Executive Summary
Business associates must be monitored carefully to avoid HIPAA breaches that can pass on liability to the healthcare provider. Indemnity agreements can help mitigate the risk from breaches traced to vendors.
- Cloud servers and improper disposal of printed materials can cause breaches.
- Portable storage media are a common cause of breaches.
- Indemnification is a worthwhile option, even if only partial indemnification is possible.
Business associates can frustrate compliance officers because they cannot be completely controlled, yet their performance can lead to a HIPAA breach for which the hospital or healthcare system is liable. Some providers are trying to use indemnification to escape that trap, but there are limitations to that strategy, too.
The best example of the threat is the 2011 breach at Stanford (CA) Hospital & Clinics, which was traced to a business associate’s subcontractor, says Marc Voses, JD, a partner with the law firm Kaufman Dolowich & Voluck in New York City. A class action lawsuit against Stanford Hospital & Clinics and two business associates related to the breach affecting 20,000 patients was settled in 2014 for $4 million.
Court documents indicate that the breach occurred when a business associate’s subcontractor posted information about 20,000 patients treated in the hospital’s emergency department on a web site. The information was on the web site for more than a year before the breach was discovered.
The information about patients treated between March 1 and Aug. 31, 2009, included patient names, medical record numbers, hospital account numbers, emergency department admission/discharge dates, medical codes for the reasons for the visit, and billing charges, Stanford Hospital & Clinics confirmed at the time.
The case is indicative of the many ways that protected health information (PHI) is at risk once it leaves the healthcare company’s data system, Voses says. He cites these most common security threats with vendors:
- lack of encryption of PHI at rest and in transit;
- use of portable storage media;
- sharing of information by vendor with non-business associates;
- improper disposal of written or electronic PHI;
- failure to maintain adequate security protocols and revise them periodically;
- use of cloud servers that are publicly accessible.
Push for protection
The healthcare provider does have some leverage for requiring business associates to take proper HIPAA precautions, of course. Though these strategies have limitations, they should be pursued vigorously to obtain the most protection possible, Voses says. Those strategies include having a written agreement that outlines the terms of the relationship, requiring the vendor to retain a third party to verify the security protocols in place at the vendor and compliance with those protocols, and requiring periodic audits of the vendor’s systems that contain the provider’s PHI.
Those strategies are increasingly difficult to implement when managing vendors and third-party risk across many industries, and with complex multi-vendor arrangements, notes Bill Huber, a managing director at Alsbridge, a global sourcing advisory and consulting firm based in Dallas. “This requires maintaining effective governance mechanisms to oversee the myriad touchpoints and linkages in the service delivery chain,” Huber says. “The requirements of the healthcare industry, and of HIPAA specifically, mean that governance is especially critical.”
Huber recommends these specific best practices for risk mitigation:
- appropriate due diligence on supplier information security controls and processes prior to selection and contracting of suppliers;
- specific contractual carve-outs for HIPAA-related data breaches, with a separate, usually higher limitation of liability related to gross negligence or willful misconduct;
- specific notification requirements and audit rights in the contract related to information security controls and processes;
- mature vendor management processes and organization, including vendor risk management;
- transition readiness assessment (buyer and supplier) and testing prior to go-live/transfer of data;
- ongoing, periodic audits and tests of supplier controls;
- ongoing monitoring of supplier financial, regulatory, and legal alerts.
Pursue indemnification?
Because even the most diligent vendor compliance program cannot eliminate all potential liability from a HIPAA breach, some hospitals and health systems are pursuing indemnification, Voses notes. That strategy can reduce the risk and potential liability, but getting the vendor to agree to a meaningful indemnification agreement often is difficult, he says.
“It depends on the resources available to the vendor to indemnify you for a breach. When Target’s breach was traced to an HVAC vendor, I doubt it could have paid for Target’s losses,” Voses says. The retailer estimates that about 42 million people had their credit or debit information stolen in 2013. Target settled a class action lawsuit for $10 million, according to court documents. “If the vendor has the resources, demand contractually provided liquidated damages for failure to protect PHI,” Voses says. “Have the healthcare provider added to the business associate’s cyber/data breach policy as an additional insured.”
Unless you know the business associate would be unable to compensate you for the costs of a breach, start out by asking for every possible type of indemnification, advises Jennifer Breuer, JD, a partner with the law firm of Drinker Biddle in Chicago. That request should include any violation arising from the underlying business associate agreement or related to confidentiality and HIPAA compliance. But don’t expect the vendor to sign off on that agreement.
“What business associates don’t like about indemnification is that it completely changes the way they look at the underlying contracts and business associate agreement,” Breuer says. “If the vendor is selling an item to the hospital for $12, they may look at the indemnification and realize they can’t sell it to you for $12 if they might have to pay all the costs of a HIPAA breach.”
When the vendor balks at a broad indemnification that leaves it on the hook for any breach in which the vendor is involved, the counteroffer can restrict the indemnification so that the business associate is liable only when the breach is tied to specific actions for which it is directly responsible, she says.
“Reasonable people will agree that they have an obligation to have controls in place to protect PHI, and vendors are more likely to agree to indemnification when they see that it is tied to the actions that everyone in their industry is expected to do,” Breuer says. “It is not unreasonable to ask for this type of indemnification, and it is not unreasonable to expect the vendor to agree to it.”
The next issue
The next negotiating point involves whether the indemnification agreement will include a cap on the losses for which the vendor will reimburse the hospital or health system. A vendor with limited resources or doing a modest amount of business with the healthcare provider might want a cap so that a breach would not break the company or vastly outweigh the value of the hospital’s business, Breuer explains.
“The cap could be the actual losses incurred by the hospital, or it could be related to the fees paid to the vendor,” she says. “You might have an agreement that says the vendor’s liability is limited to five times the fees paid to the vendor, for instance, so that the company can see the relative value of the indemnification. That emphasizes the point that you’re not just trying to push off your legal problems on them, but rather that the hospital’s business with that vendor comes with an obligation.”