Known non HIPAA compliance

thenetworksmith

I have an issue with one of my clients. They are a medical office and clearly fall under HIPAA CE rules. I am providing them managed services but they refuse to follow some of my recommendations regarding email usage, backup encryption and network security. I have also asked that they provide me with a BAA to sign but they have not. I do have a generic BAA that I could provide them for both of us to sign but I am hesitant because I want them to understand their part in HIPAA compliance.

My fear is that if they do have a breach or are audited then I would be held responsible. As I see it I have a couple of options:
  1. Drop them as a client
  2. Do nothing (am I liable if they do not require me to sign a BAA and I do not have a written contract with them)
  3. Document the state of their network (as I would with any HIPAA CE client), denote where I feel there are shortcomings and what my recommendations are. Then have them sign this along with a BAA that I provide. (I know that my network and procedures are compliant so I don't have a problem signing the BAA)
 
You should probably talk to your underwriter about this. Maybe even spend a little money and talk to a lawyer.

You are correct in that they are the one who must provide you with the BAA to sign. Filled out with your and their business names. I'm working on a small practice right now getting them up to compliance. In my case I'm lucky as the owner understands the importance of this and is doing everything as needed. He had no BAA so I just emailed him a link to a sample. He just edited it and I signed it.

Do you have an actual MSP agreement signed? If so, from what I understand, then the only thing you are on the hook for is what is listed in the MSP agreement. If you do not have a signed contract you will probably still be held liable for the things you cover.

The reason why I said talk to your underwriter is that this HIPAA stuff may not fall under your GL policy. And you will probably need to have E&O.
 
Run as fast as you can away from them if they refuse to do what is required by HIPAA. In the end you will end up with all of the blame no matter how much you have it documented when a breach occurs.
 
In our SLA/MSP agreement, we have a paragraph that can be used as the BAA, but it is limited because it's very very very generic, and basically says "Volcano Insurance, Volcano Insurance, Volcano Insurance" for 50 lines. No...no it does not actually. But it is quite generic and states that we don't transfer or store CE information, that's their problem. And any passwords we have are strictly for the systems and not the software, and those passwords are transmitted through encryption and stored encrypted on our systems...and then "Volcano Insurance, Volcano Insurance, Volcano Insurance" for 50 lines.

There is a blurb in our agreement as well, thanks to our lawyer for adding it in there, that states that while that paragraph is in there, and does quasi-count towards the BAA agreement, it is at the discretion of the client to provide a more thorough BAA for us to sign if they so choose, and we can provide one as well.

You should probably talk to your underwriter about this. Maybe even spend a little money and talk to a lawyer.
Seriously talk to your insurance agent. I couldn't agree with Mark more here. Once you are done with your insurance agent, go ahead and call your lawyer for a little chat about this as well. Hopefully they are a commercial lawyer with some HIPAA knowledge and can really guide you through this one.


they refuse to follow some of my recommendations regarding email usage, backup encryption and network security.
As for this part, document everything. They refuse it, time and date that. They refuse it again, same thing. Build up a log book of them telling you they don't want to switch from Gmail as their email provider. Also, consider giving them the ultimatum. I've told an ex-client that if they don't support me in getting their practice to compliance, and approve the work that needs to get done, then I walk and take all my toys with me. I explained to them that I'm not going to have them sue me because they told me no 6 months ago about swapping out dropbox for something else, and getting the field laptops that are used encrypted. They said "we wouldn't sue you if that happened". If I take their word for it that they wouldn't sue me or at least attempt, I would voluntarily be walking up the gallows and trusting them not to pull the lever. Not a risk I'm willing to take.

I talked to my lawyer prior to pulling the plug (removing the agents, AV, etc.), he said I had to give them the 30-day notice (as per the agreement) first and that was all. After that, I can pack it up and head home, it falls on them after that to have a game plan.

I want them to understand their part in HIPAA compliance.
We all do. But if they are so wrapped up in the "costs" of now and not the "costs" of tomorrow, then you will never get through to them. If they simply don't care, then they won't care until it is too late. I say drive the message home, give them an ultimatum with a very tight deadline. So tight in fact that it cuts off the circulation to their brain and they simply say yes or no. The longer you drag this out, the higher the chance you will get pulled down with them when something happens.

Do nothing (am I liable if they do not require me to sign a BAA and I do not have a written contract with them)
Yes, yes, and yes. They don't require you to sign a BAA, but the federal government does. According to the law of the highest governing body, if the top requires it, the bottom must do it. Agreement in place or not, it's your skin. While the government will first go after them, they will turn around and sell you out (either because they are being honest or to sue you to recover some of the fines they are going to be paying). Always have a written agreement in place. If you don't CYA, then that paddle is going to hurt a lot more.
 
I keep the e-mails/proposals I have given them, that state the steps I wish them to take towards compliance.
I recommend encrypting laptops that leave the office..they say "no...too expensive"...I have that e-mail stored.

IMO, document your proposals, and their acceptance and denials. You've made effort to bring them to compliance, you have an audit trail of their refusals.
 
Good recommendations above and remind them that each breach covered under HIPAA can result in a $50K federal fine per individual (some states pile on to that) whose PHI is inadvertently disclosed. If they are insured against that possibility then it is really between them and the insurance company.
 
I would drop them honestly.

2 reasons.

1 - They aren't following something they are legally required to. I don't want to get messed up with it, or have an insurance company suing me for not forcing the issue.

2 - If they won't spend the money to get HIPAA compliant, then I have no faith they will pay me when I need to do emergency work, replace equipment etc.

IMHO this client is bad news.
 
I recommend encrypting laptops that leave the office..

I have a single client who has a solo practice. I bitlockered her whole HDD with 256 AES and her client info goes on a bitlockered virtual drive on that HDD, so if I need to service the laptop, I have no access to the PHI at all. The encrypted VHD gets backed up to Google Drive on a Google Apps account, with all unneeded Google apps turned off. Gmail for the account is only for back and forth with Google, she only sets appointments via email and that's a different email account. The HDD gets imaged to her portable drive. I have no BAA with her.

Am I missing anything?
 
I'm a PACS Admin at a hospital in Los Angeles.

I would do number 3 and if they refuse, number 1.

HIPAA has some very expensive fines. Eight years ago, I was consulting for a doctor and she would not upgrade to the latest version of Lytec Medical. I did mention the possible fines and she still refused. Long story short, she was fined $30,000 and couldn't practice until she upgraded (about six weeks). That's a lot of money.
 
No. Didn't even think of that, thanks!

I know what BitLocker is..but I'm not familiar with managing it. However....years ago I used to have some clients that had encrypted laptop fleets on individually encrypted laptops.

In talking with our resident HIPAA expert here, David, from HIPAAFORMSPS.COM we talked about laptop encryption, and he mentioned the ability to "prove it". If a laptop gets reported lost/stolen, and the state Atty General comes knocking on the door..asks you if the laptop was encrypted...you say "Yes"...and he replies "OK..prove it!". What's your answer?

So...got me to thinking. Right away, laptops that were individually encrypted...I took pictures of their bootup screen with the HDD password prompt....also showing the laptop host name. BUT...that wasn't good enough, I could be asked "OK...so it was encrypted 2 years ago when you took this picture, but how do we know it was not rebuilt..and you forgot to encrypt it, and it was encrypted yesterday when it was stolen?"

SO.....I went finding an encryption service for MSPs....and so far, I am using AlertSec.
I have a web based login portal, where I can see the status of my clients laptops...as they check in each day, and provide a report of their state of encryption.

I also will only support FDE..Full Disk Encryption, not just certain directories. This way I can't be asked to prove that someone didn't randomly have various data and documents here and there on their drive..and have to prove that those directories were encrypted. Yup..the whole damn disk is encrypted..I can prove it, and I don't care where they keep their data.
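As an added illustration of the "prove it" problem in this post and of the BitLocker setup described earlier in the thread, here is a PowerShell script (written for this page, not code from the thread or from AlertSec) that records the BitLocker state of every fixed volume each day and appends it to a hash-chained log, so the encryption status on the day a laptop went missing can be shown later. It assumes Windows 10/11 with the BitLocker module, PowerShell 5.1 or later, an elevated session, and an assumed log path that the MSP collects centrally.

```powershell
# Added example, not from the thread or any vendor: daily full-disk-encryption evidence record.
# Assumes Windows 10/11 with the BitLocker module (Get-BitLockerVolume), PowerShell 5.1+, run elevated.
param(
    [string]$LogPath = "$env:ProgramData\MSP\fde-evidence.jsonl"   # assumed location; collect it off the machine
)

# Fixed volumes only. Removable drives also report as 'Data'; filter them with Get-Volume if needed.
$vols = @(Get-BitLockerVolume | Where-Object { [string]$_.VolumeType -in @('OperatingSystem', 'Data') })

$volumeRecords = @(foreach ($v in $vols) {
    [ordered]@{
        MountPoint       = $v.MountPoint
        VolumeType       = [string]$v.VolumeType
        VolumeStatus     = [string]$v.VolumeStatus       # evidence requires 'FullyEncrypted', not in progress
        ProtectionStatus = [string]$v.ProtectionStatus   # 'On'; 'Off' means protectors are suspended (clear key on disk)
        EncryptionMethod = [string]$v.EncryptionMethod
        KeyProtectors    = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    }
})

# "Whole disk" means the OS volume itself is encrypted, not just a data directory or a VHD on it.
$hasOs  = @($volumeRecords | Where-Object { $_.VolumeType -eq 'OperatingSystem' }).Count -gt 0
$allFde = @($volumeRecords | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' }).Count -eq 0

# Link each record to the SHA-256 of the previous line so an edited or deleted history is detectable.
$prevHash = 'GENESIS'
if (Test-Path -Path $LogPath) {
    $last = Get-Content -Path $LogPath -Tail 1
    if ($last) {
        $bytes    = [Text.Encoding]::UTF8.GetBytes([string]$last)
        $prevHash = (Get-FileHash -InputStream ([IO.MemoryStream]::new($bytes)) -Algorithm SHA256).Hash
    }
}

$record = [ordered]@{
    Timestamp = (Get-Date).ToUniversalTime().ToString('o')
    Host      = $env:COMPUTERNAME
    Compliant = ($hasOs -and $allFde)
    Volumes   = $volumeRecords
    PrevHash  = $prevHash
}
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force
Add-Content -Path $LogPath -Value ($record | ConvertTo-Json -Compress -Depth 4)
if (-not $record.Compliant) { Write-Warning "$($record.Host): not fully encrypted, see $LogPath" }
```

Run it from a daily scheduled task; the chain only proves the history is intact, so the log is worth far more once it is copied off the laptop to storage the client cannot alter.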
 
My brother's doctor's office system was just hacked and everything was stolen. I told him that I hope his doctor was HIPAA compliant, but I doubt it. Just proves there are still doctors out there that feel they don't have to follow the HIPAA rules.
 
Why does the client refuse your recommendations? Are they too cheap to pay for the recommendations or is it too complicated for them to understand or use?
 
As someone who has spent 10 years in the medical field before opening my own PC repair shop:

You don't need a signed Business Associate Agreement (BAA) because you do not meet the definition of a Business Associate under 45 CFR 164.

"Technicians do not require access to PHI to perform their services, therefore they do not meet the definition of a business associate. Disclosures of PHI to technicians that occur in the performance of their duties are limited in nature. Such disclosures are incidental and permitted by the privacy rule. [See 45 CFR 164.502 (a)(1)]"

However if you sign a BAA you are saying that you need access to PHI in order to do your job, and that comes with liability if there is a breach.

If you feel their security practices are lax then make recommendations and do so in a way that allows you to prove your recommendations later (e-mail).

 
@scott_p The quote you give in your reply is not complete and therefore taken out of context. The quote should read as follows:

"...plumbers, electricians and photocopier repair technicians do not require access to PHI to perform their services..."

The ONC released further guidance in April 2015 through the publication called The Guide To Privacy & Security of Electronic Health Information. In this guide, IT is specifically mentioned as a service that can make one a Business Associate (see page 12).

Furthermore, as stated in the Omnibus Rule: "The final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate." (page 5598)

As the paragraph above points out, merely signing a BAA doesn't make one liable (though it's probably not advisable). However, most IT providers are providing the services that make them a Business Associate by definition and then making up every reason imaginable as to why they are not Business Associates. That's a dangerous denial.

It simply boils down to the services and functions that the IT professional is performing for a CE or other BA. If those services involve maintaining, creating, transmitting or receiving Protected Health Information then they are a BA. I submit that it would be unlikely that most IT providers could do their jobs without doing at least one of these functions (not impossible).

It's also prudent to note that the law states that a BA does not have to actually access the PHI, simply having persistent access to the PHI is enough. Therefore, just because an IT pro does not look at it is not reason enough to remove the BA liabilities, responsibilities and requirements. (page 5572)

There are still lots of arguable points to HIPAA and areas yet to be clarified through guidance or actions taken. However, saying IT technicians are not subject to HIPAA is clearly incorrect. The correct statement is IT technicians may or may not be subject to HIPAA based on what services or functions they are providing for HIPAA Covered Entities or Business Associates.
 