Q&A: HIPAA Compliance for Business Associates
Rachel V. Rose, JD, MBA, presented the webinar “HIPAA Compliance for Business Associates” recently and a recording can be viewed here. Rachel returned to answer many commonly asked questions from the webinar. Be sure to sign up for Rachel’s next webinar, The New AKS and Stark Laws Final Rules – Key Take-Aways about the Final Rules taking effect Jan 1, 2021. This webinar is happening December 17, 2020, 12 pm ET. Sign up here.
Are business associates subject to HIPAA penalties?
Yes. As stated in both the HITECH Act and the Final Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013), business associates, which include subcontractors, can be held directly liable for HIPAA violations. For example, in 2016, a business associate’s failure to safeguard the protected health information of nursing home residents led to a $650,000 monetary penalty being assessed by HHS OCR. (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html)
If you were to give business associates and subcontractors one item that they need to do annually, what would it be?
Annual Risk Analysis because all technical, administrative and physical safeguards would be identified and corrected.
Is an indemnification provision required in BAAs?
No. In my practice, I see them included quite a bit; however, this particular provision is not a requirement under 45 CFR §164.504(e)(1) or that HHS indicated was preferred. See https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
Are class action cases something that should be considered as part of an enterprise risk management program?
Yes. The financial, legal, and reputational costs can be great and need to be considered. A good example of a HIPAA data breach which led to both an HHS OCR enforcement action of $16 million and a class action lawsuit settlement in excess of $115 million is Anthem BlueCrossBlueShield. An article that I wrote for Physicians Practice details these issues – https://www.physicianspractice.com/view/class-action-lawsuits-can-result-from-a-protected-health-information-data-breach.
Should business associates be familiar with the 21st Century Cures Act, as well as the ONC and CMS Final Rules?
Yes. There is an intersection between HHS HIPAA App Guidance and the ONC and CMS Final Rules, in terms of patients accessing their data through apps. Be aware of unsecure apps and stay abreast of the compliance dates.
Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) – represents clients on healthcare, cybersecurity, securities and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at rvrose@rvrose.com.
Be sure to look up a recording of this webinar on YouTube and a recording with Rachel on our podcast, 1st Talk Compliance. Take a look at our brand-new book: HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA?, and HIPAA Business Associate Agreements Under HITECH. And check out Rachel’s other blogs Q&A: HHS Final Rules, Patient Access to PHI & Health Apps Intersect, Recent HHS Guidance Underscores the Importance of HIPAA Compliance and Q&A: HIPAA and Health Apps.