Hospital Access Managment Supplement: HIPPA Regulatory Alert
Compliance accountability chains put you at risk and can complicate contract negotiations
Executive summary
Providers are accountable for the compliance of all downstream contractors with the Health Insurance Portability and Accountability Act (HIPAA). Vendors might balk at some efforts to ensure compliance.
• Covered entities can be responsible for the violations of business associates.
• The risk of liability is higher if the associate acts as an agent for the hospital.
• Some flexibility is necessary when negotiating HIPAA compliance clauses.
Risk managers are doing the right thing when they try to include Health Insurance Portability and Accountability Act (HIPAA) compliance in vendor contracts, but they might meet resistance if the requirements are too onerous. The key will be finding the sweet spot where you have protected your interests as much as possible without making the contract untenable to business associates, experts say.
Resistance most likely will come from smaller companies, says C. Jason Wang, MD, PhD, associate professor of pediatrics at Stanford University in California. Wang recently wrote in the Journal of the American Medical Association (JAMA) that the 2013 HIPAA omnibus final rule creates an "unfunded mandate" on startup companies that might not have the wherewithal to negotiate business associate agreements.1
In the JAMA paper, Wang and his co-author call for additional guidance from the Department of Health and Human Services (HHS) on how contracts between healthcare entities their business associates should be construed. The final rule creates an accountability chain that includes business associates and their downstream subcontractors, Wang writes, but it does not account for what he says could be strong resistance from business associates.
Wang tells HIPAA Regulatory Alert that providers' worries about accountability could have the unintended consequence of limiting innovation and narrowing the field of companies with which a hospital is willing to work. If the hospital insists on strict compliance with HIPAA, evidence that the requirements have been passed down the line to subcontractors, and indemnity for violations, inevitably some companies will balk and say they cannot take on that responsibility, he explains. (See the story below for suggested contract clauses.)
"I really worry that if this HIPAA regulation is interpreted too far, it's going to impede innovation and get in the way of providers working with outside companies," Wang says. "That will be terrible for healthcare."
Conflicts might be inevitable, but the provider still must follow the law and include contract clauses to protect itself from liability, explains Stephen Wu, JD, a partner with the law firm of Cooke Kobrick & Wu in Los Altos, CA. The HIPAA rule explains most of what should be required of business associates, but Wu advises risk managers to take a stricter approach in some areas. The rule requires that business associates notify the provider of a breach within 60 days, for example, but he advices hospitals to require must quicker notification. He has worked with one hospital that successfully negotiated a two-day notification from a data management company.
"You're probably going to get something more than two days, but it should be way south of 60," Wu says.
The flow-down requirement for subcontractors can be the stickiest negotiating point, Wu says. Flow-down means that once you contract with a business associate, your requirements for HIPAA compliance must be included in the contracts with any subcontractors and their subcontractors
Including flow-down is not optional, Wu says, but you have some discretion in what you flow down. You must consider your contract requirements not only in terms of whether the business associate is able to comply but also whether its subcontractors can. "There are provisions that, in theory, should be flowed down to the business associates but which really aren't necessary when you consider the nature of the work. If the associate is handling patient data in a way that never involves them getting direct queries from patients, you could skip the provision about the associate being required to respond to requests by a certain time," he says. "You could take that off the table so they don't resist having to promise compliance on something they never do. But you could replace it with a clause saying they will cooperate fully if the patient makes a request to you and you need that information from them."
Money is always a sensitive topic, so indemnification and who pays for the breach of the protected health information can be difficult during negotiation, Wu says
In Wu's experience, the biggest controversy in these contract negotiations is the vendors claiming that they are not business associates at all. Contractors will argue that, for example, they merely maintain access to digital information for the provider but never open the files or have any knowledge of their contents. They will say that for that reason, they should not be considered business associates.
"You have to push back and tell them that because they are maintaining protected health information over time," Wu says. "That is the HHS decision, and they can't argue that point."
Wu advises risk managers to include a clause in the contract in which the vendor acknowledges being a business associate, along with a separate agreement to follow the compliance guidelines provided by the hospital.
One attorney urges risk managers not to go overboard with HIPAA compliance in contract negotiations. The legal risk to hospitals from missteps by business associates often is overstated, says Brad Rostolsky, JD, an associate with the law firm of Reed Smith in Philadelphia who has worked with healthcare providers to ensure data security. There is a risk of flow-down exposure, but that risk is significant only when the contractor is acting as an agent of the hospital, Rostolsky says.
"It is not true that contractors are generally on the hook for the actions of their business associates," he says. "We don't always have to negotiate as if something terrible is going to happen somewhere down the line and we're going to be liable to a great extent if we don't have a clause saying otherwise."
If a business associate is an agent under the federal common law of agency, then the covered entity is on the hook for the missteps of the business associate with regard to actions performed as an agent, Rostolsky says.
"When people try to implement more onerous language regarding indemnification and liability with business associates, I'd say that concern is valid up to a point, but may be a little misplaced," he says. "Don't be surprised when some of your associates come back to you and say that because of the cost of compliance they're going to have to raise their prices, or they're not going to be able to give you the indemnification you prefer."
Rostolsky advises structuring the contract up front so that, to the extent possible, the business associate is not an agent. To do so, the business associate must not be subject to direction by the covered entity on an ongoing basis. He cautions, however, that a single-minded focus on obtaining indemnification or other HIPAA concessions can backfire. "I've told people on both sides of this issue that if you push too hard, you can negotiate yourself out of business," he says. "Both parties in this negotiation have valid concerns and parameters for what makes good business sense, and you have to find somewhere to meet in the middle."
Covered entities also should be comforted by the fact that the government is going after business associates directly for HIPAA violations, Rostolsky says. That action doesn't mean they can't drag the covered entity into the fray as well, but Rostolsky says that will not be automatic if regulators can see that the associate was the responsible party and the covered entity acted properly in trying to ensure that the associate was in compliance.
As the Office of Civil Rights (OCR) continues enforcement activities against business associates, Rostolsky expects that "it will become implicitly clear that when a business does something improper, OCR will not hammer the covered entity for that unless there is an agent relationship."
REFERENCE
1. Wang CJ, Huang D. The HIPAA conundrum in the era of mobile health and communications. JAMA 2013; online Aug. 26.
SOURCES
• Brad Rostolsky, JD, Associate, Reed Smith, Philadelphia. Telephone: (215) 851-8195. Email: [email protected].
• C. Jason Wang, MD, PhD, Associate Professor, Stanford University, Stanford, CA. Telephone: (650) 736-0403. Email: [email protected].
• Stephen Wu, JD, Partner, Cooke Kobrick & Wu, Los Altos, CA. Telephone: (650) 618-1454. Email: swu@ckwlaw.
Compliance accountability chains put you at risk and can complicate contract negotiations; Prepare now for coming HIPAA security audits; Advocate sued over large data breach; Agencies release model notices of privacy practices
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.