Now that the HITECH Act and the Omnibus Rule have made covered entities potentially liable for breaches by their business associate, see Compliance Hit: Expanded Liability for Business Associates’ Breaches: HIPAA & HITECH Act Blog by Jonathan P. Tomes on February 11, 2013, available at http://www.veteranspress.com/another-compliance-hit-and-a-big-one-expanded-liability-for-business-associates-breaches-hipaa-hitech-act-blog-by-jonathan-p-tomes, the question arises whether you as a covered entity have a duty to audit your business associates for HIPAA compliance.

Clearly, they don’t have a legal duty under HIPAA and HITECH. No provision of those statutes or of the Omnibus Rule implementing the HITECH Act, after the change in the business associate (“BA”) relationship, directly imposes a duty on covered entities to audit their BAs’ compliance. 45 C.F.R. § 164.504(e) requires only a business associate agreement (“BAA”) and imposes covered entities’ compliance requirements “downstream” on BAs. Of interest is the specific deletion in the December 2000 Privacy Rule of a requirement for active monitoring of BAs in the 1999 proposed regulations. The 2000 Final Rule says, “In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract . . . . [T]his standard relieves the covered entity of the need to actively monitor its business associates . . . .”

Consequently, there is no explicit legal duty for covered entities to audit BAs for compliance and no language that would appear to contain an implicit requirement to do so. But does a business reason exist to do so? This question seems to bring me back to my favorite HIPAA topic—that is, risk analysis. Perhaps, a covered entity or upstream BA who may be liable for the breaches of its subcontractors should perform a risk analysis of its BA relationships and determine whether such audits are reasonable and appropriate, similar to the different kind of risk analysis that I discussed in my July 29, 2018, blog post of what degree of compliance was reasonable and appropriate for covered entities and BAs, available at http://www.veteranspress.com/hipaa-risk-analysis. But certainly, problems exist in performing such audits. Are you competent to perform one? Or will you have to hire an outside consultant to perform an effective audit? And do you have the time to do it yourself when you may have dozens of BAs, or do you have the funds to hire someone to do the audits? And if you are using IBM Cloud Services, for example, are they likely to agree to allow you to perform such audits on them? They don’t need your business that badly.

And in addition to the issues noted immediately above, doesn’t a legal risk or two exist in performing such audits? First, for example, as a former litigator, I could certainly come up with a legal theory that a covered entity that was not otherwise liable for a breach was liable because the covered entity had not conducted a proper audit of the BA and had not required the BA to upgrade the relevant security measures. See my February 18, 2013, blog post, “You’d Better Not Control Your Business Associate’s Performance!” available at http://www.veteranspress.com/youd-better-not-control-your-business-associates-performance-hipaa-hitech-act-blog-by-jonathan-p-tomes. Second, for example, too much control by the covered entity or the upstream BA over the BA’s day-to-day performance of its duties under the BAA can subject the covered entity or the upstream BA to such liability.

Yes, this question amounts to a damned-if-you-do/damned-if-you-don’t dilemma. Rather than auditing, unless your risk analysis demonstrates unusual circumstances necessitating same, we suggest that you consider taking the following steps:

• Make certain that the entities that you intend to use to perform services for you or on your behalf are BAs. Perhaps, they fall under the “mere conduit” rule, under which entities are not BAs, even though they transmit protected health information (“PHI”) and thus have contact with it, if they don’t have routine access to it and do not intend to disclose it other than transmitting it to the intended recipient. Such services as internet service providers, couriers and their electronic equivalents, and the U.S. Postal Service are unlikely to be BAs.
• Make certain that you have a current HITECH Act and Omnibus Rule compliant BAA in place containing all of the required terms.
• Before entering into a BAA, at least ascertain that the BA has conducted (and updated as necessary) a written risk analysis. I would be very leery of using one that had not done so.
• You could also try to ascertain before employing a BA whether the BA has had any breaches of privacy or security in the last five years and what, if anything, resulted therefrom.
• Consider what other terms in a BAA could help protect you from breaches by the BA, such as indemnification clauses, a requirement to maintain data breach insurance and cyber liability insurance, a representation that the BA and its workforce will comply with the Security Rule and applicable provisions of the Privacy Rule, and (if appropriate) a limitation on what subcontractors can and cannot be used, such as, for example, a requirement of no foreign entities.
• Suggest that BAs visit my (and others’) HIPAA blogs to keep up on HIPAA developments, particularly new and developing risks.

Parenthetically, some BAs have had my HIPAA compliance consulting company, EMR Legal, audit them so that they can show potential customers their EMR Legal Certificate of HIPAA Compliance as a Business Associate. They use that certificate as a marketing tool. Even if I were wrong to issue such a certificate, which is highly unlikely, the covered entity would be protected in having reasonably screened the BA’s level of compliance before having engaged the BA.

We believe that it would be a rare case in which a covered entity or an upstream BA would need to audit a BA, but that a covered entity or an upstream BA should consider the above bullets.

Alice here: Consider looking through Jon’s books, templates, and other compliance tools available at http://www.veteranspress.com/products/hipaa-hitech-compliance-tools. As we always emphasize, make sure that your risk analysis is up to date, especially if you are contemplating adding a BA to provide services for you or on your behalf, and as Jon mentioned above, analyze the risk(s), if any, of such BA(s). Draft and implement a policy as to how to go about retaining a BA, including a compliant BAA and a reasonable and appropriate decision based on your risk analysis as to whether to conduct a risk analysis of or for your BA(s). Train your workforce members on who is responsible for hiring BAs, what your procedures are for hiring BAs, whether the organization would conduct risk analyses of BAs, and who, if applicable, would conduct such risk analyses. Also, consider signing up for Jon’s upcoming webinar, “How to Handle HIPAA Security Incidents, Breaches, Complaints, and Investigations to Avoid Writing That Expensive Check to DHHS,” which will begin at noon CDT on Tuesday, August 14, 2018. You can sign up for it at https://www.educator-one.com/how-to-handle-hipaa-security-Incidents-breaches-complaints-and-investigations. We will keep you posted on Jon’s upcoming webinars as we get the details on them from the various webinar companies. Check our website for updates at http://www.veteranspress.com/hipaa-training-seminars. As always, thank you for reading Jon’s blog, buying his books and other HIPAA compliance tools, signing up for Jon’s webinars, and hiring us to help you. If you need help, contact us at jon@veteranspress.com. We wish you every success in achieving your HIPAA compliance objectives.