Chris Ryan | Getty Images
Last week we spoke about choosing a HIPAA Security Officer. This week we are writing about how to identify your Business Associates and what are your responsibilities as a Covered Entity.
Who are your Business Associates?
Business Associates are those folks that support a Covered Entity. They are anyone who comes in contact or could potentially come in contact with Protected Health Information (PHI). Examples of Business Associates are lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, web hosts, etc. (This list could go on for a while.) You are required to have a Business Associate Agreement with these people. This is a contract that states what they are allowed to do with the information you give them, and how they are going to protect this information on your behalf.
The Business Associate Agreement
This agreement will clearly list the obligations the Business Associate agrees to follow. Here are some of the highlights of what a Business Associate will be agreeing to:
- Protecting PHI – This means that the Business Associate agrees to implement the Administrative, Physical and Technical standards set forth in the HIPAA Security Rules and certain standards under the Privacy Rule. They should be able to give you copies of their HIPAA Policies and Procedures if requested.
- Training Employees – All employees of the Business Associate should be trained on their responsibilities for protecting electronic PHI (or “ePHI”) in possession of the Business Associate. They need to show you a log of all employees training.
- Breach Notification – In the unfortunate event your Business Associate allows a Breach to the integrity or secure access of your PHI, the Business Associate should contact you without delay. We recommend that your Business Associate Agreement specify notice of such breaches within 15 days of discovery of the breach. As the Covered Entity under HIPAA, you have 60 days after discovering the breach to notify HHS as well as the patients of a breach, so it’s important for the BA to notify you quickly when they suspect a Breach.
- Subcontractors – The Business Associate must require their Subcontractors meet the same HIPAA Privacy and Security requirements that apply to the Business Associate.
- Return or Destroy Information – When the service contract with your Business Associate is over and your BA no longer needs access to your PHI to perform services on your behalf, the Business Associate must agree to return and/or destroy any PHI they have received from you as the Covered Entity. This also means the Subcontractors will return and destroy any data they have.
Not everybody who comes in contact with your PHI is a Business Associate. So whether you need a Business Associate Agreement with a third party depends solely on whether the third party is a person or entity performing business associate activities.
For example, the following entities may or may not be Business Associates (and may or may not need BA agreements) depending on their activities.
- Cleaning Company – Unless the cleaning company is using, storing, or otherwise making use of your PHI on your behalf, the routine cleaning and disposal of the garbage in your office does not involve Business Associate activities requiring a Business Associate Agreement. You, as the Covered Entity, have some duty to encrypt, shred, or otherwise make your discarded PHI secure from interception by the cleaning crew or others who might follow your waste stream. It is a good idea to have a conversation with a supervisor to make sure the cleaning staff understands what they should do in the event they come in contact with PHI. They should let you know if records, or identifying information are left in an unsecure area, or if they are finding sensitive information in the trash, un-shredded, as this will alert you to a hole in your HIPAA compliance requirements. .
- Laboratories – Pathology or reference labs are health care providers and thus Covered Entities. Labs who receive your PHI are not Business Associates (unless the lab performs Business Associate services for you – such as billing services – in addition to their lab services). HIPAA does not require any prior authorization or Business Associate arrangement for disclosures for treatment purposes. But, if you share a patient’s PHI along with a blood sample to the lab, you need not obtain a separate authorization or a BA agreement for such disclosure.
- Physician Referrals –Referrals of patients along with their PHI to specialists, other physicians, or other health care provider for emergency care are disclosures to other Covered Entities for treatment and not disclosures to a Business Associate. These disclosures of PHI are for treatment purposes, and patient authorizations are not needed in this case nor are Business Associate Agreements.
Common Law of Agency
The new HIPAA Omnibus rules extend the federal common law agency rules to actions of Business Associates. See, 45 CFR § 160.402(c). This extension clarifies that a Covered Entity is liable for the HIPAA violations made by their Business Associates. Before you contract with any Business Associates, make sure you audit their Privacy and Security Plan. (Link Security Plan Blog)
In HHS’s 2012 Breach Report to congress, Business Associates were responsible for 42% of the Breaches.
What does this teach us? You need to be careful what your Business Associates are doing with the information they have, and in turn with whom they are working.
Auditing Your Business Associates
Once you’ve identified your Business Associates, you will want to see their Privacy and Security Plans. This means viewing their –
- Privacy and Security Policies and Procedures
- Risk Assessment
- Training Logs of Employees
- List of Subcontractors they work with
Because of the Common Law of Agency provision, it is important that you conduct these audits before you contract with your Business Associates. Remember, their mistakes made as part of their agency relationship with you become your mistakes!
How do you manage your Business Associates?
It is a good idea to review your Business Associate Agreements periodically. You could schedule this when you review your Privacy and Security Policies and Procedures. Also, ask them to alert you if they have any dramatic changes in the way they conduct business. Your Business Associate should be able to provide an updated Compliance Plan as requested.
Come back and visit us next week when we talk about Performing a Risk Assessment for your Practice.