Preparation is key to HIPAA compliance for health IT vendors

Health IT vendors are not breach-proof but should be “breach ready,” according to a Health Care Compliance Association webinar entitled “HIPAA: Marketing and Contracting Solutions for Health IT Vendors.” William J. Roberts, partner at Shipman & Goodwin LLP, discussed strategies for vendors to incorporate compliance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) into negotiations, agreements, and policies.

HIPAA landscape

HIPAA privacy continues to grow in importance for the health care sector, for both covered entities and their vendors. Roberts said that health IT vendors face two challenges: managing covered entity customers that have concerns about HIPAA compliance, a “major undertaking” when a vendor has thousands of covered entity customers, and a regulatory and enforcement landscape that is shifting its focus from covered entities to vendors (see 2017 OCR resolution agreements off to a strong start, June 30, 2017; Business associates no longer second to covered entities as OCR increases focus, November 22, 2016). He pointed out that 60 percent of business associates have suffered a data breach, and in 2016 HHS imposed a $650,000 penalty in the first HIPAA enforcement action against a business associate (see $650K payment, 6 year CAP resolve nursing home ePHI loss, July 1, 2016).

A vendor should already have developed a formal HIPAA compliance program before reaching out to potential customers, and HIPAA compliance should be at the forefront of a vendor’s pitch or response to a request for proposals. The vendor should provide a summary of its HIPAA compliance policies, including their establishment, review, security, and training. A policy summary, said Roberts, is preferable to disclosing the policies themselves, which would be a “roadmap to being hacked.” Roberts also advised vendors to highlight certifications and set forth clear expectations for the privacy aspects of the proposed relationship.

Business associate agreements

The business associate agreement is a vendor’s first opportunity to make a good impression regarding its commitment to privacy. Vendors should have at least one template agreement, or more than one for different types of customers. Roberts advised knowing what a vendor can and cannot agree to before a negotiation and educating the sales team to avoid later back-pedaling on a promise. He also suggested empowering the customer by providing a “menu” of choices that are acceptable to the vendor—for example, a bare-bones breach notice within five days or a more thorough notice at 15 days.

If a vendor’s customers are, or might someday be, substance abuse treatment providers, the vendor should take the same approach to qualified service organization agreements. The vendor should review its customers and prospects to determine whether the “Part 2” confidentiality rules apply to them, and include a provision in the agreement requiring the customer to notify the vendor of its status as a Part 2 program.

Data breach response

No human or service is perfect, and a vendor will probably have a data breach at some point, said Roberts, which makes a detailed data breach response plan “vital.” He identified the following elements of a breach response plan:

  • Develop an incident intake procedure.
  • Identify the leaders and members of the response team.
  • Rely on standard templates and standard works.
  • Consider a “playbook” and/or a breach reporting decision tool.
  • Develop a customer relations strategy before the breach occurs.
  • Have support vendors ready to act.

The vendor should not simply notify the customer that a breach has occurred; it should have a plan and proposal that it can offer the customer. The process should:

  • provide the covered entity the information it needs to fulfill its own legal obligations;
  • reassure the customer that the situation is under control and being handled properly;
  • inform the customer of steps the vendor has taken and is willing to take on behalf of the covered entity;
  • provide a “menu” of services available to the customer; and
  • create a plan for the future—a holistic look at what the company is doing, not just boilerplate language.

OCR paying more attention to HIPAA business associates

The HHS Office for Civil Rights (OCR) is reminding entities classified as business associates (BAs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) that they must allow covered entities (CEs) to access protected health information (PHI) the BAs maintain on the CEs’ behalf. In a recent frequently asked question (FAQ), the OCR advised BAs—defined as persons or entities that perform certain functions or activities that involve the use or disclosure of PHI on behalf of, or provide services to, a CE—of their obligations to use PHI in compliance with the HIPAA Privacy and Security Rules, and in accordance with their BA agreements (BAAs). Its issuance of the FAQ is further evidence of the OCR’s increased focus on BA compliance. For example, the agency has entered into several resolution agreements in 2016 relating to BAs and BAAs, and planned to begin HIPAA audits of BAs in late September.

BAs cannot block CEs’ access to PHI in any manner or to accomplish any purpose that would violate the Privacy Rule. For example, activating a kill switch in electronic health record software developed by the BA in order to make the PHI inaccessible until the CE issues payment to the BA would be a violation. BAs are required to return PHI to CEs, as provided for in their BAAs, in the event of termination of the agreement. BAs must also provide PHI to a CE where it is necessary to fulfill the CE’s duty to provide individuals with access to their PHI.

BAs must also ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) pursuant to the Security Rule. Therefore, a BA cannot deny access to a CE. Furthermore, if a BAA is terminated, the BA must return the PHI in a format that is “reasonable in light of the agreement” in order to maintain accessibility.

Resolution agreements

Prior to 2016, the OCR had not entered into more than six resolution agreements with CEs or BAs in an entire year. As of September 2016, the OCR had entered into 10 agreements, four of which involved BAs, directly or indirectly.

  • North Memorial Health Care. A health care system failed to enter into a BAA with a major contractor that performed certain payment and health care operations activities on its behalf; it also failed to complete a risk analysis. The system paid $1.55 million to resolve the dispute.
  • Raleigh Orthopaedic Clinic, P.A. An orthopedic clinic handed over the PHI of nearly 17,300 patients to an x-ray transfer company with which it considered doing business without first executing a BAA. The clinic paid $750,000.
  • Catholic Health Care Services of the Archdiocese of Philadelphia. A BA that provided management and information technology services to six skilled nursing facilities (SNFs) had a mobile phone containing unencrypted PHI stolen. The BA resolved the dispute for $650,000.
  • Care New England Health System. A health system that provided a hospital with technical support and information security failed to update its BAAs. (For further information, see Health Law Daily, Business associates in hot water over breaches and bad agreements, September 26, 2016.)

The OCR is taking incremental steps to hold BAs accountable for HIPAA compliance. From FAQs to resolution agreements to audits, the agency has put BAs on notice that they will be held accountable for violations.

ONC blog series tries to bust HIPAA information-sharing myths

The Office of the National Coordinator for Health Information Technology (ONC) is trying to shake the Health Insurance Portability and Accountability Act’s (HIPAA’s) (P.L. 104-191) image as a roadblock to information-sharing. In a four-part blog series, Chief Privacy Officer Lucia Savage, J.D., and Privacy Analyst Aja Brooks, J.D., described HIPAA’s promotion of interoperability through permitted uses and disclosures that do not require covered entities (CEs) to first obtain written authorization from the patient. The posts provided real-life examples of permitted uses and disclosures involved in exchanges for both treatment and health care operations.

If an individual authorizes a release of protected health information (PHI) in writing, including when she requests that the PHI be sent directly to a third party, a CE or business associate (BA) must generally comply. However, CEs and BAs are often uncomfortable releasing PHI when such authorization has not been given. The blogs emphasize that HIPAA provides for the release of PHI for treatment and health care operations of either the disclosing CE or the recipient CE (45 C.F.R. 164.506(c)). Treatment is defined pursuant to 45 C.F.R. 164.501 and includes, in addition to traditional treatment, referrals, coordination of health care services with a third party, and consultation between providers. A disclosing provider is responsible for disclosing the information in a permitted and secure manner, such as via certified electronic health record technology (CEHRT), but will not be liable for any actions that the recipient takes with that information.

Health care operations

Covered entities may also disclose information to other CEs or their respective BAs without authorization in certain circumstances related to health care operations, including those involving case management and quality assessment and improvement. In all instances, both CEs involved in the exchange must have an existing or previous relationship with the patient, the requested PHI must pertain to that relationship, and the disclosing CE must release only the minimum necessary information. For example, a physician may disclose minimum necessary PHI related to diabetic and pre-diabetic patients to a health management company that is a BA of a health plan (CE) so that the health management company can, at the health plan’s request, provide semi-monthly nutritional advice to members. The ONC also indicated that providers who are part of an accountable care organization (ACO) and operate as an organized health care arrangement (OHCA) may provide PHI to the ACO’s quality committee for quality assessment purposes if, for example, the ACO is looking to improve its rate of hospital-acquired infections. Similarly, a provider may provide PHI about a current patient to the patient’s former provider if the former provider needs that information for quality assessment.

HIPAA: a tool for sharing?

The blog authors explained that HIPAA is not only a tool to protect PHI, but can be used to enable access to that same information when necessary for patient care. They hoped that the posts “shed some light on how HIPAA supports the goal of nationwide, interoperable exchange of health information for patient care and health.” Perhaps wary providers will take note.