Developing and implementing a HIPAA compliance plan can often seem like preparing for a tornado on a sunny day. You’ve never had a real-world breach before and you don’t foresee an OCR audit anytime in the near future. However, as one of our clients recently discovered, it pays to be prepared because tornadoes hit unexpectedly.
One of our client’s employees recently reported a breach to the company’s Privacy Officer. The breach report stated that the company’s insurance agency (their Business Associate) accidentally sent the employee’s and his current wife’s Explanation of Benefits (EOB) to the employee’s ex-wife. Understandably, this employee wants to file a complaint. He is well within his rights to do so. The employee can file his complaint with any or all of the following:
- The Insurance Company – To file with them he must request a complaint form from the employer’s Privacy Officer
- Health & Human Services – Forms found here
- State Attorney General – Forms found online
- Insurance Commission – Forms found online
The breach was the insurance agent’s fault; however, our client hired the insurance company, so they called us with the big question:
What is their liability?
Because of the Common Law of Agency Provision, an employee reporting a matter to HHS could open the employer up to an investigation—meaning OCR could come in and do a full audit of the insurance agent (the Business Associate), and the Employer (the Covered Entity).
What is the Common Law of Agency Provision?
HIPAA’s Common Law of Agency Provision in the 2013 Omnibus ruling states that a Covered Entity is responsible for the HIPAA compliance of their Business Associates (BAs). Now, this doesn’t mean you have to follow your BAs around. After all, we contract with them to make our lives easier. What it means is that you need to do your due diligence and audit your BAs BEFORE you work with them. At a minimum, the review should include a summary of the BA’s compliance plan and employee training records.
What to do after a Real-World Breach?
If you have a breach, everyone needs to review:
- What happened?
- How did you handle the breach?
- Is this a systemic problem or just a one-time issue?
- Where was the breakdown, and how can it be mitigated going forward?
If you discover a systemic issue, the Covered Entity is responsible for terminating the relationship with the Business Associate. At that point, the Covered Entity must recover any PHI the BA maintains, or require the information to be destroyed according to the terms of the Business Associate Agreement.
What is next?
Fortunately for our client, prior to this real-world breach, they prepared a compliance plan using our Turn-Key Compliance Solution, trained their staff using our online training, and are in the process of completing the implementation of this plan. As part of that process, they put a BA Agreement in place with the insurance agent that caused the breach. The employer is prepared for an investigation led by OCR or a State Attorney General.
Need help creating your HIPAA Compliance Plan? Contact us today!