Many hospitals and medical practices outsource some or all of their pathology needs. Traditionally, such services consisted of laboratory work, up to and including around-the-clock diagnostic support from specialized teams of pathologists. More recently, vendors have begun selling custom software, known as “laboratory information systems,” for managing in-house labs. These systems typically handle some combination of accounting, billing, workflow management, reporting, and the storage and retrieval of lab reports. From the perspective of applicable state and federal rules, every one of these arrangements creates privacy and security risk for both the labs and the vendors that serve them.
What Are the Information Risks?
Hackers and dishonest insiders will sometimes directly target patient or employee financial and demographic information (personally identifiable information, or PII) or complete medical records with insurance information, because these are useful for committing fraud or identity theft. More typically, however, thieves go after physical devices that have value in their own right, such as laptops, tablets, or smart phones. Even though the thief may not care at all about the sensitive data on the device, these thefts frequently result in a data security incident that must then be reported and managed.
In addition to intentional misconduct, PII and protected health information (PHI) are also at risk from negligent or inadvertent disclosure, including mishandling by outside technology vendors. Common scenarios include lost portable devices, badly secured IT systems, poor access control, and mixed-up records or reports sent to unauthorized recipients. Whether the cause is intentional or unintentional, a privacy or security breach is an event that must be managed in compliance with applicable state and federal laws and regulations.
The Basics of State Law
Most state data privacy and breach notification statutes do some or all of three main things: (1) force organizations to disclose incidents involving potential identity theft and financial fraud; (2) require companies to inform consumers about their security practices; and (3) prescribe minimum standards for handling personal or sensitive information, with an eye to preventing fraud. State laws tend to focus on the exposure of financial information or Social Security numbers (SSNs) as the triggering events for an obligation to notify affected individuals and, in some states, the state attorney general and other state regulators. Breach notification alone can cost well into six figures, and it is often followed by state investigations, fines, and private lawsuits, including class actions. Frequently, these forms of liability do not require any intentional fault or gross negligence on the part of the entity being investigated, fined, or sued.
In the medical context, it is not just the hospital, medical practice, or other traditional Health Insurance Portability and Accountability Act (HIPAA) “covered entity” that has to face the various forms of liability created by state law. Outside vendors and labs must also worry about compliance with state laws, even where the data in question is not their own. In fact, vendors in some circumstances may have an independent duty to notify a patient that a breach has occurred.
The Basics of HIPAA and the New Final Rule
In January 2013, the Department of Health and Human Services (HHS) released the long-awaited HIPAA final rule. The final rule significantly revised the privacy and security regulatory provisions affecting HIPAA-regulated entities. Outside labs and technology vendors may be accustomed to a regime in which covered entities (CEs) carry all the responsibility and liability, but that changes under the final rule, which places significant responsibility on business associates (BAs). In particular, both the revised privacy rule and the revised security rule contain new provisions aimed at BAs. Consequently, outside labs and technology vendors cannot escape meaningful HIPAA obligations simply by virtue of being BAs rather than CEs.
Notably, the final rule rejects any neat, absolute distinction between CEs and BAs, instead recognizing that an organization can be both. This raises compliance issues for outsourced pathology labs. From the perspective of the hiring hospital or medical practice, an outsourced lab is clearly a BA, but as a provider of diagnostic services to individual patients, a full-service pathology lab arguably also fits the regulatory definition of a covered entity. Because an entity may be a BA or a CE depending on the service being performed, labs in this position will have to comply with the parts of the final rule aimed at each role.
There are three areas in particular that labs and technology vendors, operating as BAs, need to address under the final rule. Many of these can be dealt with as HIPAA business associate agreements (BAAs) are updated to conform to the final rule.
Breach Notice: The HIPAA breach-notice framework is largely preserved in the final rule, although the earlier “risk of harm” threshold has been replaced: an impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. BAs are not required to notify affected individuals of a breach; they are, however, required to notify the CE, without unreasonable delay and in no case later than 60 days after the breach is discovered.
Privacy Rule: BAs may not “use or disclose” PHI except as permitted by their BA contract, and generally may not use or disclose PHI except as the rule allows. BAs are also barred from selling PHI and from using or disclosing genetic information for underwriting purposes. PHI must not be used or disclosed beyond the minimum necessary to accomplish the purpose of the use or disclosure. This standard applies to most uses and disclosures, including those for payment and health care operations, though not to disclosures to a provider for treatment.
Security Rule: All BAs are now required to implement appropriate technical, administrative, and physical safeguards to secure electronic PHI. This includes protecting against “reasonably anticipated threats or hazards to the security or integrity of such information” and ensuring workforce compliance. (Thieves and hackers are probably “reasonably anticipated threats” where PII and PHI are concerned.) Lab technology vendors with cloud or software-as-a-service offerings should especially pay attention to these requirements—by accepting electronic PHI onto their own managed system, they are accepting regulatory obligations and liability that cannot be contractually avoided.
These provisions are now in effect, although the Office for Civil Rights, HHS’s enforcement arm for these regulations, will not enforce compliance until Sept. 23, 2013. In general, outside pathology labs and lab vendors that already had robust privacy and security procedures in place will have an easier time meeting the new requirements. Even so, these service providers should review their existing policies and procedures now to ensure compliance by the September deadline. CEs should encourage their vendors to undertake such a review and should undertake one themselves. While BAs are directly liable for their own HIPAA violations, CEs remain liable if they fail to manage their vendors prudently.
Security and Privacy Strategies
There is no substitute for technically strong information technology safeguards, and these basics become more important as information is dispersed more widely among vendors and outside service providers. They should be generally familiar.
Institutions should restrict where data is stored and who can reach it; deidentify data (do not use SSNs as patient identifiers, for example); limit access rights, including within the IT group (it is bad practice, for example, to give network administration rights to every help desk technician); use strong authentication (e.g., strong passwords or passphrases, no shared accounts, periodic password expiry, limits on failed login attempts); maintain a verified, working backup system; ideally, maintain verified, working access to logs at the network, server, PC, and application levels; keep software patched and up to date, including anti-virus and anti-malware definitions; place appropriate restrictions on public network share drives (beware of employees who inadvertently create a privacy incident by sharing files that contain sensitive information); manage servers appropriately (e.g., do not routinely run services under a network administrator or superuser account); and provide employees with a secure e-mail option.
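The “do not use SSNs as patient identifiers” advice above deserves a concrete illustration, because the obvious shortcut (storing a plain hash of the SSN as the identifier) does not actually deidentify anything: there are only about a billion possible SSNs, so an unkeyed hash can be inverted by enumeration. The following is an added example, written for this article and not code from any lab system or vendor, showing a keyed surrogate identifier (HMAC-SHA256 under a secret held outside the lab database) beside the weak unkeyed variant, and a brute-force routine that recovers the SSN from the unkeyed token but not from the keyed one. The SSN `123-45-6789` and the candidate range are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def normalize_ssn(ssn: str) -> str:
    """Canonicalize an SSN so '123-45-6789' and '123456789' map to one token."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def unkeyed_token(ssn: str) -> str:
    """Weak surrogate: plain SHA-256 of the SSN.

    The input space is only ~1e9 values, so anyone holding the token can
    recover the SSN by hashing every candidate. Shown here as the anti-pattern.
    """
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def keyed_token(ssn: str, key: bytes) -> str:
    """Surrogate patient identifier: HMAC-SHA256 of the SSN under a secret key.

    The key lives in a key store or HSM, never in the lab database, so a
    stolen table of tokens cannot be enumerated back to SSNs without it.
    The same SSN still yields the same token, so records can be linked.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 32 random bytes")
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def brute_force(token: str, candidates: Iterable[str],
                key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: try every candidate SSN against a token.

    With key=None the attacker assumes an unkeyed hash; with the real key
    (insider or key compromise) the keyed scheme is just as enumerable,
    which is why key custody matters as much as the algorithm.
    """
    for cand in candidates:
        guess = keyed_token(cand, key) if key is not None else unkeyed_token(cand)
        if hmac.compare_digest(guess, token):
            return normalize_ssn(cand)
    return None


def demo() -> dict:
    """Run the comparison on constructed data and return the outcomes."""
    key = secrets.token_bytes(32)           # generated fresh; would come from a key store
    ssn = "123-45-6789"                     # constructed sample, not a real SSN
    # Attacker who knows (or guesses) the first five digits: 10,000 candidates.
    candidates = [f"123-45-{i:04d}" for i in range(10_000)]
    return {
        "unkeyed_recovered": brute_force(unkeyed_token(ssn), candidates),
        "keyed_recovered_without_key": brute_force(keyed_token(ssn, key), candidates),
        "keyed_recovered_with_key": brute_force(keyed_token(ssn, key), candidates, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unkeyed token is recovered in a fraction of a second even from this small candidate space, and the full nine-digit space is only a few minutes of hashing; the keyed token is recovered only when the attacker also holds the key. Two practical consequences follow: keep the HMAC key out of the database that holds the tokens, and treat the key like any other credential (rotate it on suspected compromise, which means re-tokenizing).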
There are technology firms with specialized security auditing services that can help organizations test and manage these and other aspects of their IT security. Such testing could be incorporated into an annual risk assessment.
Pathology services and vendors of laboratory information systems can deliver a wide range of services on many different device platforms. In these contexts, CEs and their vendors should pay attention to how much data is stored on outside systems and for how long it remains available. Appropriate limits on data storage and retention, enforced by technical controls, contractual provisions, and/or periodic audits, are advisable. Both CEs and vendors should also pay attention to access controls; for example, a service that gives physicians telephone access to lab reports should require a meaningful numeric PIN or other authentication step rather than a guessable one.
CEs using outsourced labs should pay particular attention to mobile device security, since lab reports and other patient records are likely to be accessed from portable devices. (Many pathology services treat such convenient access as a selling point.) In particular, CEs should implement strong encryption on all portable devices, with the decryption key kept off the device itself (for example, behind a device passcode rather than stored alongside the data). Doing so can bring a CE within the safe-harbor provision of the final rule and of many state breach-notification statutes, which treat properly encrypted data as not having been breached. That, in turn, can mean avoiding regulatory fines and costly breach-notice obligations in the eventuality that a portable device is lost or stolen.
CEs should pay attention to the regulatory requirements for BAAs, including the new final rule requirements. BAs must provide “satisfactory assurances” that PHI will be safeguarded, and CEs should consider spelling out and requiring specific IT safeguards in the BAA rather than relying on that general phrase. The BAA should also address the requirement to limit the use of PHI to the purposes of the contract.
Contract provisions can also be used to specify the procedures—and any indemnification and limitation on liability—for responding to a breach affecting both a vendor and vendee. Contracts should address questions like, Who controls the response to a breach? Who can be obligated to conduct a forensic investigation? What information-sharing or auditing rights does the CE have? From whom will any breach notifications come? How will external communication be controlled? What is the time frame within which a business associate must notify a covered entity of a suspected incident? Who is responsible for the costs of breach notification?
All entities should have a data breach incident response plan and an incident response team. Typically, the team will consist of representatives of senior management, IT, compliance, communications, and legal. There should be clear policies and procedures for confidentially reporting a suspected data breach within the organization, and employees should receive appropriate training on them. Entities should also consider cyber-liability insurance. Even with the best practices, it is impossible to predict or prevent every event, and insurance is a sound way to address the residual risk.
Conclusion
Many businesses have the mistaken impression that outsourcing services is, in itself, a good way to manage data privacy liability—and many vendors are happy to trade on this impression. But hospitals and medical practices should enter vendor arrangements with their eyes wide open: while strategic outsourcing may make sense for many reasons, legal risk avoidance is probably not one of them. With respect to breach-notice obligations, reputational risk, regulatory risk, and private lawsuits, the CE’s data privacy liability substantially remains, even where services are outsourced. And, for their part, vendors increasingly share these same risks. These new realities call for careful policies and proactive management on all sides.
Theodore Kobus III can be reached at tkobus@bakerlaw.com.
Michael Young can be reached at myoung@bakerlaw.com.