covered Entities varies widely, ranging from as low as 4 to as high as 10,000 among the entities interviewed.
   • Large covered entities find it a challenge to keep an accurate count of Business Associates, due both to volume and the fact that the origination and management of Business Associate relationships often occur throughout the organization. Business Associates can be hired and managed by various business units rather than the legal or compliance office, making it difficult to have confidence in the absolute number.
2. Types of Services Performed by Business Associates; Determining Which Vendors Are Business Associates
   • Business Associates perform a wide array of services for Covered Entities. The types of services Business Associates provide include transcription, accreditation, registry management, data center hosting, care management, utilization monitoring, provider credentialing, quality improvement, research, electronic health records and health information exchange, practice management and billing, claims coding, customer service, IT support, software application development and many more.
   • Covered Entities frequently characterize all vendors as Business Associates. This allows them to be conservative with respect to compliance and have a more efficient “one-size-fits-all” approach to managing vendors.
3. Business Associate Sophistication about HIPAA
   • Most Business Associates, especially larger ones, have roles or offices dedicated to HIPAA compliance. Covered Entities consider the absence of a dedicated role or office as a “red flag” that the Business Associate is not sophisticated about HIPAA.
   • Small Business Associates that are new to healthcare (e.g., software vendors) are more likely to be unfamiliar with their HIPAA obligations. When Business Associates are smaller, new to healthcare and/or unfamiliar with HIPAA obligations, it places significant stress on the relationship between the two organizations. In those cases, Covered Entities also have greater concerns about Business Associates’ ability and intent to comply with HIPAA.
4. Covered Entities’ Efforts to Evaluate Business Associates’ Capacity for Compliance (i.e., Due Diligence)
   • Covered Entities do not feel they have enough resources to evaluate thoroughly Business Associates’ compliance with HIPAA and their BAAs. Even when due diligence is performed, they struggle with balancing due diligence needs with the business need to execute contracts in a timely manner.
   • Given their limited resources, most Covered Entities perform investigations only of “high risk” Business Associates’ capacity for compliance (e.g., those Business Associates who access electronic PHI).
   • Covered Entities rely on their IT staff’s expertise when evaluating a Business Associate’s security policies and practices.
5. Covered Entities’ Interactions with Business Associate Personnel and Experience Negotiating BAAs
   • Large Business Associates have compliance departments that serve as the main point of contact both when negotiating the BAA and throughout the relationship. When a Business Associate does not have a compliance department, it generally relies on its business managers to coordinate with the Covered Entity on HIPAA compliance matters.
   • Covered Entities prefer to use their standard BAA templates. The standard templates often track to the BAA template created by the HHS Office for Civil Rights (OCR).
   • When BAA negotiations occur between a Covered Entity and a Business Associate, they often relate to provisions that are not mandated under HIPAA. These additional provisions frequently relate to indemnification and the time frame for breach notification.
6. Covered Entities’ Ongoing Oversight of Business Associate Compliance
   • Covered entities employ varying levels of oversight over Business Associates’ compliance with HIPAA and BAAs. Several entities report that when they weigh the costs of performing oversight with the risks of a breach or other violation, the costs outweigh the benefits of ongoing monitoring.
   • Most Covered Entities do not audit their Business Associates' compliance. Those that do tend to focus on their Business Associates’ compliance with HIPAA’s security requirements.
   • Most Covered Entities do not ask to see their Business Associates’ HIPAA-required risk analysis or policies and procedures. Several Covered Entities hypothesized that most Business Associates have not performed risk analyses, despite the legal mandate that they do so. On the other hand, many Covered Entities noted that their BAAs require Business Associates to attest that they have performed risk analyses and adopted the necessary policies and procedures.
7. Covered Entities’ Experience with Business Associates During a Breach
   • Differences in Covered Entities’ legal obligations under federal and state law make compliance with breach notification challenging for both Covered Entities and Business Associates. For example, California breach law differs from federal law in important ways, including but not limited to the time frame within which breach notifications must be made.
   • Covered Entities interviewed have not received many breach reports from Business Associates. Of those relatively few breaches, most were not IT security violations by outside hackers but rather some type of human error.
8. Rules Governing Business Associates’ Handling and Return or Destruction of PHI
   • Most Covered Entities do not allow Business Associates to store PHI offshore.If they do, they engage in a more thorough review of the Business Associates’ security systems.
   • Most Covered Entities do not permit their Business Associates to de-identify their PHI and use it for commercial purposes, even though that’s allowed under HIPAA. Some have not had to set policies on this issue, because no Business Associate has requested this authority.
   • Most Covered Entities do not have processes in place to ensure that Business Associates destroy or return PHI when the relationship ends. Of those that do, the business relationship manager, rather than the legal or compliance officer, generally plays an important role in the process.
9. Covered Entities’ Perceptions of Business Associate Compliance after HITECH
   • Vendors of cloud storage services are now more likely to consider themselves to be Business Associates. Since HITECH expanded the definition of a Business Associate, Covered Entities report that companies that previously argued they were not Business Associates have begun to sign BAAs.
   • Covered Entities’ perceptions of Business Associate compliance with HIPAA after HITECH’s enactment vary widely. Some view Business Associates’ direct accountability to regulators as a positive development. Others believe it makes little difference.
   • Some Covered Entities think that direct regulation of Business Associates under HIPAA has made BAAs unnecessary.Others still find BAAs worthwhile, because they provide legal protections, assign responsibilities for different tasks, address business provisions not covered by HIPAA, and reinforce the need for confidentiality.

Summarizing Key Themes from Business Associate Interviews

The five Business Associates interviewed for the report include technology and software vendors, as well as health information networks. Following is a summary of the key themes raised during our conversations:

1. HIPAA Compliance
   • Large Business Associates generally have more resources and are better equipped to comply with HIPAA. While all Business Associates report that finding staff with HIPAA compliance and security expertise is a challenge, larger Business Associates have the resources to recruit and hire individuals with relevant backgrounds. Smaller Business Associates end up relying on people with general or IT-specific compliance knowledge or outsourcing the HIPAA compliance function.
   • Business Associates are challenged to track and comply with the varying terms of BAAs across multiple Covered Entities. Some say that eliminating the requirement for BAAs would free up resources to focus on “real” compliance rather than updating agreements.
   • Business Associates may experience “audit fatigue” and lack the staff and resources to support frequent audit requests. Some large Business Associates seek third-party audits to try and satisfy audit requests from their customers.
   • Business Associates worry that small and solo physician practices are not prepared to comply with HIPAAand that downstream vendors sign BAAs without fully understanding their obligations under the Privacy and Security Rules.
2. Training
   • Training varies widelyamong Business Associates.
   • Larger Business Associates are more likely to offer established training and compliance programs. Smaller Business Associates may refer employees to standard training and education materials from OCR.

Summarizing Key Recommendations for Improving HIPAA Compliance

Our interviews revealed several key recommendations for improving HIPAA compliance. Both Covered Entities and Business Associates suggested that particularly smaller organizations would benefit from additional education and training. Both segments appeared willing to disseminate education and training materials within their organizations.

Some—though not all—of the Covered Entities and Business Associates also suggested a voluntary third-party certification process for Business Associates. The voluntary certification would ensure Covered Entities that Business Associates meet a minimum level of HIPAA compliance. If widely accepted by Covered Entities, the certification also could save Business Associates time and money by reducing due diligence/audit requests.

Other strategies and themes that were raised to support improved compliance include:

• Greater standardization—such as of BAAs, due diligence, risk assessments and certification—to minimize the burden of HIPAA compliance.
• Assessment tools to help Covered Entities evaluate and manage Business Associates.
• Resources to perform increased audits to ensure Business Associate compliance.
• Specific materials and guidance detailing HIPAA obligations for software application developers and other cloud-based vendors new to healthcare.
• Education or training clearly defining who is—and who is not—a Business Associate.
• The establishment of a Compliance Officer Peer Network to share best practices.
• A reevaluation of BAAs to determine whether they continue to be necessary.

Conclusion

Business Associates and Covered Entities play key roles in delivering healthcare. Many struggle with HIPAA compliance, however, as they focus the majority of their resources on their core businesses and caring for patients. Particularly smaller organizations are seeking additional training and education. In addition, some Covered Entities and Business Associates are considering how a voluntary third-party certification process might ease their burden, as well as set a “gold standard.” Finally, there is a growing demand for standardizing BAAs and developing innovative tools to help new and small Business Associates understand and comply with HIPAA.

Taking these actions could promote awareness among both Business Associates and Covered Entities of their obligations under HIPAA. As a result, they could ultimately lead to a broader culture of awareness and compliance.