September is fast approaching. And if you're classified as a HIPAA business associate, that could only mean one thing: it's crunch time. By September 23, you should have already complied with the requirements in HIPAA/HITECH's Final Rule. Some of those requirements affect file transfers involving protected health information.
So if you share files with people in the healthcare industry or if you operate in the industry yourself and share files with others, I suggest you start reviewing your file transfer systems and procedures to see if they are HIPAA compliant.
The Final Rule, which reflects the statutory amendments introduced under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), makes significant changes to the original HIPAA regulation. Before it was introduced, business associates were not as deeply involved in regulatory compliance activities as covered entities. But now, if you're a business associate, you are mandated to implement the HIPAA administrative, physical, and technical safeguards - just like covered entities.
We already did a thorough discussion on HIPAA-compliant file transfers in general, so if you're totally unaware of your obligations when transferring files containing protected health information (PHI), I suggest you read the post Guide to HIPAA Compliant File Transfers first. That guide used to be applicable to covered entities only. But with the latest developments in HIPAA/HITECH, business associates should find it pretty useful too.
What is a HIPAA business associate?
A business associate is a person who performs certain functions or provides certain services involving protected health information (PHI) on behalf of or to a covered entity.
Note: In the language of HIPAA, a 'person' means "a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private."
These functions involve creating, receiving, maintaining, or transmitting PHI and can include:
- claims processing or administration,
- data analysis,
- processing or administration,
- utilization review,
- quality assurance,
- certain patient safety activities,
- benefit management,
- practice management, and
Services may include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
A business associate can also be:
- a Health Information Organization, E-prescribing Gateway, or other person who provides data transmission services involving PHI to a covered entity and has to access the PHI on a routine basis;
- a person who offers a personal health record solution to at least one individual on behalf of a covered entity; and
- a subcontractor who creates, receives, maintains or transmits PHI on behalf of another business associate.
The sheer breadth and depth of HIPAA's new definition of a Business Associate can be pretty overwhelming, for it can include a large number of people. Its inclusion of subcontractors alone (which may cover many levels of subcontractors downstream), allows HIPAA compliance to affect more people than it has ever before.
So if you feel you're directly or indirectly handling PHI, then I suggest you seek legal counsel just to determine whether you're considered a business associate or perhaps even a covered entity.
HIPAA non-compliance penalties
The price of violating HIPAA can be quite staggering.
The Department of Health and Human Services (HHS), who basically issued the HIPAA final rule, drew up four (4) categories of violations with increasing civil money penalties:
1. A violation in which the business associate (or covered entity) did not know and, even by exercising reasonable diligence, would not have known that he had made such a violation;
2. A violation due to reasonable cause and not to willful neglect;
3. A violation due to willful neglect that was corrected within the prescribed 30-day period; and
4. A violation due to willful neglect that was not corrected.
Here are those 4 violations with their corresponding penalties:
|Category||Amount per violation||Maximum amount
for all such violations
of an identical provision
in a calendar year
|For those who "Did not Know"||$100 - $50,000||$1.5 Million|
|Cases involving "reasonable cause"||$1,000 - $50,000||$1.5 Million|
|Cases of Willful Neglect but were timely corrected||$10,000 - $50,000||$1.5 Million|
|Cases of Willful Neglect and weren't timely corrected||$50,000||$1.5 Million|
Prior to HITECH, civil monetary penalties used to apply only to covered entities. Now, business associates can be held directly liable for violations and subjected to monetary penalties.
But these penalties aren't the only things you should be worried about.
Breach notification and burden of proof
Under HIPAA, business associates have certain obligations to fulfill in the event of a data breach. Once you've discovered a breach of unsecure PHI, you are required to notify the covered entity whose data was affected by the breach. In turn, the covered entity would have to notify the Secretary of HHS.
Things can quickly go from bad to worse if the breach is found to have affected at least 500 individuals. Breaches this large are posted on the HIPAA wall of shame, which is an updated collection of HIPAA-related breaches that have affected 500 individuals or more. Unfortunately, whenever applicable, the name of the business associate involved is also published.
This kind of negative publicity can seriously damage your reputation and you could lose several clients because of it.
The HITECH definition of a breach is not very favorable to business associates. Any impermissible acquisition, access, use or disclosure of protected health information is presumed to be a breach unless you are able to show a low probability of risk that PHI has been compromised. In other words, the burden of proof is on you.
To determine probability, you will have to conduct a risk assessment that would take into consideration at least these four factors (in addition to other factors that may be deemed appropriate for the specific incident):
1. The nature and extent of the PHI involved;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.
Sending HIPAA-compliant file transfers
File transfers may involve transmissions of PHI in electronic form (a.k.a. ePHI). Hence, these processes should conform to the HIPAA Technical Safeguards (§ 164.312). The only change in the HIPAA Technical Safeguards is the addition of "business associates" in the introductory text, i.e.:
from "A covered entity must ...." to "A covered entity or business associate must ...."
The rest of the content in §164.312 remain the same.
We already discussed those Technical Safeguards standards which we felt were relevant to secure file transfers. You can find it in Part 2 of the post "Guide to HIPAA Compliant File Transfers". We also talked about how those standards can be implemented in an actual file transfer system in Part 3 of the same post.
The standards we covered included:
- Access Control - for restricting ePHI access to authorized individuals and software programs;
- Audit Controls - for recording logs of file transfer activities;
- Integrity - for preventing ePHI from being maliciously or accidentally altered or destroyed;
- Person or Entity Authentication - for verifying the identity of individuals or software programs requesting access to ePHI; and
- Transmission Security - for securing ePHI that is transmitted over networks.
By implementing those standards, you will not only be preventing possible data breaches and incidents of medical identity theft. You will also be able to demonstrate, in a risk assessment following the discovery of impermissible use or disclosure of PHI, a low probability of risk that PHI has been compromised.
Like covered entities, business associates must now implement stronger security measures to their secure file transfer systems in order to comply with the updated HIPAA administrative, physical, and technical safeguards. This post has provided guidance towards that direction.
About JSCAPE MFT Server
JSCAPE MFT Server is a platform independent managed file transfer server that centralizes all of your file transfer processes into a single easy to use application. When properly configured JSCAPE MFT Server can meet strict HIPAA compliance requirements.