HIPAA Privacy and Security Rules require compliance from not only covered healthcare entities, but their Business Associates (BAs).
HIPAA Business Associate (BA) compliance rules were introduced in 2013 in the Final Omnibus Rule. This important rule not only redefined what a Business Associate is, but also applied provisions within the HITECH Act TO BAs. To understand what a business associate is, we first must understand all of the HIPAA terminology.
First, What is a Covered Entity?
First of all, what is a HIPAA Covered Entity? The Privacy Rule states that it is any health plan, healthcare clearinghouse, or any healthcare provider who accesses or transmits Protected Health Information (PHI) in physical or electronic form.
Some examples of Covered Entities are:
- Medical clinics
- Hospitals
- Surgery centers
- Insurance companies
- Healthcare billing companies
- Mental health clinics
There are many more businesses that would be considered Covered Entities – which is always defined by their need to access PHI to perform services.
When a covered entity outsources work, hires a subcontractor, or partners with another company, these are likely to fall into the category of a Business Associate. These third parties are hired to perform a function, activity, or service for the original HIPAA Covered Entity.
What is a Business Associate?
Any Business Associate with any access to the PHI of a Covered Entity must sign a HIPAA Business Associate Agreement (also called a HIPAA BA Contract). The contract should specifically list what type of PHI is being disclosed to the BA, and for what reason(s). The contract should also cover any subcontractors of the BA who might be permitted to use PHI. These subcontractors to Business Associates are also required to comply with HIPAA, which requires an additional BA agreement (contract) to be in place.
Some examples of Business Associates are:
- A third-party claims processor
- A consultant hired for case management in a hospital
- An independent medical transcriptionist providing services
- An attorney whose legal services require access to PHI
- An IT consultant who works within the electronic medical record (EMR)
Business Associate Contracts
Over three years after the Final Omnibus Rule, in the latter part of 2016, the California Healthcare Foundation funded a study to research HIPAA BA compliance among different types of Covered Entities – ranging from small physician clinics to large integrated health systems. After interviews and analysis, the researchers concluded that many Covered Entities do not have a good grasp on the definition of a Business Associate. Some erred on the side of caution and asked all businesses they had a relationship with to sign a BA agreement, regardless of the likelihood of contact with Protected Health Information (PHI) – in some cases even including services like landscaping.
This all-in approach may seem to be the safest, however Business Associates and agreements must also comply with a list of specific requirements in each contract. Each BA contract must contain the elements listed in 45CFR 164.5049(e).
Examples of just some of these contract specifics are:
- Describe the permitted and required uses of PHI by the BA
- Provide that the BA will not use or further disclose the PHI other than as permitted in the contract.
- Require the BA to use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
A blanket BA agreement for everyone is not a good idea, because each agreement should be customized for the particular type of PHI being accessed, and why.
Consequences of Non-Compliance
Unlike typical contracts, a HIPAA Business Associate Agreement does not necessarily guarantee a Covered Entity will not receive financial penalties for a breach by the BA. In fact, both the Covered Entity and the BA can be penalized, especially if it is found that the Covered Entity failed to obtain “satisfactory assurance” that a BA was HIPAA-compliant prior to the agreement. If this due diligence is not performed, the Covered Entity can be found liable for the breach.
When trusting a Business Associate with valuable PHI, it is important that healthcare providers and their clinic managers select partners that understand the importance of HIPAA compliance. FormDr takes away the burden of compliance by coming to the table prepared. In fact, FormDr is completely transparent about its very detailed compliance and security plans, providing the information on its website.
To find out more about FormDr and the ways we mitigate risk for our partners, contact us here for a free consultation.