A recent complaint filed by the Minnesota Attorney General against a HIPAA business associate seeks statutory damages for multiple alleged violations of the HIPAA Security Rule. Coming on the heels of last year’s HHS OCR enforcement against HIPAA covered entities, this latest action should put all business associates on notice that enforcement authorities now have them squarely in their sights.
What makes this enforcement especially noteworthy is its target. Until now, HIPAA enforcement has been limited to covered entities, because under “HIPAA 1.0” a business associate was bound only by its contractual obligations to the covered entity. Under the HITECH statute, however, the provisions of the Security Rule (i.e., 45 CFR sections 164.308, 164.310, 164.312, and 164.316) apply directly to a business associate of a covered entity in the same manner as they apply to the covered entity itself. The absence of final implementing rules from the U.S. Department of Health and Human Services (“HHS”) does not create a temporary safe harbor. As this lawsuit highlights, business associates of HIPAA covered entities are already required by statute to comply with the HIPAA Security Rule.
As is often the case, a missing laptop triggered the chain of events that led to the enforcement action. The laptop, belonging to an employee of the hospital’s HIPAA business associate, was unencrypted and contained the data of more than 23,000 hospital patients; it was stolen from the back seat of a rental car. On that computer were names, addresses, dates of birth, Social Security numbers, other identifiers, clinical information (including diagnoses and conditions), and financial information of hospital patients. The hospital met its HIPAA breach notification obligations, but the business associate’s underlying failure to comply with the HIPAA Security Rule nevertheless triggered the enforcement action. According to the complaint, the business associate failed to do the following:
- Implement policies and procedures to prevent, detect, contain, and correct security violations.
- Implement policies and procedures to ensure appropriate access to electronic protected health information by its workforce.
- Effectively train all members of its workforce.
- Identify and respond to security incidents, and to mitigate the harmful effects of such incidents.
- Implement policies and procedures to limit physical access to its electronic information systems.
- Implement policies and procedures to govern portable media containing electronic protected health information (“PHI”).
- Implement technical policies and procedures regarding access rights for electronic information systems that maintain electronic PHI.
- Implement reasonable and appropriate policies and procedures to comply with the Security Rule.
What Can Business Associates Learn From This Enforcement?
We suggest increased awareness, analysis, and action.
- Awareness. Business associates must recognize that the HIPAA Security Rule now applies directly to them. This may come as a surprise to many.
- Analysis. HIPAA requires a business associate to perform a risk analysis (45 CFR 164.308(a)(1)(ii)(A)) assessing the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI it holds.
- Action. Armed with its risk analysis, the business associate must implement the required administrative, physical, and technical safeguards, including documented policies and procedures and workforce security awareness and training.
Now that the precedent has been set, we anticipate that many more business associates will be targeted by both HHS OCR and state attorneys general. Business associates must make HIPAA compliance a priority to avoid becoming the next target. We have experience with HIPAA compliance and can help navigate the regulatory landscape.