While Plan Administrators handle various daily operations within their health and welfare benefit plans, certain essential operational features are outsourced to external service providers. These operational tasks often involve handling protected health information (PHI). Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has governed the standards for safeguarding and transmitting PHI between covered entities and business associates. When a Plan Administrator enlists a service provider to execute tasks for their benefit plan, that service provider assumes the role of a business associate. Under the same regulations as covered entities, business associates are required to protect PHI.

The exchange of PHI must be accompanied by a business associate agreement (BAA). The Department of Health and Human Services Office of Civil Rights (OCR) has escalated its enforcement actions concerning both covered entities and business associates. Our June 2023 article discussed when a BAA is required, and this article explores the liability of covered entities in relation to their business associates.

BAAs stipulate what PHI is exchanged between a covered entity and a business associate, how it will be used, and what to do in the event of a breach.

Covered entities are healthcare providers, healthcare clearinghouses and health plans that transmit PHI. Plan Sponsors rely on Plan Administrators to execute the daily operational tasks essential to managing an employer’s health and welfare benefit plan. Business associates are service providers that fulfill a distinct role involving PHI to help the Plan Administrator carry out routine functions. Both covered entities and business associates are required to follow HIPAA’s privacy and security rules.

When a covered entity establishes a partnership with a business associate, both must sign a business associate agreement. The agreement must contain specific elements to be compliant with HIPAA. The contract must describe the permitted use of the PHI to be exchanged, impose limitations on how PHI is shared by the business associate, and require safeguards to prevent the unwanted disclosure of PHI.

Covered entities risk liability for the noncompliance of their business associates.

With the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), business associates were assigned direct liability for HIPAA penalties and corrective actions. Subsequent guidance from HHS has made clear, however, that the noncompliance of a business associate can also be attributed to the covered entity it serves.

As of May 2023, the OCR has investigated and resolved a considerable number of cases, requiring corrective measures and imposing fines. Among over 30,000 cases, 133 cases have resulted in civil money penalties totaling over $1.3 billion. The OCR has increased monitoring and enforcement against both covered entities and business associates that fall short of complying with the law. In the last twelve months, several covered entities and business associates have reached settlements with the OCR, with imposed fines ranging from $75,000 to $875,000.

Plan Sponsors and Administrators must ensure the service providers they contract with follow the privacy and security practices outlined in the BAA. In 2022, more than 15 health-plan-covered entities reported incidents of PHI breaches stemming from security risks at their business associates. While penalties were not imposed in these cases, these occurrences prompted revised safeguards. Several covered entities offered complimentary monitoring services to affected individuals and enhanced oversight of their business associates’ practices.

In September of 2022, a business associate of Delta Dental of Washington, a large dental benefits company in the state of Washington, experienced a breach in which the PHI of 6,361 individuals was held hostage by ransomware. In March of 2022, a Kaiser Foundation Health Plan business associate reported a breach in which the PHI of 695 individuals became viewable to an impermissible group of individuals. Both health plans notified HHS, the affected individuals and the media, and implemented additional administrative and technical safeguards.

Plan Sponsors should periodically evaluate their privacy and security protocols, review their BAAs, and verify the compliance of their business associates. Recommended steps include:

  • Perform a comprehensive risk analysis and implement any necessary safeguards
  • Conduct HIPAA training for staff
  • Thoroughly review all BAAs with service providers
  • Verify that service providers are conducting HIPAA training, performing risk analyses and implementing necessary safeguards
  • Promptly report identified breaches to the HHS, as applicable


Plan Sponsors, as covered entities, are responsible for safeguarding participants’ PHI in accordance with HIPAA. Plan Administrators play a crucial role in ensuring service providers adhere to HIPAA guidelines and in executing BAAs before exchanging PHI. These service providers become business associates of the covered entity and must adhere to HIPAA’s privacy and security protocols. Covered entities may be held accountable for breaches involving their business associates and, therefore, must verify their service providers are implementing the necessary safeguards to maintain HIPAA compliance.

EPIC offers this material for general information only. EPIC does not intend this material to be, nor may any person receiving this information construe or rely on this material as, tax or legal advice. The matters addressed in this document and any related discussions or correspondence should be reviewed and discussed with legal counsel prior to acting or relying on these materials.



Liz Mann

Compliance Director – Atlanta, GA