Q&A with Beau Patterson
HIPAA makes employers pay costs for curiosity of its employees
Q: Cedars-Sinai Medical Center in Los Angeles made news earlier this month when it terminated several employees in response to a privacy breach involving the medical information of celebrity Kim Kardashian. The breach occurred when six hospital employees, who were not involved in Ms. Kardashian's care, accessed her medical file seeking information about her recent pregnancy and delivery. The information was not shared outside of the hospital, and the employees appeared to be motivated only by a desire for information about their favorite television personality. Did the hospital do the right thing?
A: Yes. The Health Insurance Portability and Accountability Act (HIPAA) imposes obligations on health care providers and related covered entities to protect and secure a person's health information. This not only means preventing outside disclosures of protected health information, but also limiting access within the organization to persons who need to know for treatment, payment or health care operation purposes. HIPAA requires a swift and thorough response when a breach is discovered, which can include imposing disciplinary penalties up to termination for employees who violate the law, and undertaking expensive training and corrective measures to guard against future problems. The federal government can impose significant fines when a covered entity fails to safeguard protected health information or to respond appropriately to a breach. Criminal penalties are a possibility. In 2011, the UCLA Health System paid nearly $1 million to federal regulators to settle claims of HIPAA privacy breaches engaged in by certain members of its administrative and medical staff. In one case, a physician in the system received a four-month prison sentence for impermissibly accessing the medical records of former Gov. Arnold Schwarzenegger.
Q: Do HIPAA's obligations apply to non-health care providers?
A: Yes. Beginning Sept. 23, federal rules will go into effect imposing many of HIPAA's privacy and security obligations (as well as corresponding penalties) on third-party businesses that perform services for — and receive protected health information from — covered entities (“business associates”). For example, a law firm representing a nursing home in litigation is a business associate if it receives protected health information during the course of its representation. Likewise, a business consulting firm that receives and analyzes protected health information as part of its effort to assist a health care provider in improving operational efficiency would be a business associate. Businesses shouldn't assume that, because they are seemingly not involved in the health care industry, they are necessarily outside of the reach of HIPAA.
Q: What should business associates be aware of regarding their expanded obligations under HIPAA?
A: Any failure to safeguard protected health information while it is in the business associate's possession, custody or control (e.g., a failure to maintain a secure server or file room) can make the organization a direct target of individual claims or a federal investigation and disciplinary action should a breach occur. Monetary penalties previously only recoverable against a covered entity are now directly recoverable from the business associate.
Q: What should business associates do to prepare for these expanded obligations?
A: Business associates need to have an up-to-date business associate agreement with the covered entity for whom they provide services. Additionally, a business associate will need a second-tier agreement for any downstream entities to whom the business associate discloses the protected health information (e.g., a medical billing company that provides protected health information to an outside consulting firm as part of an audit). Beyond that, business associates need to have written policies and procedures governing how they will receive, store, transmit, and ultimately destroy protected health information received from a covered entity. As a comparison of the Cedars-Sinai and UCLA Health System situations makes clear, covered entities and business associates who are proactive will fare much better than those who wait too late to act.
PAULA BURKES, BUSINESS WRITER