Question regarding Business Associate Agreements
We were recently asked a question by one of our clients regarding their Business Associate Agreements (BAAs). Below is the question we were asked and our response.
Does your BAA conform to all updates to the law? Are we in compliance with all that is stated in the email below?
1. Who is your HIPAA Privacy and Security Official?
2. Have all members of your organization including sub–contractors been through HIPAA Privacy and Security training in the last twelve months? Who conducted the training and how is it documented?
3. Have you had a Security Risk Analysis performed in the last twelve months? Who conducted the analysis and how is it documented? What were the major findings and recommendations for remediation? What actions have been taken toward remediation? May I see a summary of the report?
4. Do you have a written Disaster Recovery Plan, Incident Response Plan, Business Impact Analysis, and Emergency Mode Operations Plan in place?
5. Can you describe to me your obligations under the Breach Notification Rule?
- HIPAA Audits to resume: The most common question – and the greatest deficiency – lies in the failure to perform, document, and update a proper Security Risk Analysis.
- A settlement was recently reached wherein the group was required to pay $750,000 and enter into a corrective action plan that includes performance of a regular Security Risk Analysis. This example serves to underscore the importance of encryption and the performance of a regular Security Risk Analysis.
Under the HIPAA Privacy Rule, a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
A covered entity's contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Just last year, we updated our HIPAA Omnibus Business Associate Agreement (BAA) that we have available in our forms section to include important language for both Covered Entities and Business Associates. We added an indemnification of Covered Entity section:
Business Associate agrees to indemnify and hold harmless, to the extent allowed by law,the Covered Entity, its officers, employees, and agents (individually and collectively "Indemnitees") against any and all losses, liabilities, judgments, penalties, awards, and costs (including costs of investigations, legal fees, and expenses) arising out of or related to:
A breach of this Business Associate Agreement relating to the Obligations and Activities required by Business Associate; or
Any negligent or wrongful acts or omissions of Business Associate or its employees,directors, officers, subcontractors, or agents, relating to their HIPAA Privacy and Security requirements, including failure to perform their Obligations and Activities under this Business Associate Agreement.
We also added a sentence regarding Uses and Disclosures by Business Associate:
Business associate agrees to make uses and disclosures and requests for protected health information consistent with Covered Entity's minimum necessary policies and procedures.
Based on the facts restated above, in our opinion and this is by no means legal advice, we reviewed your BAA and found that it conforms to HIPAA Privacy Rule requirements. To the extent that you feel you need additional indemnification by your business associate or your subcontractor, you could consider adding the indemnification of Covered Entity language and/or the Uses and Disclosures by Business Associate language above. However, in our opinion, your BAA meets HIPAA standards consistent with HIPAA Omnibus Requirements.
It appears the email your received focused greatly on the importance of a Security Risk Analysis. We would like to let you know our Security Risk Analysis meets and exceeds HIPAA and Meaningful Use Stage 1 and Stage 2 requirements. In fact, we recently updated it to include sections specific to Meaningful Use attestation to make it easier for auditors to understand. Specifically, we added an EHR Reporting Period question:
Is this Security Risk Analysis being performed or reviewed for Stage 1 or Stage 2 Meaningful Use?
Please enter the Meaningful Use reporting period for which this SRA is being performed. (e.g. 4th Quarter 2015, Full Year 2015, etc.)
We are confident our SRA and follow up action plan ("recommendations for remediation") are more than sufficient and ensure you are in compliance with both HIPAA and Meaningful Use requirements.
Have you performed your SRA? Are your BAAs compliant? Do you have compliance questions? We can help. For more information, or to request an answer to any questions you may have please feel free to comment below or send us an email at [email protected].com or reach us by phone toll–free at 855–427–0427.