Business Associates and HIPAA

Business Associates and HIPAA

Recently there has been some confusion about HIPAA and Business Associates. There have been many questions submitted with regard to what is a Business Associate and what are their responsibilities under HIPAA. The following information should be helpful to you.

As a covered entity, your practice hires Business Associates (BA) to handle your patients' PHI on your behalf. Because you are a covered entity, you must comply and ensure the compliance of your BAs to HIPAA Privacy, Security, and HIPAA HITECH. Your BA's activities can reflect on you.

The lax days of complying with privacy and security laws have been over for BAs since HIPAA HITECH was signed into law. BAs of covered entities must comply directly with the HIPAA Security and Privacy Rules the same as a covered entity, according to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Security Rule, which complements the HIPAA Privacy Rule, includes safeguards for protecting patients electronically protected health information (PHI), based on three components:

(1) Administrative: Organizations must have procedures that show how they will comply with the security rule

(2) Physical: Organizations must control how patients' records are physically accessed and prevent inappropriate access

(3) Technical: Organizations must have a system to control computer access and monitor and protect communication that flows electronically over open networks.

Until February 17, 2009, when President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA) into law, only covered entities were required to comply with the Security and Privacy Rules. However, the HITECH Act, or Title XVIII of the ARRA, specifies that BAs (defined by the Centers for Medicare & Medicaid Services (CMS) as those who do not work for a covered entity but handle PHI) must comply with both HIPAA Rules (the complete Security Rule and the use of disclosure provisions in the Privacy Rule). The compliance date was February 18, 2010. Business Associates can no longer say that they do not have to comply with HIPAA. They can no longer argue that they don't have to have safeguards in place. Section 13401 of the HITECH Act includes the new BA requirements. The act also states that civil and criminal penalties for violations of the HIPAA and compliance audits apply directly to BAs. Covered entities must incorporate these additional requirements in their agreements with BAs, according to the law. The BA Agreements we at HCSI have supplied to you contain these additional requirements.

BA Requirements

The HITECH Act calls for BAs to do the following:

(1) Comply with the use and disclosure requirements of the HIPAA privacy rule (Section 13404) and include those terms in the contract with the covered entity.

(2) Notify the covered entity of any individual whose unsecured PHI has been inappropriately released or obtained

(3) Ensure that the notification meets the following provisions of Section 13402:

  • A breach is considered discovered on the first day a covered entity or BA knows or should have known about it
  • BAs must notify covered entities of any breaches and provide detailed information about the breach, along with the names and contact information of individuals involved
  • Covered entities and BAs must notify individuals about a breach as soon as possible, but no later than 60 days following the discovery of the breach
  • Delays in the notification must include evidence demonstrating the necessity of the delay.

(4) When notifying individuals (or their next of kin if an individual has died) about a breach, the covered entity or BA giving notification must:

  • Provide written notification by first-class mail or, if the individual has indicated a preference, via e-mail (consent must be obtained for e-mails) and send follow-up mailings, if necessary, as more information becomes available
  • Post a notice about the breach on the home page of the BA's website or in major print or broadcast media in the event the incident involves 10 or more individuals whose contact information is out of date
  • Send notices to prominent media outlets if a breach involves more than 500 residents in a state or jurisdiction
  • Immediately notify the U.S. Department of Health and human services (HHS) secretary of a breach that involves more than 500 people
  • Submit an annual report to the HHS secretary documenting any breaches that involved fewer than 500 people during the year
  • Maintain a log for breaches involving fewer than 500 individuals

(5) Include the following information in the notification:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
  • A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Social Security number, date of birth, home address, account number, or disability code)
  • The steps individuals should take to protect themselves from potential harm resulting from the breach
  • A brief description of what the covered entity and BA are doing to investigate the breach, mitigate losses, and protect against further breaches
  • Contact information, including a toll-free telephone number, e-mail address, website, or postal address, so individuals can ask follow-up questions and obtain additional information