Contractual Obligations

A lawyer specializing in health care and privacy and data security regulations talks of business associate agreements and service contracts under HIPAA/HITECH.

While the Department of Health and Human Services Office for Civil Rights has yet to release the final Privacy and Security Rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act, records and information management firms should already be thinking about their obligations under the Health Insurance Portability and Accountability Act (HIPAA) as a result of HITECH.

Storage & Destruction Business (SDB) Editor DeAnne Toto recently asked Gina M. Kastel, a partner in the law firm Faegre Baker Daniels’ Minneapolis office, about the nature of the changes to the HIPAA Security Rule as well as the Security Breach Notification and how these changes will affect RIM firms.

Kastel specializes in health care and privacy and data security regulations. Her experience includes advising health care providers, medical device manufacturers and software companies regarding health information privacy issues, including compliance with HIPAA’s privacy and security regulations, as well as drafting and negotiating agreements for professional services.

Kastel also offers her advice for how RIM companies can best update the language in their service contracts to reflect these responsibilities as well as the changes they could see in their health care clients’ business service agreements.


SDB: Please begin by providing an update on the current status of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Security Breach Notification.

Gina M. Kastel (GMK): The HIPAA Security Rule, which regulates the security of electronic protected health information, has been enforced since 2005. Since the enactment of the HITECH Act, the Security Rule has applied to business associates as well as to HIPAA covered entities. A covered entity includes a health plan, health care clearinghouse or health care provider that conducts HIPAA covered transactions. A business associate is a vendor that provides administrative services to or on behalf of a covered entity that involve the creation, use or disclosure of protected health information. A data storage or destruction company could be a business associate depending on circumstances.

In addition to the Security Rule, under the HITECH Act, there is also an obligation to give notice of breaches of “unsecured” protected health information. Unsecured protected health information is any information that has not been encrypted or destroyed using guidelines published by the federal government and includes paper records as well as electronic information. A security breach is defined as the acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted by the HIPAA privacy regulations that compromises the security or privacy of the information. A use or disclosure compromises the security or privacy of the information if it poses a significant risk of financial, reputational or other harm to the individual. If a breach occurs, the covered entity must give notice to the affected individuals and, in some circumstances, to the local media. A business associate that causes a breach must inform the covered entity, which then notifies the individuals.


SDB: Can you explain how the HITECH (Health Information Technology for Economic and Clinical Health) Act helped to strengthen HIPAA?

GMK: The HITECH Act strengthened HIPAA in several ways. Specifically it: (a) increased the penalties for violations of HIPAA, (b) added the Security Breach Notification requirement, (c) made certain provisions of the HIPAA Privacy and Security Rule directly applicable to business associates, (d) gave state attorneys general the power to sue for HIPAA violations and (e) imposed additional restrictions under the Privacy Rule for certain uses of protected health information, including marketing and sales of protected health information.


SDB: How will these changes affect covered entities and their business associates/subcontractors?

GMK: Both covered entities and business associates must ensure they properly report breaches of unsecured protected health information.

Business associates for the first time have had to comply with the HIPAA Security Rule with respect to electronic protected health information. Among other things, this means they must conduct and document a security risk assessment and implement physical, technical and administrative safeguards to protect the confidentiality, integrity and availability of the electronic information.


SDB: How have you advised your health care clients to adjust their business associate agreements to reflect these changes?

GMK: We are still awaiting the final privacy regulations under HITECH, which will address the business associate agreement requirements. Even without the final rules, we have seen covered entities and business associates being much more careful about certain aspects of their relationships because of the new obligations under HITECH. For example, we are seeing more requests from covered entities for their business associates to indemnify them for costs incurred as a result of security breaches.


SDB: How should records and information management firms adjust their service contracts to reflect these changes? Is there any specific language they should include?

GMK: Records and information management firms are likely to be business associates and must take stock of their compliance with the new requirements under the HITECH Act. For example, they should ensure they have met all applicable provisions of the HIPAA Security Rule with respect to electronic protected health information. Mobile devices in particular create many challenges, and good security policies and procedures are essential. Companies also need to ensure they are tracking uses and disclosures of information in a way that permits them to identify security breaches and report them in a timely manner.


SDB: If a security breach occurs and the language in a hospital's business associate agreement differs from that of the RIM firm's service contract, which will take precedence?

GMK: A business associate agreement’s provisions regarding the privacy and security of protected health information will generally take precedence over an underlying services agreement if the two conflict. Many business associate agreements state this expressly.


SDB: Has HIPAA/HITECH affected the relationship between health care providers and their records and information management services providers?

GMK: There are many trends in health care that make strong partnerships between providers and information management companies important. For example, providers need a variety of data and sophisticated analysis to demonstrate compliance with new performance-based payment systems, such as value-based purchasing, accountable-care organizations and shared savings programs. The stakes are higher, however, from a HIPAA compliance perspective because of the new obligations for covered entities and business associates under HITECH.

Information management companies need to be well-versed in HIPAA’s provisions. Those that can show they have strong systems in place to ensure the privacy and security of protected health information will have an advantage in the market in attracting sophisticated provider clients.


Gina M. Kastel is a partner in the Minneapolis office of Faegre Baker Daniels. She can be contacted at gina.kastel@FaegreBD.com.
