Paubox blog: HIPAA compliant email made easy

Who is responsible for a data breach?

Written by Tshedimoso Makhene | June 22, 2024

Aptihealth, a behavioral healthcare provider, recently notified nearly 20,000 patients of a data breach that occurred at Sisense, an Aptihealth data analytics services provider. 

According to HIPAA, covered entities are entities (healthcare providers, healthcare clearinghouses, or health plans) that transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. On the other hand, business associates are entities that engage in activities involving PHI on behalf of a covered entity. "By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers," says the HHS.

Every entity is assigned specific roles and responsibilities to safeguard protected health information (PHI). However, if there happens to be a data breach, it becomes crucial to determine each party's respective accountability.


Covered entities: who they are and what they do

Definition of covered entities

Covered entities include:

  • Health plans: Entities that provide or pay the cost of medical care, such as health insurance companies, health maintenance organizations (HMOs), Medicare, and Medicaid.
  • Healthcare clearinghouses: Organizations that process nonstandard health information received from another entity into a standard format (and vice versa). This includes billing services and repricing companies.
  • Healthcare providers: Any provider of medical or health services that transmits health information in electronic form in connection with transactions for which HHS has adopted standards, such as hospitals, doctors, and clinics.

Go deeper: How to know if you’re a covered entity


Key responsibilities of covered entities

Covered entities have a broad range of responsibilities under HIPAA, encompassing the Privacy Rule, Security Rule, and Breach Notification Rule. Let's break down each of these areas:


Compliance with HIPAA Rules

Covered entities must:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI).
  • Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
  • Guard against reasonably anticipated uses or disclosures of ePHI not permitted by the Privacy Rule.
  • Ensure workforce compliance with these safeguards.


Privacy Rule

The HIPAA Privacy Rule sets standards for the protection of PHI. Covered entities must:

  • Develop and implement policies and procedures to protect PHI.
  • Train employees on privacy practices and the proper handling of PHI.
  • Provide patients with access to their PHI and the ability to request corrections.
  • Obtain patient consent for uses and disclosures of PHI not related to treatment, payment, or healthcare operations.
  • Implement safeguards to prevent unauthorized use or disclosure of PHI.
  • Designate a privacy officer responsible for developing and implementing privacy policies.


Security Rule

The Security Rule focuses specifically on ePHI and requires covered entities to:

  • Conduct a risk assessment to identify potential risks and vulnerabilities to ePHI.
  • Implement administrative, physical, and technical safeguards to mitigate identified risks.
  • Develop and enforce security policies and procedures.
  • Ensure that employees comply with these policies and procedures.
  • Regularly review and update security measures as needed.
  • Create a contingency plan to respond to emergencies affecting ePHI.


Breach Notification Rule

In the event of a breach of unsecured PHI, covered entities must:

  • Notify affected individuals without unreasonable delay, and no later than 60 days following the discovery of the breach.
  • Inform the Secretary of HHS immediately if the breach affects 500 or more individuals. If fewer than 500 individuals are affected, an annual report is required.
  • Notify prominent media outlets if the breach affects more than 500 residents of a state or jurisdiction.

Learn more: FAQs: HIPAA covered entities


Business associates: who they are and what they do

Definition of business associates

A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of PHI. Examples include:

  • Third-party administrators handling claims processing.
  • Billing companies.
  • IT service providers managing health information systems.
  • Consultants performing utilization reviews.
  • Cloud storage providers hosting ePHI.

Go deeper: How to know if you’re a business associate


Key responsibilities of business associates

While business associates are not directly involved in patient care, their responsibilities under HIPAA are critical for the protection of PHI. Their duties include compliance with the business associate agreement (BAA) and relevant HIPAA rules.


Compliance with HIPAA Rules

Business associates must:

  • Adhere to the terms specified in the BAA with the covered entity.
  • Implement safeguards to protect ePHI.
  • Report any breaches of unsecured PHI to the covered entity promptly.


Privacy Rule

Business associates must:

  • Use or disclose PHI only as permitted by the BAA or as required by law.
  • Ensure that subcontractors who handle PHI agree to the same restrictions and conditions.


Security Rule

Business associates are required to:

  • Implement administrative, physical, and technical safeguards to protect ePHI.
  • Ensure that subcontractors implement similar safeguards.
  • Conduct regular risk assessments and take measures to address identified risks.
  • Develop and enforce security policies and procedures.


Breach Notification Rule

In the event of a breach, business associates must:

  • Notify the covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 days following the discovery of the breach.

Learn more: FAQs: HIPAA business associates


Who is to blame for a breach?

Determining who is to blame for a breach of PHI depends on the specific circumstances surrounding the incident. If the breach occurs because a covered entity was negligent or failed to implement and maintain appropriate safeguards, the covered entity is held responsible. Conversely, if the breach happens because a business associate failed to uphold the terms of the BAA and HIPAA regulations, the business associate is at fault. Both parties are responsible for maintaining the security of PHI within their respective roles, and accountability is assessed based on whose actions or inactions led to the breach.

Identifying the responsible party allows for a clear understanding of where the security failure occurred, whether with the covered entity or the business associate, facilitating appropriate corrective actions to prevent future breaches. Additionally, determining blame can influence the legal and financial consequences faced by the responsible party, including fines and penalties imposed by regulatory bodies. 

It is also important to know what to do once a breach has been identified, starting with containing and mitigating it. Affected individuals and relevant authorities must then be notified promptly (no later than 60 days following discovery), and a thorough investigation conducted to understand the cause and prevent future occurrences. Implementing corrective actions and improving security measures are essential to restoring trust and compliance.


FAQs

Why is it important for healthcare providers to understand the roles of covered entities and business associates?

Understanding these roles helps healthcare providers comply with HIPAA regulations, protect patient information, and avoid legal and financial penalties. It also promotes effective collaboration and clear communication between covered entities and their business associates, ensuring the security and confidentiality of PHI.


Can a covered entity also be a business associate?

Yes, an organization can be both a covered entity and a business associate, depending on its functions and relationships with other covered entities.


How can covered entities and business associates ensure compliance with HIPAA?

To ensure compliance with HIPAA, covered entities and business associates should:

  • Conduct regular risk assessments.
  • Implement and enforce comprehensive policies and procedures.
  • Provide ongoing training to employees.
  • Use encryption and other technical safeguards.
  • Regularly review and update security measures.
  • Execute and monitor compliance with business associate agreements.

Go deeper: The 12 steps to HIPAA compliance