The HHS Office for Civil Rights (OCR) is reminding entities classified as business associates (BAs) under the Health Information Portability and Accountability Act (HIPAA) (P.L. 104-191) that they must allow covered entities (CEs) to access protected health information (PHI) the BAs maintain on the CEs’ behalf. In a recent frequently asked question (FAQ), the OCR advised BAs—defined as persons or entities that perform certain functions or activities that involve the use or disclosure of PHI on behalf of, or provide services to, a CE—of their obligations to utilize PHI in compliance with the HIPAA Privacy and Security Rules, and in accordance with their BA agreements (BAAs). Its issuance of the FAQ is further evidence of the OCR’s increased focus on BA compliance. For example, the agency has entered into several resolution agreements in 2016 relating to BAs and BAAs, and planned to begin HIPAA audits of BAs in late September.
BAs cannot block CEs’ access to PHI in any manner or to accomplish any purpose that would violate the Privacy Rule. For example, activating a kill switch in electronic health record software developed by the BA in order to make the PHI inaccessible until the CE issues payment to the BA would be a violation. BAs are required to return PHI to CEs, as provided for in their BAAs, in the event of termination of the agreement. BAs must also provide PHI to a CE where it is necessary to fulfill the CE’s duty to provide individuals with access to their PHI.
BAs must also ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) pursuant to the Security Rule. Therefore, a BA cannot deny access to a CE. Furthermore, if a BAA is terminated, the BA must return the PHI in a format that is “reasonable in light of the agreement” in order to maintain accessibility.
Prior to 2016, the OCR had not entered into more than six resolution agreements with CEs or BAs in an entire year. As of September 2016, the OCR had entered into 10 agreements, four of which involved BAs, directly or indirectly.
- North Memorial Health Care. A health care system failed to enter into a BAA with a major contractor that performed certain payment and health care operations activities on its behalf; it also failed to complete a risk analysis. The system paid $1.55 million to resolve the dispute.
- Raleigh Orthopaedic Clinic, P.A. An orthopedic clinic handed over the PHI of nearly 17,300 patients to an x-ray transfer company with which it considered doing business without first executing a BAA. The clinic paid $750,000.
- Catholic Health Care Services of the Archdiocese of Philadelphia. A BA provided management and information technology services to six skilled nursing facilities (SNFs) whose mobile phone containing unencrypted PHI was stolen. The BA resolved the dispute for $650,000.
- Care New England Health System. A health system that provided a hospital with technical support and information security failed to update its BAA agreements. (For further information, see Health Law Daily, Business associates in hot water over breaches and bad agreements, September 26, 2016.)
The OCR is taking incremental steps to hold BAs accountable for HIPAA compliance. From FAQs to resolution agreements to audits, the agency has put BAs on notice that they will be held accountable for violations.