The second webinar, "Business Associate Agreements," was held on February 19th, 2015. Daniel Brown, Esq. of Taylor English Duma LLP and Jason Karn of Total HIPAA Compliance walked attendees through an overview of business associate agreements and discussed some of the intricacies of this compliance requirement. Topics covered include:

  • Who is a Business Associate (B.A.)
  • Responsibilities of B.A.s and Subcontractors
  • What's in a Business Associate Agreement
  • What are Business Associates liable for
  • How to keep your Business Associates in check

Video Playlist

To make the webinar a little easier to navigate, we divided it into shorter clips. If you'd like to view the entire webinar, just start with the first clip, and the rest will be queued up automatically. A transcript of the presentation is available below as well as answers to some of the questions we received during the Q&A.

 

Webinar Transcript

To keep things simple, we divided the video transcript into short sections corresponding with the clips above.

P1 - Intro

Caleb Clarke: Thanks for joining our Steps to HIPAA Compliance Webinar Series. Today we've got our second installment, Managing Business Associates. I'm Caleb Clarke and I'm the sales and marketing director at NueMD. We're very fortunate to have Jason Karn from Total HIPAA Compliance and Daniel Brown from the law firm of Taylor English. Dan...

Daniel B. Brown, Esq.: Thank you very much. My name is Dan Brown and I'm an attorney in Atlanta, GA. I practice with the full service firm of Taylor English Duma LLP in Atlanta. I've been representing healthcare companies, providers, systems for a little over 25 years now and have had the pleasure of working with many providers in their HIPAA compliance plan, corporate compliance plan and helping them out when they find themselves in a crosswise with these rules. I'll be joining the program a little bit later. Right now I'd like to introduce Jason Karn of Total HIPAA.

Jason Karn: My name is Jason Karn. I'm the director of training and IT at Total HIPAA Compliance. I've been involved with HIPAA since 2003. I'm also one of the co-creators of Total HIPAA's online training and compliance documents. I'm also a frequent presenter at conferences across the country and I do a lot of blogging on HIPAA. So we're going to start off with a little housekeeping. As you see this program is educational and does not constitute any legal advice. And we're also not serving in a client-attorney relationship with anybody.

P2 - The Players

Jason Karn: Let's do a review here about some of the players we have going on here. As you can see most of the people registered today are covered entities. And covered entities are your physicians, what we'd call the top of the chain. You have your healthcare clearinghouses, your insurance carriers, and any employers, and this is sometimes a shock for people, any employer that offers healthcare coverage to their employees are also considered covered entities. So you could fall into more than one category here. You could be a business associate as you support a healthcare provider but if you do supply healthcare coverage to your employees then you're also considered a covered entity. And then we have business associates and business associates subcontractors.

Business associates, and that's who we're really going to be talking about today, in many ways business associates and business associate subcontractors, you'll see a lot of overlap with the same kinds of people that are in these groups. The business associates support the covered entities, the business associate subcontractors support the business associates. So a covered entity will not have a business associate subcontractor. They would only have a business associate.

P3 - Who is a Business Associate

Jason Karn: Who is a business associate? This is anybody who helps your business or practice basically do business. This is your lawyers, these are your IT contractors, billing companies. These are basically anybody who comes in contact with your protected health information, holds this for you. It could be your shredding company, the list really goes on with this. And as we spoke about last week about formulating your compliance plan, you really want to make sure you have a good list of who those business associates are with contact information, and also request to see who your business associates use as subcontractors. There's a lot of liability that's changed now and you need to be careful and understand who you're dealing with and who they're dealing with and who that information may be passed onto. I'm going to pass it to Dan who is going to talk about who is not a business associate.

P4 - Who is NOT a Business Associate

Daniel B. Brown, Esq.: When we think about the business associate, we've got to think about a lot of legal obligations that the HIPAA rules impose upon us as providers. Historically the way it worked was that a covered entity had an obligation not to disclose their protected health information except pertinent to HIPAA. That means you could always disclose any information to anybody for purposes of treatment, healthcare operations, or payment without any particular authorization from the holder of the PHI, the patient.

But the HIPAA guys realized from time to time the covered entity, the doctor's practice, a hospital, may need to use a third party vendor to do stuff for the hospital or the practice and to use protected health information in performing those exact services. So the easy example is the billing company. You're going to give the billing company access to your PHI so they can bill on your behalf. They do it on your behalf so they have access to protected health information. They're the classic business associate.

Let's talk about some of the activities people do that are questionable. And the top one on the slide is cleaning companies so let's think about that for a moment. If you are a covered entity and you fall under the HIPAA rules, you have certain obligations to protect the privacy of the PHI. Once you're a covered entity, that privacy obligation extends not only to electronic information but also to anything in writing and anything orally said.

So here we've got a cleaning company coming into your offices and they're going to take out the trash. And there may be papers all over your desk and there may be protected health information in front of them. You know you've hired this company to come in and do something for you. They have access to PHI because it's sitting there. Does that make the cleaning company a business associate where you require the business associate agreement? The department of human and health services tells us, "no".

Cleaning company is not necessarily a business associate. First of all they're not using the PHI to help you do anything. They just come across it. And in coming across it, it's in a transient system. And more importantly than whether or not a cleaning company is a business associate is whether or not you as a covered entity have properly secured the protected health information so it can't be gathered up by a cleaning company and used by them. This goes to your obligation to shred or otherwise secure protected health information so others don't see it.

What about a lab or physician referral? Well again remember, we have to determine whether or not the laboratory or physician that you refer a patient to, another physician or x-ray supplier, independent diagnostic testing facility, those guys are going to be performing treatment for your patient. And the question is are the disclosures you make to those other covered entities, laboratory or physician, are they business associates? And the answer is 'no'. By rule, HIPAA says that a provider who uses health information for treatment purposes is not a business associate.

It's really kind of interesting because it's true that the other covered entity is not a business associate. Let's say a doctor, if I send the doctor a patient, "I need you to take care of doctor/specialist and here's the healthcare information", no authorization is required for the treatment disclosure, and the recipient is not a business associate unless the physician happens to do business associate stuff for you. In other words, starts billing for you. In that case he's both a covered entity and a business associate and you need to have a business associate agreement. So we need to think about the different activities that the recipient does to determine if they're a business associate.

P5 - Am I a HIPAA Conduit

Daniel B. Brown, Esq.: Here's a really interesting concept that came about in 2013 as part of the HIPAA overhaul. It used to be that a business associate who basically took electronic information and didn't do anything with it was not a business associate. After the HITECH laws came into place and the overhaul of HIPAA in 2013, that kind of changed a little bit. What we have now is a distinction in the law about whether or not somebody who is a transmitter of protected health information is a business associate. And whether or not a big server who keeps your data in the cloud, whether or not they're a business associate.

And the rule that came about is called the conduit exception. And the conduit exception is pretty simplistic on first reading then it gets complicated. The simple discussion is if an entity only transmits the data, the PHI that you'd deliver to them, with the very limited expectation that they would ever look at them or use it then they are not a business associate. I'll give you an example: the postal service, FedEx, and UPS and their internet equivalents. Those guys are just transmitters; they're not business associates.

The alternative is a cloud database. A cloud database basically has pooled this data, if not encrypted separately, the owner of the pool has the opportunity to go in and look at it from time to time. That cloud based data storage unit would be considered a business associate and there would need to be a business associate agreement by the covered entity to the business associate.

The best way to think about this is to think about a babbling brook and then think of your mind as a pool at the end of the brook or maybe stand up by a beaver dam or something. But all the information in the brook as it travels through the brook is very much going to be a transmission entity not a business associate. But when the data gets to the pool and it's being held there and there are some facts and circumstances that would lend one to believe that there is some access and perhaps improper use by the cloud owner well then that turns the activity into business associate activity and you require a business associate agreement with the cloud provider at that point.

P6 - Requirements for Business Associates

Daniel B. Brown, Esq.: Let's go ahead and look at the next slide and that's requirements for business associates. Now when you think about business associates, what do you have to do? Well, it used to be that a covered entity, before the 2013 overhaul, the covered entity had the entire exposure for a breach or a violation of a HIPAA privacy or security rule performed by the covered entity. The business associate had no liability at all. And the way the covered entity could protect themselves from liability was simply to have some reasonable accommodation, reasonable steps that it was taking to protect the information in the hands of the business associate.

What's that reasonable accommodation, that reasonable step? It was entering into a business associate agreement. That's the only reason we have these agreements. It's because HIPAA says, you the covered entity have to take some steps to prove that you put some contractual obligations on your business associates not to play around with your PHI.

So the only requirements business associates used to have were merely contractual. Now HIPAA tells us exactly what those contracts must include. So if you were to go out and let's say draft your own business associate agreement it probably wouldn't stand up to protect you or the business associate unless it tracks exactly the form of standards that is contained in the actual regulations.

And by the way if you go online on the Department of Health and Human Services, there is a form of a business associate agreement that you can use that provides the bare minimum what you can think about of what's required for the purposes of a business associate agreement. That's just a little tip you can get out there.

There are certain requirements though apart from these contractual requirements we've got to think about nowadays. Now after the HIPAA overhaul, a business associate has taken on a considerable legal obligation to perform activities that only a covered entity used to do. For example, it's now under the security rules, a business associate who has electronic health information is going to have to do a risk analysis of their own business. And determine by analysis of their own business activity whether or not the business associate has holes where electronic health information can leak out, you know, where there's not encryption. There's devices being used where we can't track. There's a whole obligation of the business associate to make that analysis, document that analysis because as we can see the business associate is now liable for not following these rules as anybody else.

So we're going to have a risk analysis, risk management, there needs to be a sanction policy, we'll have to have all types of security awareness training. Business associates must now train their workforce just like the covered entities do, need to have contingency plans, need to have evaluations.

P7 - Liabilities

Daniel B. Brown, Esq.: So what are all these liabilities out there? Well the liabilities are kind of direct. It used to be like I said, a covered entity, was the only entity that could be liable for a breach or a problem of their business associate. And now the business associate has their own liability for their own failure to do things like make risk assessments and train their workforce. And these are real penalties. It used to be that you could say "I didn't know I had to do that" and get away with it. There's no more 'did not know' affirmative defense. You can have up to $50,000 per violation.

And I will say there are now some folks going out and auditing business associates themselves to see if they are accommodating all the obligations they have to have which brings us to the subcontractor. The whole concept is there is an obligation of a covered entity to protect information if the covered entity uses a business associate, the business associate must likewise protect the information and likewise has liability.

Similarly if the business associate delegates any activity down to any subcontractor, anybody who is not in the workforce of the business associate, to do some of the business associate's activities we've created a third tier. And that third tier party is also liable and the business associate is liable unless the business associate enters into a business associate agreement with the subcontractor.

So all of this makes the business associate and the subcontractor liable to the extent of a covered entity. Now there is a little legal trick here and the law says that a subcontractor or business associate, either one, is liable to the covered entity. And the covered entity by the way has liability for the actions of the business associate, if and only if the business associate is acting as an agent of the covered entity.

P8 - Common Law of Agency

Daniel B. Brown, Esq.: The law tells us, we are going to look at the federal common law of agency to determine whether or not we're in an agency relationship. And what's an agency relationship? It's kind of back and forth. It looks at the term of the arrangement. The most important thing is whether or not covered entity can control the business associate's ability to use and manipulate the conduct of the performance of the duties the business associate is doing. And you know it's an interesting thing. If you want to disassociate yourself as a covered entity, and protect you from the mistakes of a business associate, one thing you can do is look at your business associate agreement and try to disclaim an agency. Say that you're just entering into an independent contractor relationship with the business associate. We're not creating an agency. The business associate has its own control of the stuff it's doing. And therefore you can try from a legal perspective to insulate yourself from the business associate's mistakes. And that's something to keep in mind. We can talk about other tips a little bit later but think about that as you analyze your relationships with business associates. Maybe we don't want to create agency relationship and therefore we stopped liability from coming upstream. Jason, I'm going to turn to you and let you talk a little bit about the breach obligations. What are the obligations of the parties when there's a breach.

P9 - What is a Breach?

Jason Karn: Thank you so much Dan, I really appreciate that. So what is a breach? This is when PHI has been accessed, used, acquired, or disclosed by an unauthorized person. And this applies to three different formats. It applies to ePHIs, electronic protected health information, oral, so anytime you're speaking and also paper. One of the things that's a catch for people is oral. So you need to be really careful not only with your business associate in the way you disclose information but also with your employees. Say you're a receptionist, when people are speaking in the reception area, make sure they're speaking quietly. Also if they need to speak about a particular client or patient that they need to step out of that area.

P10 - Permitted use of PHI

Jason Karn: There are permitted uses of PHI. Dan brought this up. There's what we call TPO, which is treatment, payment and operations as we have your health care operations. And there are also certain public policy exceptions that exist for releasing PHI. Most of those have to do with everybody. One recent example we have is the Ebola scare out of Texas. If you have a patient that has hemorrhagic fever, you have to notify the CDC. And that includes calling them. Depending on what it is, say with the flu, you just have to notify them with writing. I know sexually transmitted disease require you have to send those by writing. And you do not have to have an individual's written authorization to make these disclosures. These are common good of the population so the CDC needs to know about these. There may also be state boards and regulations for releasing this information and that's important to keep in mind. But all other uses require a written authorization. This would be for any marketing purposes or anything beyond that.

P11 - Breach Exceptions

Jason Karn: So there are some breach exceptions and this is an unintentional access by an employee who is authorized to access this information. If you have employees who are not authorized to access this information, this potentially could be a breach.

Then we have the inadvertent disclosure from a covered entity to a business associate. This calls to be from employee to employee. But again they have to be authorized to access this PHI. We spoke in the last webinar about making sure that within your practice you make levels of authorization so you have administrative levels, whatever you determine so that a receptionist doesn't have access to medical records that the physicians and practicing nurses have.

And also the third breach exception is unauthorized access by a PHI to a third party who can't reasonably use this information. And this is a really hard one to work around and I've bounced this around with people in my company and in my legal counsel. And the best thing I could come up with that explains this would be encrypted information.

If say you had the information that was encrypted, you sent it to the wrong person, it was password protected, without reasonable attempt they could not access and figure out what was in that information. That would fall under this third party. When we present on this and I talk about it to people, normally for this third exception I tell them to go ahead and do a risk analysis on that breach and say let's treat this as a breach and let's prove this information was not released. And that there's no way this information could be used. So we want to mitigate that breach.

P12 - Breach Notification Requirements

Jason Karn: Now what are your requirements for notifying people? You have 60 days from the time that you knew or reasonably should have known about the breach. When it comes there is this threshold of 500 that exists. And the 500 is that if you have disclosure of over 500 people's information, you immediately have to notify HHS. If you are in the state of California and I'm not sure if other states require this but you also have to notify the attorney general in the state of California. And if there is an imminent threat so say you have an employee who walked out with records, has social security numbers, has information that they could use, you need to actually notify the people. You can do this in writing, email or phone calls.

If you have less than the 500, as far as notification you don't have to notify HHS at that time, within that 60 day time frame. But you will hold that information till the end of the year. And at the end of the calendar year you would need to disclose that information say, these are the breaches we've had, this is how we mitigated those breaches. That's an important thing to keep in mind when it comes to dealing with that information.

Now if you have a business associate who has a breach, within your contract, and also the subcontractor has a breach, what we recommend for a lot of our clients and I know in our business associate agreement we say that you have 15 days to notify the covered entity. And it's important that you have them notify you because you want to get a unified front as much as possible to say here's what we're going to do, here's how we are going to mitigate the breach, and here's what we're going to do to investigate. You really want to try to work together. And this is a situation where the more you can work together the better outcome you can have cause you want to find out why that breach happened, where the shortcomings were and what you can try to do to stop that from happening again. You want to make sure that as a covered entity, that your business associates are notifying you if they have an issue.

P13 - Individuals Affected by the Breach

Jason Karn: This is an interesting graph. This is from OCR, the Office of Civil Rights and they have to do a presentation to Congress every year and this is from 2012. And it was interesting to me because you look at how many business associates were responsible for breaches of health care information. And it's 42% and that's why when we were talking about compliance plan last week and also talking about what you do before you sign a business associate agreement is really understanding what your business associate is doing with your information. Ask to see that compliance plan. You want to see a risk assessment. You want to know who they're giving the information to. You want to know if that information is encrypted, in transit, at rest, when they're backing up that information. And there have been really bad breaches that have happened recently.

There was one I saw recently. It happened on February 3rd. There was a NY based company, one of their subcontractors was a nurse and she had an unencrypted laptop, an unencrypted phone, and they said 2,700 members had their information disclosed. This was social security numbers, health records. So what I say to everybody is make sure you're encrypting your information and make sure your business associates are encrypting their business information. Ask to see that information. And there's a lot we can do and there's a lot that we don't do at this point. And I think the encrypting is one of the big things and I know one of my high horses that I tell everybody, make sure that you're encrypting all of your information. You want to make sure all your hard drives, that software is built in. And we'll be talking about this in future webinars about technology but make sure you're encrypting emails. There's so much you can do to stop this from happening.

So I'm going to pass it back to Dan and he's going to talk to you about what you need to do about auditing your business associates before you sign those contracts.

P14 - Auditing and Managing Your Business Associates

Daniel B. Brown, Esq.: Thank you Jason. As far as auditing your business associate, you have to know who you're playing with. I have some business associates that come to me and say, "Are you kidding me? I have to do what? Do risk assessment? Do all these other types of activities?" And the answer is yes. Yes, you do because you the business associate have liability and by the way, if you don't take care of it, you will be liable and so will the covered entity. And it's really in their best interest to do that as well.

Take a look at the last slide and that's managing your business associates. Again as Jason said, periodically review them. You as a covered entity have some liability for what they're doing. Make sure you know who you're dealing with. Make sure if there are changes they know what they are and likewise if they change they should tell you what their changes are. And the BA should have updated compliance plans.

You know depending on whether or not I'm representing a covered entity or a business associate, I will look at the business associate agreement. And in that agreement I know I have lots of room to allocate some types of activities and liabilities under contract that's not required under HIPAA.

For example, make sure all the HIPAA required language is there. And then I've got a lot of room to play with. If I'm the covered entity I'm going to put an indemnification obligation on the business associate to say "business associate, if you mess up you're going to have to indemnify me, the covered entity". But if I'm representing the business associate, I'll make sure I never have that language in there because I never want to indemnify a covered entity.

But I will also be very aggressive in not taking on too many obligations. I'll tell the covered entity, "Well, I do have an obligation to notify you if there is a breach and I will do it according to law but instead of five days we'll use the entire 60", which is a bad situation because it gets everybody in trouble. But there is some mischief you can do inside that business associate agreement that you should look at that's different from what HIPAA requires. So if someone just hands you a business associate agreement you might want to make sure somebody looks at it for these areas of mischief.

 

Top Questions

During the webinar, attendees were able to ask questions directly to Dan and Jason. While we tried to get through as many as we could, we simply did not have time to answer all of them. So, we put together a round up of the top unanswered questions.

Q: Who is legally responsible for putting a business associate agreement in place? Is it the provider or the Business Associate?
A: It's the covered entity's responsibility. So if you are a provider, you are responsible for having an agreement with your business associates. If you are a business associate who has a subcontractor, you as a business associate are required to have a business associate agreement with the subcontractor. Either party can draft it. It makes no difference. It needs to be signed and the agreement must meet the minimum necessary points that are required by HIPAA.

Q: Can a collections agency be considered a business associate?
A: Sometimes. It depends on what information is being given to the collections agency. If that agency is collecting for healthcare treatment, if you're giving them information on what treatments were provided then yes, you would need to have a business associate agreement for that disclosure.

Q: Would another practice or lab renting space in your office be considered a business associate?
A: If there is no sharing of protected health information from the lessor or the lessee, no. However each entity should be vigilant that they are remaining compliant and protecting their information... for example, being careful to lock the door and not let the lessor come in and look at your records or vice versa.

Q: If you have a letter of protection from an attorney, are they treated like an insurance or a Business Associate?
A: A Business Associate is someone who does an activity for a covered entity. With a letter of protection, the attorney is only acting for and on behalf of the patient, and the patient is not a covered entity. The attorney is not a business associate because they're not doing anything for a covered entity. If on the other hand, the attorney is acting on behalf of the healthcare provider, which is unlikely, then there would be a business associate relationship.

Q: What recourse should be taken if a business associate refuses to sign the BAA?
A: Find a different business associate to work with! It's the law that they need to be compliant with this, and it would put you in a very compromised position.
