The CoPilot Provider Support Services incident: The HIPAA issue
In the first part of a discussion of an incident reported by CoPilot Provider Support Services, this site reported claims by John Witkowski, a former employee, that CoPilot had not reported accurately on the incident. In this part, we focus on just one of CoPilot’s claims – that they are not a business associate under HIPAA.
When CoPilot Provider Support Services recently disclosed a security incident that they had known about since 2015, they claimed that they were not a business associate under HIPAA, telling Security Media Group that the firm “supports physicians in the furtherance of payment or healthcare operations. As such, it is not a business associate to physicians but it is covered by HIPAA in its relationship to providers. HIPAA permits physicians to disclose PHI to organizations like CoPilot – with or without a BAA [business associate agreement] – since disclosure(s) is in furtherance of payment or healthcare operations.”
Experts consulted by Marianne Kolbasuk McGee for the story found their statements confusing, and possibly inaccurate. DataBreaches.net, too, found the claims somewhat confusing.
CoPilot’s site describes its services and includes the following:
… By taking a consultative approach to our services, each reimbursement support program is customized to our clients’ needs but could involve the following core components:
- Benefit verifications
- Prior authorization assistance
- Billing and coding support
- Monitoring of payer policy and verification
- Appeals management
DataBreaches.net’s understanding of the service is that any physician can use the monovischcp.com site, although they should register for it. Once they input their patient’s information, CoPilot makes calls to the health plan to determine eligibility/authorization, and then emails the physician the outcome.
According to John Witowski, the former employee whose claims were discussed in the first article, if the injections are authorized by the health plan, then:
If CareMed can fill the prescription, CoPilot sends it to CareMed to be filled. (This should be Patient/Provider’s choice. CareMed does a test claim on all pharmacy benefit investigation requests CoPilot gets).
DataBreaches.net asked Witkowski if he was ever involved in any discussions about whether the companies needed to comply with HIPAA while he was employed there. He responded, “All the time. It was required training, as they were handling patient information. As far as I knew, we were ‘HIPAA Compliant’. Clearly not.” In a response to a follow-up question as to whether he knew why CoPilot claims it is not a business associate under HIPAA, he replied, “That one confuses me.”
It confuses a lot of us, it seems.
DataBreaches.net asked CoPilot to explain why they believe they are not a Business Associate under HIPAA’s definition at 45 CFR 160.103. They did not reply, so DataBreaches.net asked a few HIPAA lawyers to review CoPilot’s site and their statements and to offer their opinion based on the site and CoPilot’s statements.
Matthew Fisher of Mirick, O’Connell, DeMallie & Lougee, LLP responded:
On first blush, CoPilot’s service of assisting providers in obtaining reimbursement would be an outsourced service whereby CoPilot obtains the provider’s PHI for purposes of doing something on behalf of the provider. That would clearly fit within the definition of a business associate and make CoPilot a business associate. Such an interpretation is supported by the list of services identified on CoPilot’s website that CoPilot states it can perform for others.
However, more information may be necessary to full determine whether CoPilot was in a business associate relationship with the providers regarding the database that was inappropriately accessed. CoPilot’s statement and press release suggest that the coverage verification website was created and maintained by CoPilot as a general service. In looking at the www.monovischcp.com website identified by CoPilot, it is branded under a pharmaceutical company and identified as for informational purposes only. The website may not be part of support services that CoPilot would offer to a provider who contracts with CoPilot. If the website is maintained for general informational purposes, I can see support for the position that CoPilot was not a business associate of the providers who entered information.
To determine CoPilot’s exact status in connection with each provider’s PHI that was impacted does require more information though. The primary piece would be knowing whether the providers sought out the website and entered the information without any form of relationship with CoPilot, or if the verification was part of a suite of services offered by CoPilot to the providers.
DataBreaches.net also sought an opinion from Jeff Drummond of Jackson Walker. Noting that he does not have definitive facts about their customers and is making some assumptions, he wrote:
If CoPilot’s only customers were non-covered entities such as pharmaceutical companies that don’t sell to the public, then CoPilot arguably would not be a business associate.
But the description of CoPilot’s services under reimbursement support sure seems to indicate that some of their customers are providers who are billing patients/payors for their services. At least some of those providers almost certainly are “health care providers” who conduct electronic transactions covered by HIPAA. If so, then CoPilot is a business associate if they provide claims processing services that involve the use or disclosure of individually identifiable health information.
Unless their customers are not covered entities under HIPAA, I don’t see how CoPilot could not be a business associate under HIPAA. Seems impossible to me. I’d want to hear their argument, but it really beggars belief.
The fact that two experienced HIPAA lawyers could not draw definite conclusions based on information provided on the sites suggests that at the very least, CoPilot and/or Depuy Mitek, who publishes the Monovisc site, might want to have some statement about HIPAA on the site and whether the service implicates HIPAA in any way.
Does HHS/OCR Believe CoPilot is Covered?
Importantly, perhaps: after investigating the complaint Witkowski filed about the security incident on December 23, 2015, OCR notified him on November 26, 2016, that
After careful consideration, OCR has determined that it will pursue action regarding your complaint’s allegations. Therefore the covered entity has been notified of the complaint.
So perhaps OCR believes that CoPilot is a Business Associate or covered entity under HIPAA? Yes, there have been cases where they have investigated and then determined that the entity was not covered, but is that likely to be the case here?
The incident does not appear on HHS’s public breach tool at this time, and it is not clear whether CoPilot has submitted it or not, even though they claimed that “out of an abundance of caution,” they had communicated with OCR and “otherwise taken all necessary compliance steps pursuant to HIPAA.”
Perhaps OCR will get an answer from CoPilot as to why the lengthy delay in notification to patients, but if CoPilot is covered by HIPAA, they may find themselves with some serious problems, and not just over the very delayed notification. Then, too, any HIPAA-covered physicians who used or use the service without having any business associate agreement in place may find themselves in trouble if they should have had a business associate agreement in place.
But even if it should turn out that CoPilot is correct in their claims with respect to HIPAA, they could still potentially face complaints from state attorneys general or the Federal Trade Commission over their lack of timely notification over the breach. Absent a written request from law enforcement to delay notification, DataBreaches.net is hard-pressed to think of any valid justification for taking more than one year to notify patients, unless CoPilot intends to argue that its risk assessment indicated that no notification was necessary. But if that’s the case, then why notify at all?