7x24 Exchange 2014 Spring Magazine - page 72

cannot demonstrate damages. With few exceptions, to prevail, plaintiffs must be able to demonstrate that the data breach caused them some form of financial harm. To the extent plaintiffs can demonstrate such harm, such as, for example, if they were victims of identity theft, then the cases become more difficult for defendants to overcome. Nonetheless, even if the defending organizations prevail, class action litigation is very costly.
What Should IT Vendors Do Now?
As a preliminary matter, data centers and other IT vendors should determine whether they are subject to HIPAA compliance. To do this, they should evaluate their existing customer base to find out: (1) whether any are healthcare providers, health plans or healthcare clearinghouses; and (2) if not, whether they provide services to entities that then provide services to these covered entities. Or, alternatively, vendors should find out whether they have executed any business associate agreements.
Vendors that are subject to HIPAA compliance, or have otherwise agreed they are by executing a BAA or a subcontractor associate agreement, must then evaluate their existing level of compliance. Generally, this is done by undertaking a Risk Analysis, which is a required element under the HIPAA Rules and a “foundational element in the process of achieving compliance.” [21]

In addition to the Risk Analysis, vendors should consider reviewing the OCR Audit Protocol and using that Protocol as an additional means of evaluating compliance. [22]
To the extent possible, IT vendors should draft their own form BAAs as opposed to executing form agreements provided to them by the covered entities or business associates, as appropriate. Generally, so-called ‘standard’ BAAs will not be appropriately limited to the services provided by the IT vendors. This is particularly true for data centers, which do not have direct contact with patients. But standard BAAs generally contain terms that require, for example, the Business Associate to provide the patient access to his/her medical records. As HHS has made clear, “business associates are liable for providing electronic access in accordance with their business associate agreements.” [23] To minimize risks, vendors should generally avoid agreeing to terms that are outside their scope of services.
Importantly, vendors must understand that these obligations cannot be ignored. HHS has made clear that responsibility for protecting PHI travels