“The times they are a changin’,” Bob Dylan sang in the Sixties. And they still are, especially when it comes to HIPAA and its regulations regarding Business Associate Agreements. The Omnibus Rule that went into effect in September of 2013 makes it clear that business associates of healthcare practices now have to comply with many of the provisions of the HIPAA Privacy Rule, all of the HIPAA Security Rule, and HIPAA’s Breach Notification Rule.
While Business Associate Agreements have been part of HIPAA since it began, the big changes since the passage of the Omnibus Rule include:
- An expanded definition of the term “Business Associate”
- A requirement for business associates to report breaches of unsecured Protected Health Information (PHI) to you, the covered entity, regardless of the risk of potential harm.
- A requirement for business associates to ensure that any of their subcontractors that create or receive protected health information agree to the same restrictions and conditions that apply to the business associate itself.
- New authority for Health and Human Services (HHS) to regulate business associates directly, to hold them accountable, fine them or take them to court if and when their non-compliance compromises PHI.
In this blog I’ll talk about these changes, how they affect offices like yours, and how having Business Associate Agreements in place can potentially save a practice from financial ruin.
What is a Business Associate under HIPAA?
Here’s the official definition from the HHS website: A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
In other words, business associates under HIPAA are organizations or individuals who conduct business with you or for you involving the use or disclosure of individually identifiable protected health information. Access to PHI is the operative phrase here.
Under the Omnibus Rule, business associates include subcontractors (no matter how far downstream they are from a practice), companies that provide data-transmission services, document and data-storage organizations, personal health-record vendors, and even financial institutions, if they have access to PHI.
So, the lab you rely on for test results, the accounting firm that processes your insurance claims, the email service you use when sharing PHI with other providers — these and other business associates of yours are now required to:
- Implement policies and procedures that address HIPAA’s administrative, physical, and technical safeguards
- Ensure that all employees receive HIPAA security training on how to protect PHI
- Perform a detailed HIPAA Risk Assessment to determine how good the organization is at safeguarding PHI
In other words, your business associates now have to comply with HIPAA in many of the same ways you do.
Are business associates aware of their obligation to be HIPAA compliant?
Some are, but many are not. But that doesn’t change the fact that under the Omnibus Rule, your business associates are directly liable for non-compliance and are subject to civil and criminal penalties.
Compliance in these instances isn’t determined based upon whether a Business Associate Agreement is in place. Instead, it’s determined by whether an organization or individual fits the HIPAA definition of a business associate. As a result, the obligation to comply with HIPAA belongs to your business associates, even if you don’t have BAAs with them.
If the law says my business associates are themselves responsible for being HIPAA compliant, why do I need BAAs?
There are two very compelling reasons. The first is for your own peace of mind, to ensure that the patient information you entrust to your associates is as safe with them as it is with you.
The second reason, to put it bluntly, is to “cover your butt.”
Let’s say, for instance, that a business associate of yours has a security breach and as a result, hundreds of your patients’ insurance ID numbers fall into the hands of scammers. You will NOT be held responsible if you have on record an appropriate Business Associate Agreement with that company or individual. BAAs indicate to HHS investigators that you’ve done your part, you’ve addressed the issue of HIPAA compliance with your business associates, and you’ve acted in good faith to protect patients’ information.
However, if you DON’T have such an agreement in place, you can, and most likely will, be liable for that breach. Why? Because you blithely handed over PHI without taking the necessary step of a BAA to ensure that your business associate knew about HIPAA’s requirements and was doing its part to fulfill them.
Civil monetary penalties can cost a practice as much as $50,000 per violation, with a cap of $1.5 million per year for multiple violations.
Scary? You bet. Avoidable? Definitely.
In an upcoming blog, I’ll offer some practical information on how to go about having BAAs on record at your office.