How to Avoid Multi-Million-Dollar HIPAA Phone & Data Penalties

Mike Semel

Why is There Still So Much Confusion, Denial, and Deception?

The Office for Civil Rights just announced a $3 million penalty against Touchstone Medical Imaging, partly because Touchstone “failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.”

This is the first penalty that clearly states third-party data centers are Business Associates. Third Party data centers can include co-location facilities where you store your own servers and network devices; and cloud services that allow you to configure and manage your own servers using infrastructure they own. Other cloud services provide software-as-a-service, like Microsoft Office 365, cloud-based Electronic Health Record systems, and cloud-based Voice Over IP (VOIP) phone services that record messages, record calls, and convert voice messages to emails.

Because Voice Over IP (VOIP) phone services offer voice messaging, call recording, and their support staff has access to on-premise and cloud-based systems, they are HIPAA Business Associates if messages or call recordings contain PHI. 

Most VOIP systems and hosted services were never built for encrypted data, encrypted transmissions, and HIPAA compliance. Converting to a compliant platform can be very expensive and time-consuming. A VOIP vendor told one of our clients they could make their system HIPAAcompliant quickly. It ended up taking nine months, including several missed deadlines, causing our client to choose another VOIP vendor that was already HIPAA-compliant.

IT Support vendors include local IT service providers, telephone system support companies, help desk services, Network Operation Centers (NOCs) and Security Operation Centers (SOCs). These services either come on site or remotely access your network and phone system for management, maintenance, and repairs. Some may be subcontractors to the company you pay for support. 

HIPAA compliance is a binary choice. You either are or aren’t compliant. Under HIPAA, Covered Entities and Business Associates are responsible for the actions of their vendors. North Memorial Health Care paid $ 1.55 million after a vendor had a laptop stolen. 

Cottage Health has been sued by its insurance company for $ 4.1 million, paid a $ 3 million federal HIPAA penalty, and paid $ 2 million to the California Attorney General after a vendor caused a data breach. 

Is it worth risking millions of dollars by continuing to work with a non-compliant vendor because you like them, you have been working with them for a long time, or it would be inconvenient and costly to change to a compliant vendor? These are all excuses we have heard from clients who are resistant to ending their relationship with a vendor that refuses to comply with HIPAA.

The Omnibus Final Rule changed HIPAA six years ago. The Office for Civil Rights – the HIPAA enforcement agency – published its cloud service guidance three years ago. So why is there still so much confusion, denial, and (unfortunately) deception with phone service vendors and data centers? 

Before 2013, companies that supported health care providers and health plans simply had to sign a Business Associate Agreement that committed them to keeping confidential any Protected Health Information (PHI) they ‘accessed’. Based on the original HIPAA law, Business Associates were out of the reach of HIPAA enforcement and could not be penalized for breaches and compliance violations.

That all changed with the HITECH Act of 2009 and the 2013 HIPAA Omnibus Final Rule. The definition of a Business Associate changed to include organizations that ‘maintain’ PHI, meaning any business that stores PHI must comply with HIPAA.

Further, the HITECH Act made Business Associates directly liable for breaches they cause and required them to implement similar HIPAA compliance programs to what Covered Entities are required to do. This means that Business Associates must sign Business Associate Agreements AND comply with the Privacy, Security, and Breach Notification Rule requirements. 

 

NOTE: In May 2019 the Office for Civil Rights that enforces HIPAA released its Business Associate Liability Fact Sheet that clearly states that all Business Associates must comply with the HIPAA Security Rule. Click here for more information.

 

Business Associates must provide HIPAA training to their workforce members, adopt written HIPAA Policies and Procedures, conduct a Security Risk Analysis and implement HIPAA-compliant security controls, including encryption of electronic PHI at rest (stored) and in transit (across the Internet or in email). We helped a cloud-based healthcare analytics service – a Business Associate – survive a federal HIPAA compliance review.

CONFUSION 

The language in federal laws and agency rules can be confusing. Add to that confusion a vendor’s selfish desire to interpret the rules in their favor so they can sell more and keep their costs down. This is one reason we look to the OCR’s Guidance on HIPAA & Cloud Computing and enforcement documents to best understand what the compliance requirements really mean. 

Someone paying a $ 3 million fine for not having a business associate agreement with “a thirdparty data center provider as required by HIPAA” leaves little to be interpreted.

DENIAL 

Compliance costs money. For some VOIP vendors it can cost a lot. Six years after the rules changed, some Voice Over IP (VOIP) vendors still deny they have to comply as Business Associates by claiming they are a ‘conduit’ that simply transmits PHI across their system in live calls. They would be right if they didn’t offer voice messaging and call recording, and if they never accessed their client’s systems or data when they need support. 

One of our clients used a third-party data center that claimed it was not a Business Associate because our client’s equipment that stored PHI was in a locked rack that they could not access. The OCR’s cloud service guidance says that a service is a Business Associate even if data is encrypted and they have no access to the encryption key, much stronger data protection than a simple lock on a data center cage or rack. 

Besides, all you have to do is stop paying your data center bill to see how fast the data center staff will break into your cage or rack to move your equipment so it can rent the space to someone else.

DECEPTION

A Business Associate Agreement (BAA) is the written agreement that defines how a Business Associate will comply with HIPAA. 

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. (US Dept of Health & Human Services) 

The BAA defines how “A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.” So, you would assume that a vendor sending you a Business Associate Agreement to sign acknowledges that it is a Business Associate, right? 

In 2017 (after the OCR cloud service guidance came out) Jive Communications sent its Business Associate Agreement to one of our clients. It starts out saying “The Customer is subject to the requirements of the Health Insurance Portability and Accountability Act and wants to comply with the requirement to sign an appropriate agreement with each of its Business Associates (as that term is defined in 45 CFR § 160.103).”

So far so good. 

Then, throughout the BAA, Jive Communications refers to itself as a “conduit” that is exempt from HIPAA’s requirements for Business Associates. Jive says it “acts as a conduit for the transmission of data and does not require access to PHI on a routine basis.” Jive appears to be denying its obligations as a Business Associate to protect voice messages and recorded calls stored in its systems, which are protected data files just like electronic medical records.

Surprisingly, this means that you must carefully review Business Associate Agreements to make sure the vendor doesn’t use one to deny its status as a Business Associate! That is why our client moved from Jive to a HIPAA-compliant VOIP vendor.

LESSONS LEARNED

  • If you are a HIPAA Covered Entity or Business Associate, you can only do business with HIPAA-compliant IT support and telephone system support vendors.
  • If you are a HIPAA Covered Entity or Business Associate, you can only do business with HIPAA-compliant data centers, cloud services, and VOIP vendors.
  • Require your data center, cloud services, and phone vendors to sign Business Associate Agreements. 
  • Have an attorney review any vendor-supplied Business Associate Agreements to ensure the vendor isn’t using it to deny their Business Associate obligations. 
  • Don’t rely on a vendor’s advertising, meaningless seals of compliance, or statements like “We have lots of healthcare clients” to assume the vendor is compliant. Assess their willingness to sign a Business Associate Agreement. Demand evidence they have provided HIPAA training to their staff, have written HIPAA Policies & Procedures, have a current HIPAA Security Risk Analysis, and that they deliver HIPAA-compliant services. The best proof comes from an independent third-party assessment of the vendor’s compliance. 
  • The risks are in the millions of dollars if your vendor isn’t HIPAA-compliant. Protect the people you serve, your organization’s reputation and finances, and your career by being willing to switch away from non-compliant vendors. 
  • Or, get out a blank check, make it out to the Office for Civil Rights, and be prepared to write small so you an include a lot of zero’s in your penalty amount.