Old dogs, new tricks?
OK, not exactly, but I did actually learn something new about HIPAA today. It confirmed my understanding in the area (which coincidentally I was discussing with someone within the last few days), but I wasn't aware that there was such an explicit outlining of the matter by HHS already.
Someone asked me what their HIPAA obligations are, as a covered entity, to investigate their business associates' HIPAA compliance activities. Lots of larger CEs have extensive requirements they pass down to their BAs, forcing them to answer questionnaires, provide documentation, and agree to inspections or reviews, so that the CE can determine whether the BA is adequately protecting PHI. This is a good thing in theory, but can be a monstrous pain in the neck for the BA, especially if it's a small shop with a more, shall we say, informal HIPAA compliance plan ("Shhh.").
As I told my interlocutor, the HIPAA regs themselves do not require any sort of active engagement by the CE over its BAs, only the entering into of a BAA and the downstreaming of the specified obligations in 164.504(e). Most BAAs contain more than is required, and those that contain active monitoring of the BA certainly do. While it seems to be becoming an industry trend, and may be a "best practice" for a larger CE, it's certainly not a requirement.
As an aside, I would note that a BA should be very careful about agreeing to provide the CE with a copy of its risk assessment: once an organization has determined what it's greatest weaknesses are, it's not a good idea to show that to anyone outside the organization. If the outside entity does not keep that information secure, it's like giving potential hackers a road map to the best way into your data. I passed this advice along as well.
Anyway, Lexology today led me to this article
by Adam Green's crew at Davis Wright Tremaine. It turns out, there is specific language
in the December 2000 Privacy Final Rule that removed a more active monitoring requirement in the proposed regs from 1999 (the regs I famously read on the beach in Destin, Florida in June of 2000). The 2000 Final Rule says, "In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate
and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract. . . . [T]his standard relieves the covered entity of the need to actively monitor its business associates
. . . ."
As the article also notes, OCR officials indicated a year ago at a HIPAA Summit that they do expect CEs to conduct a certain level of due diligence with respect to their BAs. While this "guidance" is helpful, and I would always encourage CEs to exceed the requirements of HIPAA where it's reasonable to do so, it is still just that: guidance. As with the OCR "ransomware = breach" guidance, it is not the law and it is not a regulation, and should not be enforced as such. The Administrative Procedures Act exists for a reason, and if HHS wants to draft binding regulations, there's a way to do so, and HHS should follow the rules.
Blogger: HIPAA Blog - Edit your Template