There are many due diligence and due care considerations required under HIPAA, amplified by the HITECH Act. Rachel V. Rose, JD, MBA wrote this article originally for Becker’s Hospital Review and has granted permission to republish the article here. Rachel underscores the importance and value of completing a Risk Analysis. Here’s today’s big tip – Learn important due diligence considerations under HIPAA and the HITECH Act.
HIPAA Security Risk Analysis Tips – Due Diligence Mitigates Liability Exposure Under HIPAA and the HITECH Act
Written by and republished with permission of Rachel V. Rose, JD, MBA, Principal, Rachel V. Rose – Attorney at Law, PLLC, Houston | May 16, 2012. It was originally published in Becker’s Hospital Review and may be found at: http://www.beckershospitalreview.com/healthcare-information-technology/due-diligence-mitigates-liability-exposure-under-hipaa-and-the-hitech-act.html
One area of healthcare that has significant liability potential and has received heightened enforcement is violations of protected health information under the Health Insurance Portability and Accountability Act of 1996 and the 2009 Health Information Technology for Economic and Clinical Health Act. Both HIPAA and HITECH Act violations have the potential to cause substantial financial, reputational and operational harm to covered entities, business associates and subcontractors. Therefore, HIPAA covered entities, business associates and subcontractors need to comply with 45 C.F.R. §164.504(e), which delineates the privacy terms required in HIPAA business associate agreements, pursuant to Section 13404 of the HITECH Act.
Comprehensive risk assessments provide a prudent avenue to mitigating liability exposure and complying with the privacy, security and data breach rules. A risk assessment should be conducted in a manner similar to doing “due diligence in the context of mergers, acquisitions, divestitures or joint ventures (strategic initiatives).” Due diligence, when approached from both the strategic buyer’s and seller’s standpoint, has been defined as the “affirmative duty to ensure compliance with disclosure obligations and the investigation that is part of nearly every … corporate acquisition, whether out of an affirmative duty or a thought to a future defense.” Likewise, the HITECH Act’s Breach Notification Rule requires each contracting party to conduct a risk assessment; hence, each party must provide assurances of compliance with the expanded HIPAA Privacy and Security Rules’ requirements.
Violating the technical requirements and/or causing or discovering a related incident consistent with breaching the provisions defined in HIPAA and the HITECH Act exposes covered entities, business associates and subcontractors to increased government enforcement and to potential reputational and financial damages. As such, this article will focus on various aspects of due diligence under HIPAA and the HITECH Act and the liability exposure associated with non-compliance.
Due diligence considerations under HIPAA and the HITECH Act
The HITECH Act holds covered entities and business associates accountable to HHS and to individuals for properly safeguarding private information. A primary objective of HIPAA is to define and confine the circumstances in which PHI may be used or disclosed by covered entities, business associates and subcontractors. In determining whether a person is the agent of the covered entity or business associate, the federal common law of agency is used.
A covered entity, according to the HIPAA Administrative Simplification Regulations, is a healthcare provider that “transmits any health information electronically in connection with a covered transaction, such as submitting healthcare claims to a health plan.” Under HIPAA, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services are considered business associates. Business associates are defined as “a person who performs functions or activities on behalf of, or certain services for, a covered entity that involved the use or disclosure of individually identifiable health information.” Along the same lines, a subcontractor is a person who contracts with a business associate and who also handles PHI.
Under the HITECH Act, the “snitch provision” of the HIPAA Privacy Rule applies equally to a business associate as it does to a covered entity. Consequently, both the covered entity and the business associate have an affirmative duty to take reasonable steps to cure a breach or other violation. Notably, the actions or inactions of one group, including subcontractors, may adversely affect another group.
Recent actions by the Minnesota Attorney General highlight the notion that covered entities are not the only group that needs to comply with the provisions set forth in HIPAA and the HITECH Act. Here, the Attorney General alleged that Accretive Health, Inc. violated both laws as a business associate for exposing more than 25,000 patients’ PHI from two Minnesota hospitals with whom it had business associate agreements. The crux of the claim focused on Accretive’s failure to comply with the regulations in relation to implementing and maintaining appropriate administrative, technical and physical safeguards, such as encryption, for PHI after agreeing with two covered entities that “it would not use or disclose protected health information in violation of HIPAA or HITECH and that it would use ‘appropriate safeguards’ to prevent the misuse or disclosure of protected health information” (emphasis added).
Another illustrative example is CVS Caremark Corp.’s 2009 violation of the Federal Trade Commission Act for failing to provide reasonable and adequate security measures for PHI after disseminating a privacy and confidentiality statement that consumers relied upon. The Federal Trade Commission Act gives the Federal Trade Commission “the authority to prohibit unfair or deceptive practices in or affecting commerce.” Unfair or deceptive practices are further delineated and include acts that either actually cause or are likely to cause reasonably foreseeable injury, or that involve material conduct.
The FTC determined that CVS had engaged in a multitude of protocols that conflicted with its representation to consumers about protecting PHI. Specifically, CVS failed to: (1) implement adequate policies and procedures to dispose of PHI; (2) adequately train employees; (3) use reasonable measures to assess compliance; and (4) employ a reasonable process for discovering or remedying risks to such information. Ultimately, the FTC held that CVS inappropriately discarded PHI as a result of its policy and procedure failures.
The interim final enforcement regulations expressly define “reasonable diligence” as “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.” The legal requirements under HIPAA and the HITECH Act involve complying with both prophylactic technical requirements and potential breach/breach incident requirements. Workforce training is a key component of an entity’s ability to discover a breach-related incident, and the training serves to demonstrate whether the required entities are “seeking to satisfy a legal requirement.” HHS, building upon the knowledge and diligence requirements, “recommends that covered entities and business associates implement reasonable and appropriate internal systems to assist in the discovery of breaches, as well as appropriate training programs for employees and other workforce members.”
Just as there are fundamental inquiries in the due diligence process of a strategic initiative, there are basic questions affiliated with HIPAA and the HITECH Act’s reasonable diligence in risk assessments. These include:
- Have you identified the ePHI within your organization? This includes ePHI that you create, receive, maintain or transmit.
- What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI?
- What are the human, natural and environmental threats to information systems that contain ePHI?
In 2010, the Office for Civil Rights released guidance on HIPAA’s risk analysis requirements, which built upon the foundation set forth by the National Institute of Standards and Technology. Evaluation of risks and vulnerabilities is required, as is an organization’s implementation of reasonable and appropriate security measures subject to the Security Rule. This rule expressly requires entities to conduct “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the [organization].” In other words, a risk analysis that meets OCR, NIST and other regulatory guidelines is required.
Had due diligence in the form of a comprehensive risk assessment of HIPAA and the HITECH Act’s protocols, procedures and training been performed by Accretive and CVS, the claims and potential penalties may have been averted or diminished. Therefore, in order to limit similar or greater liability exposure, required entities should perform “reasonable diligence” through comprehensive internal and external risk assessments.
Damages resulting from a regulatory violation can have significant ramifications, and HIPAA and the HITECH Act are no exception. The government’s commitment to enforcing compliance with HIPAA legal standards is reflected in the increased civil monetary penalties, potential criminal penalties and the January 2012 suit filed by the Minnesota Attorney General against Accretive Health. Entities violating HIPAA and the HITECH Act provisions may also be liable under other statutes, including the Federal Trade Commission Act, Sarbanes-Oxley, Dodd-Frank, state law and the False Claims Act.
Related to the potential penalties that may be assessed under the multitude of laws listed is the diminished mens rea requirement with respect to certain healthcare regulatory violations. HIPAA is among them. Prior to the enactment of the Patient Protection and Affordable Care Act, the American Recovery and Reinvestment Act of 2009 criminalized certain HIPAA violations that were committed through “willful neglect.” Although willful neglect was not defined in that particular statute, the HITECH Act, which amended HIPAA and is included in ARRA, defined willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” Hence, the level of intent associated with “willful neglect” under HIPAA and the HITECH Act coincides with negligence, as there is no apparent requirement of awareness of wrongdoing. HHS echoed this sentiment in a press release:
“Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered healthcare provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.”
Therefore, covered entities cannot simply use ignorance as an excuse for not complying with the regulatory requirements of HIPAA and the HITECH Act.
As an example, consider the approximately 28,000 violations of PHI identified in the Minnesota Attorney General’s claim against Accretive, where the “willful neglect” standard was used for the alleged HIPAA and HITECH Act violations. Criminal penalties may also be assessed, and the HHS Secretary has a great deal of discretion. Six years is the maximum disclosure accounting period immediately preceding the accounting request. The HIPAA Regulations provide that the amount of a civil money penalty is to be determined in accordance with paragraph (b) of that section and §§160.406, 160.408 and 160.412. Violations occurring before February 18, 2009, carry a maximum penalty of $100 for each violation, or a ceiling of $25,000 for identical violations during a calendar year (January 1 through December 31).
Consider the chart below, which illustrates the potential regulatory penalties for the 28,000 PHI violations:
| Entity | HIPAA civil money penalty (maximum for all violations of an identical provision) | False Claims Act |
|---|---|---|
| Client hospitals (covered entity) | $1,500,000 | Civil penalty range per violation ($5,500–$11,000): 28,000 × $5,500 = $154,000,000; 28,000 × $11,000 = $308,000,000; plus treble damages ranging from $462,000,000 to $924,000,000 |
| Covered entity total (does not include business associate and subcontractor liability; excludes potential criminal penalties) | Up to $1,232,000,000 | |
As the chart demonstrates, the potential monetary ramifications from the statutory penalties alone are staggering. To put this in perspective, money collected by civil plaintiffs from JPMorgan Chase, Citigroup and the Canadian Imperial Bank of Commerce in the Enron case reached $7.3 billion; and, in 2005, Encompass Health reached an agreement of $325 million to settle Medicare fraud violations. These figures represent a fraction of the total damages associated with these corporate wrongdoings. Likewise, the damages expressed in the chart reflect a small portion of the liability facing entities that violate HIPAA and the HITECH Act.
Given the considerable costs seen in these other domains, the implications for an entity violating HIPAA and the HITECH Act’s provisions are significant. Therefore, being in compliance should be a priority for covered entities, business associates and subcontractors.
In sum, HIPAA and HITECH Act violations have the potential to adversely impact entities significantly from a financial, reputational and operational standpoint. The penalties alone could be staggering, and, if the entity is publicly traded, the ramifications can be far reaching and implicate various securities-related laws. Therefore, covered entities, business associates and subcontractors should be proactive in assessing their internal policies against the “reasonable diligence” required under the statute. In turn, measures should be taken to ensure that the entities they are doing business with meet the same standards, or penalties may still be assessed. By performing comprehensive risk assessments, entities can mitigate their liability exposure and protect patients’ privacy — something we all value.
American Health Lawyers Association, Enterprise Risk Management for Healthcare Entities, p. 385 (1st Ed. 2009).
Id., citing Katz, David A., Due Diligence in Acquisition Transactions, Practicing Law Institute PLI Course Handbook, Conducting Due Diligence 2003, pp. 579-580 (Jun. 2007).
U.S. Department of Health and Human Services, HHS Settles HIPAA Case with BCBST for $1.5 Million – First Enforcement Action Resulting from HITECH Breach Notification Rule, available at www.hhs.gov/news (Mar. 13, 2012); Doug Pollack, HHS Puts Teeth into HIPAA/HITECH Enforcement (Mar. 23, 2011), available at www2.idexpertscorp.com.
45 C.F.R. § 164.404(a)(2).
HHS-OCR Privacy Brief, Summary of the HIPAA Privacy Rule, p. 3 (2003).
HITECH Act § 13404(b), citing the HIPAA “Privacy Rule” provision 45 C.F.R. § 164.504(e)(1)(ii).
45 C.F.R. § 160.404; State of Minnesota v. Accretive Health, Inc., Complaint, 3, 19-20 (U.S. District Court of MN (Jan. 19, 2012)) (showing that PHI data violations were discovered on “at least 23,531 Fairview and North Memorial patients” and North Memorial’s expert “discovered an additional 6,690 patients whose names and data were believed to be on the laptop but who were not revealed to be on the laptop by Accretive.”).
In the Matter of CVS Caremark Corporation, FTC File No. 072 3119 (Jun. 18, 2009). The representation CVS made to consumers: “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information (“Protected Health Information” or “PHI”). PHI is information about you, including basic information that may identify you and relates to your past, present or future health or condition and the dispensing of pharmaceutical products to you. We take this responsibility very seriously.”
15 U.S.C. § 45(a)(1).
45 C.F.R. § 164.401.
American Health Lawyers Association, Federal Breach Notification Resource Guide, p. 36 (Jul. 2011).
Id., citing 74 Fed. Reg. at 42749.
National Institute of Standards and Technology, SP 800-30 – Risk Management Guide for Information Technology Systems, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidancehtml; Office for Civil Rights, Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Jul. 14, 2010).
Elizabeth R. Sheyn, Toward a Specific Intent Requirement in White Collar Crime Statutes: How the Patient Protection and Affordable Care Act of 2010 Sheds Light on the “General Intent Revolution”, Vol. 64 FL Law Review 449, 466 (2012).
45 C.F.R. § 164.528.
45 C.F.R. § 160.404.
Kristen Hays, Enron Shareholders Are One Step Closer to Some Money (May 26, 2007), available at http://www.chron.com/business/enron/article/Enron-shareholders-are-one-step-closer-to-some-1834838.php; Health South Chronology, http://www.bmartin.cc/dissent/documents/health/healthsouth_flowch.html (last visited Apr. 3, 2012).