After almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July. At first glance, both appear to be “run-of-the-mill” cases with nothing new to learn: the first resulted in OCR finding that the covered entity failed to complete a basic Security Risk Analysis and train its workforce, and the second involved – yet again – a stolen unencrypted laptop. However, the second case in particular deserves closer examination, because embedded in it are more complex corporate structure and liability issues: it involved legally separate covered entities that elected to designate themselves as a single covered entity for purposes of HIPAA. Let’s look at each of these cases separately.
For Pete’s Sake — Do the Basics!
The first resolution agreement involved a Federally Qualified Health Center (FQHC), Metropolitan Community Health Services (Metro), that provides a variety of discounted medical services to underserved populations in North Carolina. Metro agreed to pay $25,000 and enter into a 2-year corrective action plan (CAP) after self-reporting a breach affecting 1,263 patients in June of 2011. This led to OCR’s investigation finding “longstanding, systemic noncompliance with the HIPAA Security Rule.” Specifically, OCR found that Metro “failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016, over 4 years after the breach incident occurred.” Although the Metro case does not really reveal anything “new,” it does continue to highlight that there remain many organizations out there that do not complete even the most basic requirements for compliance with the HIPAA Security Rule – namely, completing a Security Risk Analysis and training their workforce. Although it may seem a bit insensitive that OCR would go after an organization that is providing much-needed services to an underserved population, OCR Director Severino raises this valid point in the corresponding Press Release:
“Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information”.
So, another important takeaway is that individuals receiving healthcare from covered entities serving an underserved population deserve the same commitment to the privacy and security of their information. You can review the entire Metro Resolution Agreement here.
HIPAA “Affiliated Covered Entities” Beware!
The second resolution case with OCR resulted in a $1.04 million settlement with Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island. This settlement also was triggered by a self-reported breach by Lifespan: an unencrypted laptop containing the ePHI of over 20,431 patients was stolen. The investigation by OCR which inevitably followed of course identified “systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan determined it was reasonable and appropriate to do so.” However, OCR also pointed out something much more interesting when it found that Lifespan ACE “failed” to have a BAA in place with Lifespan Corporation. Specifically, OCR states the following in the Resolution Agreement:
“Lifespan did not have the proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of the Lifespan ACE (See 45 C.F.R. § 164.502(e))” (emphasis mine).
So, some of you might be reading that and thinking to yourself, “What?! … so, am I required to have BA Agreements between entities within my healthcare system?” The answer is, possibly yes. The unique HIPAA issues that are triggered when more than one separate legal entity is organized under a parent corporation are not new. OCR has demonstrated that it is willing to hold separate legal entities responsible for each other’s HIPAA compliance when they designate themselves as affiliated covered entities for purposes of HIPAA. Let’s review how HIPAA treats these issues.
HIPAA “Affiliated Covered Entities”
Historically, HIPAA permits certain “affiliated covered entities” to treat themselves as a single covered entity for purposes of compliance with HIPAA. Effectively, this permits the affiliated covered entities to share information between their organizations as if they were one legal entity, use a common HIPAA NPP and Authorization form, share a Privacy and Security Officer (note, HHS expressly states this in its Preamble to the HIPAA Rules), have common Privacy and Security Policies, among other activities subject to HIPAA. Sharing protected health information (“PHI”) between organizations that choose to designate themselves as an affiliated covered entity as if they were a single entity permits broader integration and efficiency between the affiliated covered entities.
“Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this part” if they are under “common ownership or control”. 45 CFR 164.105(b)(1) and (b)(2). HIPAA requires that this designation must be documented and maintained for a period of six (6) years from its creation or the date when it was last in effect. Covered entities are considered to be under “common ownership or control” if:
- An entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity (common control, e.g., affiliated physician practices)
- An entity or entities possess an ownership or equity interest of 5 percent or more in another entity (common ownership, e.g., subsidiaries, joint ventures)
HHS noted in the Preamble to the (2002) Privacy Rule that,
“some legally distinct covered entities may share common administration of organizationally differentiated, but similar activities (for example, a hospital chain) [and] we permit legally distinct covered entities that share common ownership or control to designate themselves or their health care components, together to be a single covered entity….Such organizations may promulgate a single shared notice of information practices and a consent form. For example, a corporation with hospitals in twenty states may designate itself as a covered entity and, therefore, able to merge information for joint marketplace analyses.”
HHS noted further that,
“[t]he requirements that apply to a covered entity also apply to an affiliated covered entity. For example, under the minimum necessary provisions, a hospital in one state could not share protected health information about a particular patient with another hospital if such use is not necessary for treatment, payment or health care operations. The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule.”
Affiliated covered entities are jointly and severally liable for any monetary penalties which may arise for a violation of HIPAA based on an act or omission of the affiliated covered entity (i.e., the various facilities acting together), unless it can be established that another member of the affiliated covered entity was responsible.
Corporate Structuring in Health Care Systems
The corporate structure of health care systems varies and typically involves a combination of a parent holding company which operates, directly or through one or more subsidiaries, one or more covered entities. HHS expressly refused to acknowledge a separate category of “covered entity” for integrated health care systems because of the varied arrangements in which integrated delivery systems may function. Integrated delivery systems operate and share information in many different ways, and may or may not be financially or clinically integrated. HHS notes in its Preamble:
“In some cases, multiple entities hold themselves out as one enterprise and engage together in clinical or financial activities. In others, separate entities share information but do not provide treatment together or share financial risk. Therefore, we do not include a separate category of covered entity under this rule for integrated delivery systems, but instead accommodate the operations of these varied arrangements through the functional provisions of the rule. For example, covered entities that operate as [OHCAs]…may share [PHI] for the operation of such arrangement without becoming business associates of one another….The application of this rule to any particular “integrated system” will depend on the nature of the common activities the participants in the system perform. When the participants in such an arrangement are affiliated as defined in this rule, they may consider themselves a single covered entity.”
For the health system that conducts covered entity functions through one or more subsidiaries, the application of HIPAA may prove challenging. By definition, the parent company (Parent) itself technically is not a “health care provider” within the meaning of HIPAA and the Social Security Act, and therefore may not meet the definition of a “covered entity.” HIPAA defines a “covered entity” to mean (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. 45 CFR 160.103. A “health care provider” means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. 45 CFR 160.103.
If the provision, furnishing, billing or reimbursement for health care is conducted by the subsidiaries (e.g., separately incorporated hospital corporations, long-term care facilities, physician practices), the subsidiaries are health care providers for purposes of HIPAA and therefore covered entities individually. Each of these subsidiaries would then be treated as a covered entity under the common control or ownership of the same parent company and could clearly designate itself as part of an affiliated covered entity. However, if the Parent itself is not a health care provider, and therefore not a covered entity standing alone, it is not entirely clear whether the Parent, if it performs activities closely integrated with and on behalf of its subsidiary covered entities, may likewise treat itself as part of that affiliated covered entity. That said, the Lifespan ACE Resolution makes it clear that OCR would, in this instance, likely expect a BA agreement to be in place between the parent entity and its healthcare provider affiliates.