HHS Proposes Modifications to the HIPAA Privacy Rule as Part of the Continued Effort to Improve Patient Care and Eliminate Unnecessary Regulatory Barriers.

Business Associates: Top 5 Q&A

Top Five Business Associate Questions and Answers

When the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted in 2009, business associates were added to the list of those who were responsible for complying with HIPAA. For example, just like covered entities, business associates are required to implement information safeguards including the "CIA triad - confidentiality, integrity, and availability. Collectively, the CIA triad should be at the center of any healthcare organization's security program.

After the U.S. Department of Health and Human Services (HHS) issued the "Final Rule" in 2013, several provisions of the HITECH act were implemented. This ultimately led to business associates being susceptible to the same penalties covered entities are. This also led to additional scrutiny on covered entities to be sure they fulfilled their obligations in executing HIPAA compliant business associate agreements with all of their business associates.

Even today, there remains some confusion about business associates, including when an agreement is necessary, and what their compliance requirements are. To help clear up some of the confusion, here the top 5 business associate questions and answers:

Top 5 Questions and Answers

Question: Do you need to have a BAA with a hospital that you have an outside clinic at? Or is it covered under continuity of care?

Answer: A business associate agreement would not be necessary with a hospital you have an outside clinic at. For treatment purposes, this is an example of an exception and would be covered under continuity of care. However, you could ask for an agreement to be in place if the hospital performs certain functions or activities that involve the use or disclosure of PHI, such as if the hospital provides medical transcription services, billing services, or other functions on your behalf.

Question: You are updating your BAAs. Several vendors will not sign your BAA. They are sending you their BAA agreement. What recommendations do we have in this situation?

Answer: Under HIPAA you (the covered entity) are required to enter into a HIPAA compliant BAA with your vendors who create, receive, transmit or maintain PHI. When vendors will not sign your BAA and send you their BAA, you must thoroughly review the agreement to ensure it includes all elements specified in the HIPAA Privacy Rule. A compliant agreement must include assurances PHI will be properly safeguarded and in the event of a breach, all required notification procedures must be clearly explained.

Remember, if the vendor is providing services on your behalf and not the other way around. Therefore, you are not required to sign their BAA (most likely a BAA their legal or compliance department have put together) and could require them to sign your BAA, other than under limited circumstances. For example, in the event of a large vendor (e.g., Google) they most likely will not sign your agreement. They have a standard, well-vetted agreement, you can feel comfortable signing knowing it will satisfy HIPAA requirements.

Question: You have received letters from Durable Medical Equipment business associates (BA) that state they do not require a signed BAA because they are classified as a Health Care provider and do not qualify as a BA. Would this include laboratories as well?

Answer: Laboratories can be covered entities and health care providers. However, laboratories could also be business associates depending on what services they provide for you. You should ask for a BAA if the laboratory performs certain functions or activities that involve the use or disclosure of PHI, such as if the laboratory provides billing services or other functions on your behalf (in addition to their lab services).

Question: When submitting a BAA to a vendor you did not previously have a BAA with, is it a best practice to date it when you began doing business with the vendor, or is the current date ok?

Answer: We recommend documenting when the BAA was signed and when services began. The BAA must also include a termination date. If it is a BA you intend on providing services for your organization for a long period of time, we would recommend a perpetual agreement and including "event" language such as this agreement shall continue in force so long as any underlying contract between the Provider and Business Associate remains in force. If you intend on the BA only providing services for a short period of time (1 year or less), then entering a date that reasonably covers the "term" of the agreement, is our recommendation.

Question: Are business associates required to complete a security risk analysis (SRA) and have a compliance program in place?

Answer: Since 2009, business associates are required to undertake an SRA and determine how best to implement the required and addressable standards and implementation specifications under HIPAA. This includes having a HIPAA compliance program in place that includes all required policies and procedures, completing training, etc.

Have additional questions? Reach out to us to schedule a free consultation!