Thursday, October 4, 2012

Providers Must Enter into BA Agreements with Vendors who Transmit, Maintain, Use or Have Access to PHI

The Stage 2 Meaningful Use requirements make clear that the federal government is continuing its push to require healthcare providers to use information technology. The requirements also make clear, however, that patient privacy and security has not been sidelined.
With this emphasis on making information available to patients online, providers must remember the need to enter into business associate agreements with vendors who transmit, maintain, use or have access to protected health information. The recent action against Phoenix Cardiac Surgery, P.C. by the Office of Civil Rights (OCR) is instructive on this front. In that case, Phoenix used a publicly accessible, Internet-based calendar to post patient appointment dates and an Internet-based email account to e-mail PHI to workforce members’ personal Internet-based e-mail accounts. In both instances, OCR faulted Phoenix for not entering into business associate agreements with the providers of these services. Phoenix agreed to pay HHS $100,000 and enter into a 1-year corrective action plan.
In general, providers should enter into business associate agreements with vendors who “touch” PHI in any manner. This would generally include hosting providers, computer repair services and even copy machine repair services. The only exception to this requirement to enter into business associate agreements is for vendors who are conduits, with the US Postal Service serving as the typical example. Based on the HHS definition of “conduit,” and the OCR’s interpretation (as explained by Leon Rodriguez, Director of OCR, at a recent presentation) of that term, that exception is very narrow and is not likely to apply to, for example, a hosting vendor that provides managed cloud servers. As David Holtzman noted at the Health Care Compliance Association’s 16th Annual Compliance Institute in April 2012, “If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.”
Additional References:
·         Office of Civil Rights Enforcement Activity - http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html
·         OCR - Phoenix Cardiac Surgery, P.C. Settlement Details - http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.html
·         Office of the National Coordinator – Privacy and Security Materials for Practices - http://www.healthit.gov/providers-professionals/ehr-privacy-security
·         Stage 2 Meaningful Use – Federal Register (Official Title: Medicare and Medicaid Programs; Electronic Health Record Incentive Program—Stage 2; Health Information Technology: Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology; Final Rules) - http://www.gpo.gov/fdsys/pkg/FR-2012-09-04/pdf/2012-21050.pdf