“WHY” the Final Rule & Health Data Breach

Just the facts…

An Article by Judith Lindsay

The July 2014 report from the Office of Civil Rights (OCR), as published by Melamedia, LLC (www.melamedia.com), stated that from June 18 through July 17, 2014 there were 1026 health data breaches affecting 500 patients or more, totaling over 499,753 patients. Of those, 297 incidents involved a health care related Business Associate.

The number of patients affected overall since the OCR started publishing data is an astounding 32,150,360. The total population of the United States in 2013 was 316.13 million. That is one in ten of the total U.S. population who has had their personal health information (PHI) involved in a reported data breach.

Data Breach

Did you know that currently there are over 76 health care related business types that are considered a Business Associate? The Omnibus Rule revised the definition of a business associate to include an entity that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity (45 C.F.R. 164.502(e)). Further, DHHS clarified the definition of a subcontractor in 160.103 to read “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”

The new compliance language has been challenging for both the Business Associate and the medical provider (covered entity). As I perform my compliance assessments for my clients, the area of Business Associates, along with the contract/agreement, does not meet the regulatory requirements 9 out of 10 times. Furthermore, many of the Business Associates have not provided the needed contract/agreement to our mutual client. In speaking to many Business Associates, I have found everything from a lack of knowledge or education about their possible liability to negligence and outright disregard of their obligations under HIPAA (45 C.F.R. 164.504(e)).

One such Business Associate responded to my email that (they) “do not know the real purpose of these things and there are all kinds of versions (business associate agreements) floating around the internet.” I provided him with the Health Information Privacy section for Business Associates from DHHS as well as an updated sample Business Associate agreement. As I do with all the Business Associates that I speak to, I suggested that they consult their attorney, as there is liability for any violations determined to be their company's doing. Companies should be diligent and prudent in understanding their possible liability and the financial loss to their company, should it be determined that the company is the responsible party for a data breach of private health information (PHI).

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule from DHHS, 45 C.F.R. 164.502(e), states “that a covered entity must obtain satisfactory assurances from its business associates, that the business associate will appropriately safeguard the protected health information (PHI) it receives, creates, maintains or transmits on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

The Final Rule brought heightened requirements for Business Associates, who are directly liable for impermissible uses and disclosures of PHI, but not for all the requirements of the HIPAA Privacy Rule. Business Associates may use or disclose PHI only as permitted or required by their Business Associate contracts/agreements or as required by law. Generally, a Business Associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity.

Covered entities are obligated to enter into contracts/agreements with Business Associates, and Business Associates with their subcontractors. Each party must obtain satisfactory assurances that the other will comply with the privacy requirements.

Business Associate contracts/agreements must now include the following required statements:

- The Business Associate will comply with the Security Rule with regard to electronic PHI.

- The Business Associate will report data breaches of unsecured PHI to the covered entity.

- The Business Associate will ensure that subcontractors that create or receive PHI on behalf of the Business Associate agree in writing to the same restrictions and conditions that apply to the Business Associate with respect to such information.

The Omnibus Rule states that both covered entities and business associates are liable under 160.402(c) regardless of whether there is a contract or agreement between the Business Associate and the covered entity. The Business Associate will be held jointly and directly liable for any violations, facing the same criminal and civil penalties as the covered entity under the Enforcement Rules.

In recent guidance, DHHS states: “we refer Business Associates to our educational papers and other guidance on compliance with the HIPAA Security Rule at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. These materials provide guidance on conducting risk analyses and implementing the other administrative safeguards required by the Security Rule, which may prove helpful to these business associates and facilitate their compliance efforts.”

Data Breach Medical

Just the facts…

- HIPAA compliance effective date was March 26, 2013.

- Compliance due date was September 23, 2013.

- Existing Business Associate contracts/agreements may be eligible for a one-year transition period before amendments are required.

- The Privacy and Security Rule under HIPAA requires accountability and compliance for all parties dealing with PHI and ePHI.

This is YOUR business!
