
When a CE is also a BA, make sure your HIPAA agreements are clear

The recent OCR settlement with Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia over HIPAA violations stemming from a breach should interest practices, because CHCS’s nursing home clients, all covered entities (CEs) under HIPAA, were spared penalties only because their business associate agreements (BAAs) placed responsibility for the breach squarely with CHCS.

This is how BAAs are supposed to work, but don’t always, due to poor understanding or contract management by CEs. (This will be discussed at length in the next issue of Part B News.)

Katherine Keefe, head of Beazley Breach Response Services for the Beazley Group in Philadelphia, notes that partners of large, complex health care entities have a particular problem in this regard: Confusion as to who, among the many players, has the covered-entity job, and who has the business-associate job.

The massive Anthem breach of 2015, which involved not only the insurance giant but also many smaller plans that worked with Anthem to insure their own beneficiaries, is a good example.

The confusion in this case was over Anthem’s dual status as CE under HIPAA and as a BA to some health plans that were themselves covered entities. “When you have a self-insured employer-sponsored health plan, for example, that plan is technically the covered entity under HIPAA, and in most cases that plan contracts with a third-party administrator, such as Anthem, to administer the benefits -- enroll the members, add dependents, process and reconcile premium and pay the health care claims,” says Keefe.

Anthem was holding some data from plans like this, which was compromised in the breach, and some of the plans weren’t sure who was responsible for what. Right after the breach Keefe got calls from clients involved in some of these plans, asking, “should we rely on Anthem to notify our beneficiaries or should we do it ourselves?”

Anthem eventually took responsibility for all the notifications, but the breach clearly cost these clients some sleepless nights – and who knows what would have happened if their agreements weren’t in order and Anthem balked? Keefe advises health care partners to be absolutely sure they not only have BAAs for every appropriate relationship, but also that the agreement has everything they’ll need if there’s a breach, including timely notification of a data incident, cooperation from the BA with regard to an incident investigation, and payment/indemnification of response costs.
