HIPAA business associates can expect more penalties ahead

HIPAA business associates can expect more compliance penalties in 2017. MSPs should take steps to ensure they are meeting the requirements.

A major initiative in 2016 to enforce compliance with the Health Insurance Portability and Accountability Act is a sign of things to come, and MSPs need to be prepared, industry experts said.

In 2016, the total amount of settlement fines was $23.5 million, compared to $6.1 million in 2015. Since MSPs that handle electronic personal health information (ePHI) are liable as HIPAA business associates for mishandling the information, the stakes are high for those in this type of business.

The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) took enforcement action against a HIPAA business associate in 2016, finding that Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) had not taken any action to comply with its obligations to safeguard ePHI. CHCS also had not put policies and procedures in place to establish the required processes for assessing or analyzing its information systems. Further, it had no incident response program or contingency plan, and it generally did not fulfill the responsibilities required of HIPAA business associates, according to David Holtzman, vice president of compliance strategies at CynergisTek.

Additionally, the U.S. Government Accountability Office (GAO) issued a report critical of the OCR for not enforcing HIPAA compliance. Specifically, the OCR was told it needed to improve its oversight of corrective action plans that are negotiated in lieu of a financial penalty, said Mike Semel, founder and CEO of Semel Consulting.

HIPAA compliance: What partners must know

First, MSPs must determine whether they are HIPAA business associates. A HIPAA business associate is a contractor or vendor to a HIPAA-covered entity that creates, maintains or transmits protected health information while performing a function or service for the covered entity, Holtzman said. An example would be an MSP that provides IT services and support to one or more healthcare facilities or skilled nursing facilities and, in doing so, handles or processes patient data, he said.


There are a couple of important takeaways from the OCR's surge in enforcement last year. About 1,800 large breaches and tens of thousands of complaints are reported every year, Holtzman said. The vast majority of cases are resolved informally through voluntary compliance actions on the part of the HIPAA-covered entity or business associate, he said. That means no fine or penalty is levied, and the case is closed with no continued monitoring or reporting required of the covered entity or business associate.

"Cases that were resolved with formal enforcement represent incidents in which OCR, in its investigating, determined that there were systemic management failures to establish or maintain programs to safeguard protected health information, or to have appropriate policies in place as required by the HIPAA privacy, security and breach notification rules," Holtzman said.


Privacy and security are the most important aspects of HIPAA compliance, along with the ability to reduce fraudulent activity, stressed Anurag Agrawal, CEO of Techaisle.

Being a HIPAA business associate is not for the faint-hearted. Responsibility for HIPAA compliance is a huge challenge and is "tedious to not only implement but manage as the legislation continues to evolve," Agrawal said. "Especially for MSPs, the complexity increases because they have not only to ensure that they are compliant but their clients are also compliant."

HIPAA business associates should expect more penalties

Semel believes there will be more penalties for HIPAA business associates in 2017, "simply because of timing."

It typically takes OCR about three years to issue a penalty after a breach or complaint, he noted. "Since [HIPAA] business associates first became liable for HIPAA violations in 2013, it seems logical that the OCR has investigations in the pipeline that will result in business associate fines."

The OCR issued guidance "that made it clear that cloud services and data centers are business associates under HIPAA," he added. "Many were in denial, and I wouldn't be surprised, based on the fact that enforcements sometimes take three years after an incident to be resolved, that there may be some cloud service penalties in the works."


Already, the first financial penalty in 2017 was levied against a healthcare organization that failed "to implement or delayed implementing other corrective measures it informed OCR it would undertake," Semel noted. This indicates that OCR will be going back through years of negotiated corrective action plans to validate that they have been properly addressed, he added.

Last year's crackdown is an opportunity for MSPs to look at their organizations to evaluate whether they meet the standards for HIPAA compliance and the security, privacy and breach notification rules, Holtzman said. This way, they can determine what steps they should take to protect the health information they handle and to identify the threats posed by hackers and ransomware.

"The enforcement action OCR took against [CHCS] serves as a wakeup call to MSPs to evaluate the steps they have taken and the state of their compliance programs," he said. "This is something they should have been doing all along, and indicates there are some participants in the marketplace who are not doing that."


Semel warned that the OCR is not the only enforcement entity MSPs have to worry about. The Federal Trade Commission has issued severe penalties for HIPAA data breaches through its wide reach to protect consumers, he noted. State attorneys general have also enforced HIPAA, he said.

"There are lawsuits after every data breach. And cyber liability insurance policies may not pay off if the MSP has not done everything right," he added. "The MSPs we train know they should have good Errors & Omissions insurance, in addition to working hard to do everything right."

How MSPs can cope with the risks

One of the most important areas that MSPs should invest in is education and training to deeply understand HIPAA compliance and how it can be managed, Agrawal said.

"Most MSPs lack the skill sets and the resources ... to understand how to enable technology that [establishes] compliance and then the resources to constantly update technology," he said. "This year, if MSPs do only [one] thing to succeed, it should be conducting a deep audit of themselves and their clients. They would be doing themselves a huge favor."

Semel believes this is a transition year for HHS and OCR because of the change in administration. President Trump, like his predecessors, froze all proposed initiatives from the previous administration, he said. "I believe there are already a lot of investigations in the pipeline that will result in penalties, and an increase in audits, but nothing else really new."

HIPAA has always enjoyed bipartisan support, Semel added. "A change at the White House is unlikely to unravel over 20 years of legislation and rule-making." Semel thinks Congress and the White House will be busy dealing with Obamacare, immigration, border protection, climate change and a lot of other issues brought up during the campaign.

"At no time did I hear any politicians talking about HIPAA, so I don't think it will get a lot of attention."
