Unintended consequences: Consultants using HIPAA to strong-arm business associates

October 8, 2013

By Bob Johnson, NAID CEO

When the U.S. Federal Trade Commission (FTC) contacted NAID to help write the FACTA Final Disposal Rule, their main concern was what they called “unintended consequences.” It seems every new law has side effects. The FTC’s goal was to anticipate the bad side effects and minimize them when creating new rules. Of course, they don’t always anticipate every bad side effect and those are what they refer to as “unintended consequences.”

Over the last couple of weeks, one such unintended consequence of the new HIPAA final rule (as amended by HITECH) has surfaced: aggressive compliance consultants coercing vendors into using their services. Before reading further, please keep in mind, NAID counts among its members a number of highly reputable HIPAA consultants. To the best of our knowledge, they are ethical and provide high quality services. They should be considered trusted advisers and not among the bad actors I describe below.

That being said, here is how the bad actors are showing up.

A compliance consultant contacts the business associate (BA) providing services to the health care customer, say for instance a data destruction service. The consultant explains they provide compliance consulting services to hundreds of covered entities (CEs) in the marketplace and they are reaching out to prequalify the service provider as a BA they can recommend. But first, however, the service provider must subscribe to their risk assessment and compliance training services because that is the only way they will know the BA is worthy of being recommended. Further, and far more troubling, they say they have no choice but to blacklist the service provider if they do not use their consulting services (or those of a third party they will accept).

Forget for a minute this is a form of blackmail and consider these other troubling issues that make this tactic even more disturbing:

1. Anyone can be a HIPAA compliance consultant. Sure there are plenty of legitimate ones, but there is no law restricting such claims.
2. There is no way to know whether the consultant actually represents a large number of CEs or not.
3. They have a tendency to only accept their risk assessment and training as a legitimate validation, meaning they will not accept alternatives. We submitted the NAID BA Agreement to one of these consultants, which was created by Kirk Nahra, one of the most well-known and highly respected HIPAA/HITECH privacy attorneys in the country, and it was kicked back as unacceptable (i.e., it was not theirs). This consultant might have taken a course on HIPAA compliance and has no credentials after his name.
4. They have been found exaggerating or even fabricating the rules to suit their goals, stating or insinuating that it is required to use a third party to provide the BA with risk assessment and training. That is not true, it is perfectly appropriate to conduct your own or rely on already existing risk management measures. In fact, the U.S. Department of Human and Health Services (HHS) provides a template for conducting self-assessments. Using a third party is not necessarily a bad idea, but it is inappropriate to misrepresent the law by stating it must be a third party. Also, it is inappropriate to claim a range of specific services and documents are required when, in fact, HHS is relatively non-prescriptive about what they require. Until case histories are accumulated, we have no way of knowing how to fully interpret their intent.
5. They are using these same inappropriate and unethical tactics, including extortion, on health care providers. In this regard, they have a real potential for contaminating a marketplace.

Anyway you dice it, this is certainly a bad unintended consequence of the new, tougher HIPAA rule. NAID is currently exploring how it might report such tactics to the authorities and/or provide tools to combat it in the marketplace. In part two of this blog, I will explain what HHS actually says about HIPAA risk assessments, training, and compliance and provide links to the actual HHS documents. Also, tomorrow, NAID will post the recording of last week’s webinar about HIPAA/HITECH in our NAIDDirect e-newsletter.