HIPAA is more than just the Security Rule
- johnehaskell
- Mar 3
- 4 min read

"HIPAA compliant." Spend any amount of time in data privacy in the healthcare industry and you are bound to hear a potential vendor use this phrase in an effort to allay any compliance concerns a covered entity may have using that vendor. But what does the phrase mean? And should it allay any compliance concerns?
As most know, vendors who provide certain services to HIPAA-covered entities are known as "business associates." Business associates, like covered entities, are regulated by HIPAA and have to meet certain requirements and obligations. Importantly, these compliance obligations for covered entities and business associates are not siloed from one another. A business associate's failure to meet its compliance obligations can, more often than not, impact the covered entity's ability to meet its own compliance obligations, as we will see below. Knowing this, vendors attempt to allay those concerns and state that they are "HIPAA compliant."
Spend any amount of time in data privacy in the healthcare industry and you are bound to see HIPAA misspelled with two "Ps." "It's HIPAA not HIPPA" is a frequent comment you will see under articles and on social media, correcting an otherwise innocent mistake. Just as HIPAA has only one "P," it also has three rules: Privacy, Security, and Breach Notification. But just as people misspell HIPAA, people often incorrectly characterize how many rules the privacy regulation has.
Most often, when a vendor states it is "HIPAA compliant," what it means is that it has undergone a third-party assessment and the assessor has determined that the vendor meets the obligations of the Security Rule.
Two problems.
First, and more generally, compliance is an ongoing process. You don't "meet" compliance obligations on day one and then have compliance ensured on days 2, 3, 4, etc. Compliance, as most know, is an ongoing process whereby compliance is "achieved" on a daily basis. Your company ends a Monday compliant, but Tuesday presents new issues and challenges that your company must successfully navigate to meet its compliance obligations. This includes the Security Rule, which has ongoing obligations such as information system activity review.
Second, compliance with the Security Rule (aside from being a low bar to clear) doesn't mean compliance with HIPAA. Business associates have obligations under the Privacy and Breach Notification Rules, meaning that even assuming "compliance" with the Security Rule is achieved through a third-party assessment, there are still obligations under the Privacy and Breach Notification Rules. More importantly, unlike with the Security Rule, a business associate's obligations under the Privacy and Breach Notification Rules aren't likely to be discerned from reading the regulation alone.
As most know, when a covered entity wants to provide access to protected health information to its business associate, the two entities must enter into a business associate agreement ("BAA"). What the BAA must cover and what provisions it must include is found in the Privacy Rule. However, the Privacy Rule paints those requirements with a broad brush, leaving it to the covered entity and business associate to fill in the details. For example, business associates must notify the covered entity of various incidents, including any "breaches." Seems straightforward, but there's a fair amount of detail lacking. For example, is the business associate even permitted to determine whether an impermissible use or disclosure constitutes a breach? And even if it is, what is the timeframe in which the business associate must send the notification to the covered entity, given that the covered entity has sixty (60) days, at most, to send its notifications to impacted individuals? Is it even the covered entity who sends the notifications, or will the covered entity make the business associate responsible?
Answers to these questions are formulated during the BAA negotiation process, where (more often than not) the parties agree on notification timelines, on whether the business associate has the authority to determine whether an impermissible use or disclosure constitutes a breach, and on who has notification obligations.
BAAs can, and often do, go further, creating not only obligations for business associates not found in HIPAA but also restrictions not found in HIPAA. One data use issue that healthcare privacy attorneys are well aware of is offshoring (i.e., the storage or use of information by offshore assets). BAAs often contain language concerning offshoring. This language can be a complete bar on offshoring, permit offshoring but ban it within certain nation-states, require the covered entity to give prior written consent before information can be offshored, and so forth. Importantly, HIPAA is silent on the issue of offshoring, meaning it is entirely at the discretion of the parties (other state and Federal laws notwithstanding) how to handle it.
This is why proclaiming "HIPAA compliant" is a bit misleading. HIPAA compliance entails adhering to the requirements of the Privacy, Security, and Breach Notification Rules. Much of the detail on what those requirements are resides in the BAA. A vendor who has not contracted with a covered entity hasn't seen the covered entity's BAA, meaning it does not know what those details are or will be. So how can the vendor know that it will meet the requirements of HIPAA?
The point of this is not to denigrate vendors who use the phrase "HIPAA compliant" (although vendors would be wise to exercise some caution over their compliance claims) but rather to highlight for both covered entities and their would-be business associates that they should not rely on that phrase. Again, compliance is an ongoing process, and the contours of what is compliant and what is not compliant, in the HIPAA-business associate context, are largely determined by the BAA. Because the compliance fortunes of covered entities are linked to their business associates, it's important for both sides to understand what it means to be "HIPAA compliant." In fact, eschewing that phrase would be a good start. Rather than thinking about using a "HIPAA compliant" vendor, covered entities might want to think in terms of "compliantly using" a business associate.
Seems like semantics, but this subtle change helps to reframe the relationship and acknowledge that compliance is an ongoing process.