Author Archives: William Roberts

Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices

Health care providers and health insurance companies are generally aware that when protected health information (“PHI”) is disclosed to a vendor, such as an attorney, consultant or cloud data storage firm, a business associate agreement is necessary to comply with HIPAA and to safeguard the information disclosed. However, not all vendors will be business associates, even when such vendors may have potential access to PHI, and health care providers and insurers often struggle with how to manage risks to PHI in these relationships. The following FAQs address these issues and my solutions for managing and mitigating risk in an efficient and cost-effective manner.

Who are non-business associate vendors?
Generally, a vendor is not a business associate if it does not receive, use, disclose or maintain PHI. The key risk though is that these vendors may still have potential access to an organization’s PHI. Examples include the following:

  • An IT vendor that will have access to hospital information systems to install, update or maintain malware protection.
  • A cleaning service which has access to staff offices, medical record rooms or other areas in which PHI may exist.
  • A software company that licenses a locally hosted program that utilizes or processes PHI, and that may need access to local information systems for installation or troubleshooting.
  • A consultant who is granted limited access to quality, compliance or other internal reports that include only aggregate information but who may be working in a medical records storage area or be logged into the local network.

What harm can these vendors cause?
Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws. Let us consider a recent example to illustrate the importance of addressing data privacy and HIPAA concerns with vendors who are not business associates:

Health care provider engages a local IT security firm to install patches. Parties agree that vendor is not a business associate. While in the provider’s information system, a newly hired vendor employee stumbles upon locally maintained patient and employee records. Bored, he starts reviewing the records and finds a former classmate of his. He copies the records to a USB drive and emails the records to the former classmate. Several weeks later, the former classmate contacts the state attorney general and says “look what the provider gave [the employee] access to.” Vendor employee failed to appreciate the seriousness of the access (no privacy training provided), was under no obligation to report the access to employer, and vendor had no obligation to notify, indemnify, reimburse or cooperate with the provider.

Provider was found to be in violation of both HIPAA and state privacy law and regulators required an extensive corrective action plan.

What strategies should a health care provider or insurer pursue to manage the risk caused by non-business associate vendors?

I generally advise clients to pursue a 3-part strategy addressing organizational policies, due diligence and confidentiality agreements:

  1. Organizational Policies: Avoid limiting privacy and security policies to only HIPAA compliance – while very important, HIPAA is not the only privacy and security concern a health care provider or insurer should have. Policies should also consider proprietary information, trade secrets and state privacy laws. Further, ensure that privacy and security policies apply to all vendors, not merely those subject to HIPAA.
  2. Due Diligence: Consider implementing a vendor-screening tool as part of your contracting process and make data privacy and security a factor when choosing vendors. The purpose of the screening tool is to obtain vendor assurances regarding privacy, receive comfort that the vendor is cognizant of and is addressing privacy concerns and to periodically monitor vendor privacy efforts (such as through annual certifications).
  3. Confidentiality Agreements: Develop a specific template confidentiality agreement for non-business associate vendors, the terms of which should reflect the risk profile of the organization (Note: a standard non-disclosure agreement is generally insufficient for this purpose). Ensure a focus on confidentiality obligations, compliance with laws and policies, incident reporting and reimbursement.


HIPAA Breach: Who You Gonna Call?

Everyone knows that you call a plumber for a leaking pipe, a mason for a cracked stone wall, and an electrician to fix faulty wiring. However, when faced with an actual or suspected HIPAA data breach, many folks struggle with determining whom to call. Failure to have contacts lined up ahead of time may pose more than an inconvenience – any delay in bringing in experienced advisors to assist with breach investigation, response and mitigation may result in significant financial and legal consequences.

HIPAA covered entities and business associates should have a written breach response policy and protocol. The policy and protocol should provide clear guidance to the covered entity’s or business associate’s staff regarding how to respond to an actual or suspected breach. Among other things, the policy and protocol should include a roster of resources staff persons may rely upon, including legal counsel, forensic and IT consultants, public relations/marketing professionals, and human resources advisors. Given the necessity of responding to a breach promptly, covered entities and business associates should not wait for a breach to occur in order to start assembling a team.

In light of the risk of lawsuits or government enforcement, the first call to make should be to an attorney experienced in data privacy matters. The value in contacting an experienced attorney, aside from expertise in the legal requirements imposed by HIPAA and other state and federal laws that may apply, is that bringing in an attorney at the start may allow the covered entity or business associate to protect the subsequent breach investigation and response under attorney-client privilege. By doing so, the covered entity or business associate may be able to protect the confidentiality of damaging facts (such as investigatory reports citing failures in the covered entity’s or business associate’s privacy safeguards) from plaintiff’s counsel seeking to sue for damages. While there is no guarantee that asserting attorney-client privilege will be successful in all instances, having an attorney involved and directing the investigation from the start is often the only chance a covered entity or business associate has at protecting damaging information from litigants and the public.

Aside from legal counsel, covered entities and business associates should have a list of trusted forensic and IT consultants. When electronic protected health information (ePHI) is involved, consultants experienced in HIPAA matters are necessary. They may be needed to investigate a hack or ransomware attack; audit the online activities of a rogue employee; report on what information may have been on a lost or stolen mobile device; or recover data from a damaged hard drive.

Data breaches often result in considerable media attention, particularly when notice to the media is required. Protection of an entity’s reputation is crucial to retain customer and public trust and the service of a media relations professional is often invaluable. If employees are involved in the breach, seek advice from an HR professional prior to conducting employee interviews, sanctions or termination – particularly if a unionized workforce is involved.

A HIPAA breach is like a fire drill – you need to respond quickly and cannot ignore the warnings. Having the right team in place ahead of time will ensure a timely, appropriate and cost-effective response to the breach.


Can I Be Sued for a HIPAA Violation?

I am asked that question almost weekly. While the answer has traditionally been “no,” the legal landscape is shifting and the risk of being sued continues to increase.

Let’s first start with some background. As some of you may know, HIPAA does not include a “private right of action.” This means that an individual may not file a claim against a covered entity or a business associate in order to enforce HIPAA or seek damages in response to a HIPAA violation. For example, a patient is not able to sue a dentist if the dentist fails to distribute a Notice of Privacy Practices or enter into a business associate agreement. The sole remedy of an aggrieved individual is to file a complaint with the United States Department of Health and Human Services Office for Civil Rights (“OCR”) or, more recently, with a state Attorney General. In addition, in some states, individuals have been able to file complaints regarding generalized privacy concerns with various state regulatory agencies, such as a state health or consumer protection department. With respect to OCR, notification of the right to file a complaint and the process for doing so is generally set forth in a covered entity’s Notice of Privacy Practices.

Since HIPAA was enacted, the lack of a private right of action has provided solace to covered entities and business associates, particularly since complaints tend to be few in number. Moreover, OCR investigations of complaints have often resulted in compliance agreements and consent orders, rather than court actions or civil damages, both of which would require the covered entity or business associate to expend considerable sums on attorney fees, court costs and payment of damages.

While there is no hint at this time that Congress is contemplating including a private right of action in HIPAA (i.e. allowing individuals to sue to enforce HIPAA), aggrieved patients and their counsel have been finding other ways to file claims for HIPAA violations and use HIPAA violations as the basis for seeking monetary damages. For example, in some states, patients have filed suit against health care providers on the grounds of negligence – claiming that the provider was negligent when violating HIPAA and thus must be held liable for damages. A recent example from Connecticut illustrates the way these lawsuits operate:

A physician received a subpoena for medical records. The physician supplied the medical records as requested by the subpoena; however, the subpoena did not comply with HIPAA. The subject of the medical records sued, alleging that HIPAA creates a “standard of care” for all health care providers and that the failure of the physician to adhere to that standard of care was “negligent.” The physician sought to block the suit but the Connecticut Supreme Court allowed it to continue. As of this date, the lawsuit is making its way through the Connecticut state courts. In addition, lawsuits are currently being prepared and filed in response to the recent Anthem breach and many will be claiming negligence or violation of various state privacy or insurance regulations.

These types of lawsuits would have been unheard of even just a few years ago. However, while still not widespread or common, the emergence of these suits poses significant risk management and liability concerns for any health care provider, health insurance company or vendor subject to HIPAA. The risk of a lawsuit is most pertinent to HIPAA violations which may cause financial, reputational or other harm to a party. Hypothetical examples, based upon real life incidents, include:

  • Inappropriate disclosure of medical records in response to a subpoena, which causes a former patient to lose custody of her children.
  • Inappropriate disclosure of a child’s medical record to an estranged parent after the health care provider failed to verify the estranged parent’s authority to access records, which leads the estranged parent to discover where the child now resides.
  • Inappropriate use of medical records by hospital staff as part of a “hot or not” game, which causes severe embarrassment and distress to certain patients.

A negligent attorney and an angry patient could potentially make a claim based upon any of the above and may seek a significant financial settlement or payout.

In light of the potential for such lawsuits and the significant damages that may be awarded, covered entities and business associates should consider reviewing their HIPAA compliance programs to identify weaknesses and institute safeguards and protocols to reduce the likelihood of inappropriate disclosures that may lead to a patient filing suit. Such safeguards may include, based upon the above examples, a subpoena review checklist, verification procedures, a reliable reporting protocol or other procedures to allow the entity or its staff to verify that information is being used and disclosed appropriately.


Business Associate Agreements – a First Look at Indemnification

A party’s responsibilities under HIPAA generally come from two sources – the law itself and the business associate agreement entered into between the covered entity (the health care provider or health plan) and the business associate (its vendor). While all parts of a business associate agreement are important, there are certain terms that are most likely to affect the parties’ liability and obligations.

One of these key terms is indemnification, and it is often the section of the business associate agreement that lawyers fight over most. Folks often wonder why lawyers tend to focus so much on this section, and the short answer is that when things go wrong – such as a data breach or HIPAA violation – indemnification is the clause that determines who pays, when they must pay, and how much they owe. In other words, it’s the money clause.

Indemnification is the concept through which the party at fault makes the other party whole; in other words, the party at fault will pay the costs, expenses, fines, and losses that the other party incurs.

While many underlying agreements will address indemnification (such as a service agreement or consulting agreement), it is often best to address indemnification in the business associate agreement and how it specifically applies to the use and disclosure of protected health information (PHI). Your goal is to not incur costs or damages due to the act or omission of the other party, or to at least limit your exposure to such costs. The costs and damages a party is typically most worried about are those incurred due to a data breach or HIPAA violation by the other party, such as attorney fees, notification costs, credit monitoring, or fines.

Let’s take an example of a typical data breach to demonstrate the importance of indemnification:

City Hospital hires a consulting firm to provide guidance on improving patient outcomes. As part of the engagement, a consultant downloads a list of patient records to a laptop. Unbeknownst to the consultant, IT mistakenly failed to encrypt the laptop. While in an airport, the laptop is stolen. The consultant reports the breach to her employer and the hospital is notified.

When notice of the stolen laptop reaches a hospital executive or an executive director of the consulting firm, one of the first questions asked will be: “what is this going to cost us?” When faced with a data breach that can easily cost a health care facility six figures, the first place the facility and its attorneys will look is the indemnification clause. This paragraph will tell them who is responsible for paying the costs of the data breach (does the hospital pay or the consultant?), how much the obligated party must pay (if the consultant must pay, is there a cap?), and which costs the obligated party must pay (if the consultant must pay, does the consultant need to pay the hospital’s attorney fees?).

Moreover, what if the business associate agreement lacks an indemnification clause? In that case, someone will need to inform the hospital’s CEO that the hospital may be unable to recover its costs, or may be able to do so only at considerable expense. No one wants to be in the position of breaking such news to the CEO.

In a future post, we will look at the most important issues to keep in mind when drafting indemnification clauses in order to appropriately protect your organization.
