Is OCR Moving the Goal Posts on Vendor Management?
Recent statements at the 27th National HIPAA Summit suggest that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may be changing its position and expecting a greater level of vendor due diligence under HIPAA. Although surprising to many, the HIPAA regulations do not specifically require vendor due diligence or monitoring. Rather, HIPAA requires a business associate agreement (BAA) and that the covered entity take action upon learning of a business associate’s pattern of activity or practice in breach of the BAA. The same is true with respect to the relation between business associates and their subcontractors.
Where We Have Been
The Privacy Rule that initially was proposed in 1999 included a requirement that covered entities implement policies and procedures to monitor their business partners and take reasonable steps to ensure their compliance. In the final rule that was issued in 2000, however, HHS changed its position, providing that a covered entity does not need to monitor its business associates or ensure their compliance, but rather needs to take action only upon learning of a violation of a BAA:
In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract, in the following ways. We delete the proposed language requiring covered entities to “take reasonable steps to ensure” that each business associate complies with the rule’s requirements. Additionally, we now require covered entities to take reasonable steps to cure a breach or terminate the contract for business associate behaviors only if they know of a material violation by a business associate. In implementing this standard, we will view a covered entity that has substantial and credible evidence of a violation as knowing of such violation. While this standard relieves the covered entity of the need to actively monitor its business associates, a covered entity nonetheless is expected to investigate when they receive complaints or other information that contain substantial and credible evidence of violations by a business associate, and it must act upon any knowledge of such violation that it possesses.
The Privacy Rule includes a requirement to implement reasonable safeguards to protect the privacy of protected health information. Arguably, this could be interpreted to require some level of vendor due diligence and monitoring, but we have not seen evidence that OCR historically has expected more than merely obtaining compliant BAAs and taking action upon learning of business associate non-compliance. OCR has indicated in guidance on cloud computing that the Security Rule requires that a covered entity include in its risk analysis risks related to business associates, but that is significantly different from a due diligence or monitoring requirement.
Other Agencies' Approaches
OCR’s past approach to HIPAA contrasts with other statutory and regulatory approaches. For example, in the Matter of GMR Transcription, the Federal Trade Commission brought a complaint against the company for not taking “adequate measures to monitor and assess whether [a subcontractor] employed measures to appropriately protect personal information.” The Massachusetts law governing the security of personal information requires “[t]aking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations.”
A Changing Position?
In a keynote speech at the 27th National HIPAA Summit in March 2017, Serena Mosley-Day, OCR’s Acting Senior Advisor for HIPAA Compliance and Enforcement, suggested in her remarks that HIPAA does require a certain level of vendor due diligence. She indicated that a covered entity may not need to perform thorough due diligence, such as reviewing evidence of a compliance program, for a well-known and established cloud services provider. In contrast, she indicated that a covered entity may need to perform due diligence of a lesser known entity, such as a newly established company, to determine that it has appropriate safeguards in place. Mosley-Day highlighted a particular enforcement case, when a covered entity provided protected health information to a person claiming to provide free digital conversion services for radiology images (in exchange for the right to recover the images’ silver content) without first obtaining a BAA or doing any due diligence. HIPAA clearly requires a covered entity to enter into a BAA; however, the due diligence obligation is less clear.
Reasonable due diligence and monitoring of business associates always has been a good idea, especially since the Breach Notification Rule, which can lead to a covered entity suffering significant financial and reputational harm due to a business associate’s actions. But, historically, due diligence has not seemed to be a requirement under HIPAA. Mosley-Day’s informal remarks suggest that this may be changing.
Granted, an agency official’s statements at a presentation should not be treated as formal agency guidance. At a future OCR presentation, the agency could take a view more in line with its past policy. But, in the meantime, OCR’s recent statements suggest that it may be expecting a greater level of vendor due diligence under HIPAA, where merely obtaining a BAA may not be sufficient.
Next Steps
Where does this leave covered entities and business associates? If they are not already doing so, they should evaluate the existence and effectiveness of their vendor management process. What checks are in place to reduce the risk of providing protected health information to a vendor that does not have adequate privacy and security safeguards? Organizations may wish to take a risk-based approach, determining risk based on factors such as independent assessments, reputation and resources, amount and type of protected health information that will be accessible, and security questionnaires. Organizations then can focus their due diligence efforts on business associates that appear to be higher risk.