Business Associate Agreement:
As a healthcare professional, and in light of the extensive changes (that’s an understatement…) and rules established by the Department of Health and Human Services (HHS), it is critical that you take the time to review your complete, current list of third-party vendors and business associates to determine whether they understand and are compliant with the 2013 Health Insurance Portability and Accountability Act (HIPAA) rules. Start by making a comprehensive list of all the companies and individuals with which you do business and which, in some way, come into any sort of contact with a patient’s Protected Health Information (PHI). Then make sure that every business associate agreement that needs to be in place is in place and is current.
In January of 2013, HHS released its HIPAA Omnibus Final Rule. Within this HIPAA Omnibus Rule, noteworthy changes were made regarding several important topics, including the issue of business associates. This new rule not only explains what qualifies someone or some entity as a business associate, but also states the required components now necessary in business associate agreements.
To put a potentially complex concept simply, a business associate is defined as a patient safety organization, a health information organization, an e-prescribing gateway, a person offering a personal health record, and/or any other individual or vendor who creates, receives, transmits, and/or maintains PHI on behalf of a HIPAA covered entity, such as a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically. In addition, since these vendors often use subcontractors to provide their services to covered entities, those subcontractors are now also considered business associates and must also enter into and comply with a business associate agreement. All of the requirements for a business associate agreement between your covered entity and the selected individual(s) or vendor(s) apply equally to your business associates’ subcontractor agreements. As a result, it is crucial that you confirm that the business associates with whom you do business have developed and implemented (and are in compliance with) business associate agreements with their subcontractors.
Additionally, this Final Rule explains that, with or without a formal business associate agreement on file, an individual or vendor is considered a business associate from the moment that individual or vendor creates, receives, transmits, and/or maintains PHI for a covered entity or for another business associate.
Business associates who violate any of the Security Rule’s administrative, physical, and/or technical safeguards can be found criminally or civilly liable for failing to adhere to the Health Information Technology for Economic and Clinical Health (HITECH) Act while handling electronic PHI. Under the new HIPAA Omnibus Rule, covered entities can now also be found liable if they do not take the time to ensure that all of their business associates (and subcontractors) are compliant. So, as a result of the HIPAA Omnibus Rule, business associates that are not compliant will not only face additional negative consequences under HIPAA, but will also be held directly liable to HHS.
When is a Business Associate Agreement Necessary?
Simple. Whenever the covered entity by which you are employed as a healthcare professional does business with an individual or a vendor (and/or that vendor’s subcontractors) that creates, receives, transmits, and/or maintains PHI. Examples of services that business associates may provide include claims processing, data analysis, billing, offsite record storage, legal services, accounting services, document shredding services, actuarial work, consulting services, management help, data aggregation services, administrative assistance, accreditation services, and/or financial services, among others. Keep in mind that these (and other) third-party providers are considered formal business associates if, and only if, their particular services for your covered entity specifically involve your disclosure of PHI to them.
While the HIPAA Omnibus Rule certainly imposes many critical compliance obligations on business associates, it intentionally leaves a number of areas for you and the parties involved to address. It leaves it up to the covered entity to determine the business associate’s scope of permitted uses, and it leaves it up to both parties (the covered entity and the business associate) to determine which of the two will be responsible for providing an individual with his/her own PHI when it is requested.
Although it may seem as if every vendor who does business with your HIPAA-covered entity needs a business associate agreement, this is not the case. The agreement is not necessary in the following situations: disclosing PHI to a healthcare provider for treatment purposes only, working with an insurance plan regarding a medical payment, assisting a government agency with an official investigation, dealing with staff members of the covered entity’s own workforce, and using janitorial services or the postal service.