[Med-privacy] bus. associates

Peter Marshall pwm@comcast.net
Wed, 31 Aug 2005 08:23:58 -0700


Privacy In Focus®

Should Health Plans Audit Business Associates for HIPAA Privacy Rule Compliance?
By Dorthula H. Powell-Woodson and Steven D. Morgan
August 2005 | Privacy In Focus

In the wake of many disquieting data loss reports, health plans must wonder whether business associates with whom they share their members' protected health information (PHI) are properly protecting the health plan members' PHI as they are obligated to do under their business associate agreements. If not, member PHI could face the same fate as the personal information recently taken from data repositories and financial institutions. Health plans may be predisposed to conduct compliance audits to assess whether a business associate's practices, records and supporting documents demonstrate compliance. This article discusses practical issues health plans may encounter when considering whether and how to audit business associates for Privacy Rule compliance.

HHS' Proposed Enforcement Rule

Last April, the U.S. Department of Health and Human Services (HHS) promulgated a Notice of Proposed Rule Making (NPRM) regarding the enforcement of the HIPAA Administrative Simplification provisions, which builds on the 2003 Interim Final Regulations. While business associate agreements must grant the Secretary of HHS certain audit rights, neither the Privacy or Security Rules, the Interim Final Regulations, nor the NPRM expressly require that covered entities include in their business associate agreements a provision granting the covered entity audit rights. This is consistent with OCR's stated position that a covered entity is not required to actively monitor the actions of its business associates.
NPRM "Subpart D," on the imposition of civil penalties, provides that the "Secretary will impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision," subject to the covered entity's right to establish an affirmative defense. Importantly, under proposed § 160.402(c), a covered entity is liable, in accordance with the law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of agency, unless:

1. The agent is a business associate of the covered entity.
2. The covered entity has complied, with respect to such business associate, with the applicable requirements of §§ 164.308(b) and 164.502(e) of this subchapter.
3. The covered entity did not (A) Know of a pattern of activity or practice of the business associate and (B) Fail to act as required by §§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable.
Under the referenced §§ 164.308(b) and 164.502(e), covered entities using the services of business associates are required to obtain satisfactory assurances by written contract or other arrangement that the business associate will adequately safeguard PHI. The preamble to the NPRM states that if "the covered entity complies with these requirements, it can protect itself from what could otherwise be liability for the actions of its agent business associates that violate the HIPAA rules." The preamble goes on to state that "[a]s specified in §§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii), even if a covered entity knows of a pattern of activity or practice by the business associate that constitutes a material breach or violation of the business associate's obligations under the contract, the covered entity will not be considered to be in violation of the regulations if it takes certain actions. If the covered entity fails to take these steps, however, it is outside the safe harbor provided by the Security and Privacy Rules and may be subject to penalty." These actions include curing the breach by ending the violation, terminating the agreement or reporting the violation to HHS.

Whether to Audit

Such a limitation on a covered entity's liability for a business associate's violation focuses the issue of whether a covered entity that satisfies the requirements of § 160.402(c) (and is otherwise HIPAA compliant) should audit its business associates, since doing so may result in the identification of violations and trigger a duty on the part of the covered entity to take one of the actions identified above. While the black letter of the HIPAA Rules may suggest that a health plan is not responsible for its business associates, the intent of the Rules is not to have a health plan turn a blind eye to the misconduct of its business associates or hide behind the health plan's bare compliance with the Rule's terms. Accordingly, the NPRM incorporates an affirmative defense whereby an otherwise liable health plan (or other covered entity) may avoid liability by showing it was reasonably diligent in monitoring compliance. Doing nothing more than signing a properly worded business associate agreement may not demonstrate such reasonable diligence. This, along with the business issue of customer satisfaction, underscores the complexity of assessing whether to conduct business associate audits.
Under § 160.410, HHS may not impose a civil money penalty if the covered entity establishes that "it did not have knowledge of the violation," and, "by exercising reasonable diligence, would not have known that the violation occurred." The term "reasonable diligence" means exercising "the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances." The preamble makes explicit that the "question this language raises is what action is required in order to show that it has exercised reasonable diligence and that its ignorance of the violation is, hence, excused." The preamble goes on to state that the "[f]actors to be considered in evaluating the applicability of this affirmative defense would include whether the covered entity took reasonable steps to learn of such violations and whether there were indications of possible violations, such as a complaint or other information made known to the entity, that a person seeking to satisfy a legal requirement would have investigated under similar circumstances." Thus, audits may strengthen a covered entity's ability to establish an affirmative defense for its own violations based on "reasonable steps to learn." Perhaps this is the most compelling reason that would lead a health plan to conduct business associate audits.

Establishing Audit Rights

The best, and perhaps only, way to determine whether a business associate has complied with its business associate agreement may be to audit it. Unless the business associate agreement or underlying services agreement specifically provides for compliance audits, however, a health plan may be unable to compel its business associate to allow an audit. Audit rights are contractually based, and if suitable rights cannot be negotiated as part of the agreement, the health plan should consider the appropriateness of continuing the relationship.
Business associate audits can be expensive, time-intensive undertakings. Thus, a health plan must consider whether its resources permit auditing its business associates as a matter of course, and which business associates merit priority. If a health plan determines that it cannot feasibly audit particular business associates, then the question becomes whether it is prudent to negotiate audit rights in agreements with those business associates.
As discussed above, the Privacy Rule does not require that a covered entity secure audit rights under its business associate agreements. However, once a covered entity reserves such rights, it could be argued that the entity takes on a duty to exercise those rights and monitor the business associates. For those business associates that a health plan cannot reasonably audit, a reporting requirement might be more helpful than audit rights. A reporting requirement could require the business associate to report periodically to the health plan regarding its compliance efforts and whether any violations occurred. Such a report should reflect the nature of the relationship between the parties, but, at a minimum, the report should explain any material compliance failures, identify any party to whom the business associate has disclosed participant PHI, explain the purpose for such disclosure(s) and describe any steps the business associate has taken to monitor parties receiving disclosures. This could save the health plan significant time and money by shifting the onus to the business associate to engage in "self policing" and to scrutinize those to whom it discloses PHI.
Such a reporting requirement might be supplemented by a provision granting the health plan audit rights contingent on the happening of specified significant events. These could include changes in how the business associate handles PHI (e.g., outsourcing PHI to off-shore vendors) or the occurrence of an event that compromises its members' PHI (e.g., a security breach or improper disclosure). This approach could enable the health plan to monitor its business associates through a more "hands-off" approach, while ensuring rights to conduct a formal audit should the need arise.

Prioritize Business Associates for Audit

A health plan that has secured audit rights in its agreements should consciously determine the extent to which it will exercise those rights, because, given the time and expense required for business associate audits, the health plan likely will find it impractical (or impossible) to audit all of its business associates on a routine basis.
In determining which business associates to audit, it is crucial for the covered entity to understand the manner in which member PHI flows. The mere fact that a business associate receives and stores participant PHI may not warrant auditing that business associate. For instance, a covered entity's accountants or attorneys may be business associates. However, there typically is little outflow (if any) of participant PHI from these entities, so disclosure risks are minimized. Typically, little, if any, purpose would be served by auditing such business associates. In contrast, business associates that are active in processing and sending PHI to other entities are likely to merit priority.

Identify Any "Downstream" Business Associates

Outsourcing work to foreign countries has become common in many industries as a way to lower labor costs. However, off-shoring PHI creates risks beyond those involved in sharing PHI with domestic "downstream" vendors. One notorious example occurred in 2003 when a woman in Pakistan who had been subcontracted to transcribe medical records threatened to post PHI on the Internet unless she was paid money she allegedly was owed. In that case, neither the covered entity, nor its business associate, knew PHI had been off-shored. A domestic subcontractor a few levels "downstream" from the "primary" business associate had off-shored the PHI without their knowledge. The incident highlights the need to know who your business associates subcontract with and to be able to follow your members' PHI all the way downstream. While the scenario that occurred in Pakistan could also happen at the hands of a domestic vendor's disgruntled employee, it is more risky if it occurs in a country where U.S. privacy laws or contracts are essentially unenforceable.
As the above example demonstrates, understanding the chain of entities that receives member PHI from a business associate is necessary to determine whether the business associate agreement has been followed. Just as the health plan retained the services of the business associate, so too the business associate may have retained the services of a "downstream" business associate. While the appropriateness of the business associate's so doing may turn on the particular language of the business associate agreement, the Privacy Rule prohibits the agreement from authorizing the business associate to use or further disclose PHI in a manner that would violate the requirements of the Privacy Rule, if done by the health plan, except that the agreement may permit the business associate to use and disclose PHI in certain situations for the proper management and administration of the business associate as provided by 45 C.F.R. § 164.504(e)(4). Additionally, the business associate agreement must provide that the business associate will not use or further disclose PHI other than as permitted or required by the agreement or as required by law. Notwithstanding such limits, it is quite possible that the health plan's business associate may have disclosed member PHI to a downstream business associate. Therefore, a health plan should consider including agreement provisions requiring its business associates to identify all parties to whom the business associates disclose member PHI and to provide copies of the agreements between those parties.

Conclusion

Although not expressly required under the Privacy Rule, health plans should consider whether to negotiate audit rights in their business associate agreements and whether alternatives to full-scale auditing may be appropriate. From both business and compliance perspectives, it makes sense for a health plan to take carefully designed steps to address the risk that its business associates may not adhere to their obligations to properly protect member PHI.

For more information, please contact Dorthula H. Powell-Woodson at 202.719.7150 or dpowell-woodson@wrf.com and Steven D. Morgan at 202.719.7517 or smorgan@wrf.com.


Copyright 2005. Wiley Rein & Fielding LLP.

--Apple-Mail-3--981733370
Content-Transfer-Encoding: quoted-printable
Content-Type: text/enriched;
	charset=ISO-8859-1




=
<bold><fontfamily><param>Helvetica</param><color><param>0000,6F6F,7D7D</pa=
ram><bigger>
Privacy In Focus=AE
</bigger></color></fontfamily></bold><fontfamily><param>Geneva</param>=20=



=
</fontfamily><bold><fontfamily><param>Helvetica</param><color><param>0000,=
6F6F,7D7D</param>Should
Health Plans Audit Business Associates for HIPAA Privacy Rule
Compliance?</color>

</fontfamily></bold><fontfamily><param>Geneva</param> By
<color><param>0000,6F6F,7D7D</param>Dorthula H. Powell-Woodson</color>
and <color><param>0000,6F6F,7D7D</param>Steven D. Morgan</color>

 August 2005 |=20
</fontfamily><italic><fontfamily><param>Helvetica</param>Privacy In
Focus</fontfamily></italic><fontfamily><param>Geneva</param>=20


In the wake of many disquieting data loss reports, health plans must
wonder whether business associates with whom they share their members'
protected health information (PHI) are properly protecting the health
plan members' PHI as they are obligated to do under their business
associate agreements. If not, member PHI could face the same fate as
the personal information recently taken from data repositories and
financial institutions. Health plans may be predisposed to conduct
compliance audits to assess whether a business associate's practices,
records and supporting documents demonstrate compliance. This article
discusses practical issues health plans may encounter when considering
whether and how to audit business associates for Privacy Rule
compliance.

</fontfamily><bold><fontfamily><param>Helvetica</param>HHS' Proposed
Enforcement Rule

</fontfamily></bold><fontfamily><param>Geneva</param>Last April, the
U.S. Department of Health and Human Services (HHS) promulgated a
Notice of Proposed Rule Making (NPRM) regarding the enforcement of the
HIPAA Administrative Simplification provisions, which builds on the
2003 Interim Final Regulations. While business associate agreements
must grant the Secretary of HHS certain audit rights, neither the
Privacy or Security Rules, Interim Final Regulations, nor the NPRM,
expressly require that covered entities include in their business
associate agreements a provision providing the covered entity audit
rights. This is consistent with OCR's stated position that a covered
entity is not required to actively monitor the actions of its business
associates.

NPRM "Subpart D," on the imposition of civil penalties, provides that
the "Secretary will impose a civil money penalty upon a covered entity
if the Secretary determines that the covered entity has violated an
administrative simplification provision," subject to the covered
entity's right to establish an affirmative defense. Importantly, under
proposed =A7=A0160.402(c), a covered entity is liable, in accordance =
with
the law of agency, for a civil money penalty for a violation based on
the act or omission of any agent of the covered entity, including a
workforce member, acting with the scope of agency, unless:

	1 	The agent is a business associate of the covered entity.

	2 	The covered entity has complied, with respect to such =
business
associate, with the applicable requirements of =A7=A7 164.308(b) and
164.502(e) of this subchapter.

	3 	The covered entity did not (A) Know of a pattern of =
activity or
practice of the business associate and (B) Fail to act as required by
=A7=A7 164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as
applicable.

Under the referenced =A7=A7 164.308(b) and 164.502(e), covered entities
using the services of business associates are required to obtain
satisfactory assurances by written contract or other arrangement that
the business associate will adequately safeguard PHI. The preamble to
the NPRM states that if "the covered entity complies with these
requirements, it can protect itself from what could otherwise be
liability for the actions of its agent business associates that
violate the HIPAA rules." The preamble goes on to state that "[a]s
specified in =A7=A7 164.314(a)(1)(ii) and 164.504(e)(1)(ii), even if a
covered entity knows of a pattern of activity or practice by the
business associate that constitutes a material breach or violation of
the business associate's obligations under the contract, the covered
entity will not be considered to be in violation of the regulations if
it takes certain actions. If the covered entity fails to take these
steps, however, it is outside the safe harbor provided by the Security
and Privacy Rules and may be subject to penalty." These actions
include curing the breach by ending the violation, terminating the
agreement or reporting the violation to HHS.

</fontfamily><bold><fontfamily><param>Helvetica</param>Whether to Audit

</fontfamily></bold><fontfamily><param>Geneva</param>Such a limitation
on a covered entity's liability for a business associate's violation
focuses the issue of whether a covered entity that satisfies the
requirements of =A7 160.402(c) (and is otherwise HIPAA compliant) should
audit its business associates, since doing so may result in the
identification of violations and trigger a duty on the part of the
covered entity to take one of the actions identified above. While the
black letters of the HIPAA Rules may suggest that a health plan is not
responsible for its business associates, the intent of the Rules is
not to have a health plan turn a blind eye to the misconduct of its
business associates or hide behind the health plan's bare compliance
with the Rule's terms. Accordingly, the NPRM incorporates an
affirmative defense whereby an otherwise liable health plan (or other
covered entity) may avoid liability by showing it was reasonably
diligent in monitoring compliance. Doing nothing more than signing a
properly worded business associate agreement may not demonstrate such
reasonable diligence. This, along with the business issue of customer
satisfaction, underscores the complexity of assessing whether to
conduct business associate audits.

Under =A7 160.410, HHS may not impose a civil money penalty if the
covered entity establishes that "it did not have knowledge of the
violation," and, "by exercising reasonable diligence, would not have
known that the violation occurred." The term "reasonable diligence"
means exercising "the business care and prudence expected from a
person seeking to satisfy a legal requirement under similar
circumstances." The preamble makes explicit that the "question this
language raises is what action is required in order to show that it
has exercised reasonable diligence and that its ignorance of the
violation is, hence, excused." The preamble goes on to state that the
"[f]actors to be considered in evaluating the applicability of this
affirmative defense would include whether the covered entity took
reasonable steps to learn of such violations and whether there were
indications of possible violations, such as a complaint or other
information made known to the entity, that a person seeking to satisfy
a legal requirement would have investigated under similar
circumstances." Thus, audits may strengthen a covered entity's ability
to establish an affirmative defense for its own violations based on
"reasonable steps to learn." Perhaps this is the most compelling
reason that would lead a health plan to conduct business associate
audits.

</fontfamily><bold><fontfamily><param>Helvetica</param>Establishing
Audit Rights=20

</fontfamily></bold><fontfamily><param>Geneva</param>The best, and
perhaps only, way to determine whether a business associate has
complied with its business associate agreement may be to audit it.
Unless the business associate agreement or underlying services
agreement specifically provides for compliance audits, however, a
health plan may be unable to compel its business associate to allow an
audit. Audit rights are contractually based, and if suitable rights
cannot be negotiated as part of the agreement, the health plan should
consider the appropriateness of continuing the relationship.

Business associate audits can be expensive, time-intensive
undertakings. Thus, a health plan must consider whether its resources
permit auditing its business associates as a matter of course, and
which business associates merit priority. If a health plan determines
that it cannot feasibly audit particular business associates, then the
question becomes whether it is prudent to negotiate audit rights in
agreements with those business associates.

As discussed above, the Privacy Rule does not require that a covered
entity secure audit rights under its business associate agreements.
However, once a covered entity reserves such rights, it could be
argued that the entity takes on a duty to exercise those rights and
monitor the business associates. For those business associates that a
health plan cannot reasonably audit, a reporting requirement might be
more helpful than audit rights. A reporting requirement could require
the business associate to report periodically to the health plan
regarding its compliance efforts and whether any violations occurred.
Such a report should reflect the nature of the relationship between
the parties, but, at a minimum, the report should explain any material
compliance failures, identify any party to whom the business associate
has disclosed participant PHI, explain the purpose for such
disclosure(s) and describe any steps the business associate has taken
to monitor parties receiving disclosures. This could save the health
plan significant time and money by shifting the onus to the business
associate to engage in "self policing" and to scrutinize those to whom
it discloses PHI.

Such a reporting requirement might be supplemented by a provision
granting the health plan audit rights contingent on the happening of
specified significant events. These could include changes in how the
business associate handles PHI (</fontfamily><italic><fontfamily><param>Helvetica</param>e.g.</fontfamily></italic><fontfamily><param>Geneva</param>,
outsourcing PHI to off-shore vendors) or the occurrence of an event
that compromises its members' PHI (</fontfamily><italic><fontfamily><param>Helvetica</param>e.g.</fontfamily></italic><fontfamily><param>Geneva</param>,
a security breach or improper disclosure). This approach could enable
the health plan to monitor its business associates through a more
"hands-off" approach, while ensuring rights to conduct a formal audit
should the need arise.

</fontfamily><bold><fontfamily><param>Helvetica</param>Prioritize
Business Associates for Audit

</fontfamily></bold><fontfamily><param>Geneva</param>A health plan
that has secured audit rights in its agreements should consciously
determine the extent to which it will exercise those rights, because,
given the time and expense required for business associate audits, the
health plan likely will find it impractical (or impossible) to audit
all of its business associates on a routine basis.

In determining which business associates to audit, it is crucial for
the covered entity to understand the manner in which member PHI flows.
The mere fact that a business associate receives and stores
participant PHI may not warrant auditing that business associate. For
instance, a covered entity's accountants or attorneys may be business
associates. However, there typically is little outflow (if any) of
participant PHI from these entities, so disclosure risks are
minimized. Typically, little, if any, purpose would be served by
auditing such business associates. In contrast, business associates
that are active in processing and sending PHI to other entities are
likely to merit priority.

</fontfamily><bold><fontfamily><param>Helvetica</param>Identify Any
"Downstream" Business Associates

</fontfamily></bold><fontfamily><param>Geneva</param>Outsourcing work
to foreign countries has become common in many industries as a way to
lower labor costs. However, off-shoring PHI creates risks beyond those
involved in sharing PHI with domestic "downstream" vendors. One
notorious example occurred in 2003 when a woman in Pakistan who had
been subcontracted to transcribe medical records threatened to post
PHI on the Internet unless she was paid money she allegedly was owed.
In that case, neither the covered entity, nor its business associate,
knew PHI had been off-shored. A domestic subcontractor a few levels
"downstream" from the "primary" business associate had off-shored the
PHI without their knowledge. The incident highlights the need to know
who your business associates subcontract with and to be able to follow
your members' PHI all the way downstream. While the scenario that
occurred in Pakistan could also happen at the hands of a domestic
vendor's disgruntled employee, it is more risky if it occurs in a
country where U.S. privacy laws or contracts are essentially
unenforceable.

As the above example demonstrates, understanding the chain of entities
that receives member PHI from a business associate is necessary to
determine whether the business associate agreement has been followed.
Just as the health plan retained the services of the business
associate, so too the business associate may have retained the
services of a "downstream" business associate. While the
appropriateness of the business associate's so doing may turn on the
particular language of the business associate agreement, the Privacy
Rule prohibits the agreement from authorizing the business associate
to use or further disclose PHI in a manner that would violate the
requirements of the Privacy Rule, if done by the health plan, except
that the agreement may permit the business associate to use and
disclose PHI in certain situations for the proper management and
administration of the business associate as provided by 45 C.F.R.
§ 164.504(e)(4). Additionally, the business associate agreement must
provide that the business associate will not use or further disclose
PHI other than as permitted or required by the agreement or as
required by law. Notwithstanding such limits, it is quite possible
that the health plan's business associate may have disclosed member
PHI to a downstream business associate. Therefore, a health plan
should consider including agreement provisions requiring its business
associates to identify all parties to whom the business associates
disclose member PHI and to provide copies of the agreements between
those parties.

</fontfamily><bold><fontfamily><param>Helvetica</param>Conclusion

</fontfamily></bold><fontfamily><param>Geneva</param>Although not
expressly required under the Privacy Rule, health plans should
consider whether to negotiate audit rights in their business associate
agreements and whether alternatives to full-scale auditing may be
appropriate. From both business and compliance perspectives, it makes
sense for a health plan to take carefully designed steps to address
the risk that its business associates may not adhere to their
obligations to properly protect member PHI.


For more information, please contact
Dorthula H. Powell-Woodson
at 202.719.7150 or
dpowell-woodson@wrf.com
and Steven D. Morgan at
202.719.7517 or
smorgan@wrf.com.



Copyright 2005. Wiley Rein & Fielding LLP.

</fontfamily>
