Business Associates

Are your vendors HIPAA compliant...are you sure?

First, let’s go over some important definitions under the HIPAA guidelines:

Covered Entities (CE): Healthcare providers, health plans and health care clearinghouses that electronically transmit any Protected Health Information (PHI)

Business Associates (BA): Any individual or organization that creates, receives, maintains or transmits PHI on behalf of a Covered Entity (CE)

Subcontractors: Any individual or organization that creates, receives, maintains or transmits PHI on behalf of a BA

As a healthcare provider, if you are considered a Covered Entity (CE), you are required to follow the HIPAA compliance guidelines. But your responsibilities do not end there. As a CE, all of your vendors who handle Protected Health Information (PHI) and are considered Business Associates under HIPAA, as well as their subcontractors, must also be compliant!

20% of all breaches on the Wall of Shame are caused by a Business Associate.
If one of your Business Associates or their subcontractors gets audited, so will you!

Second, let’s identify exactly what a Business Associate is. From the HHS government HIPAA site: "A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

The long list of industries considered Business Associates includes:

  • Administration
  • Data Processing
  • Accounting firms
  • Management services
  • IT Providers
  • Shredding services
  • EHR/EMR Providers
  • Leasing Firms
  • Answering services
  • Transcription services
  • Document storage
  • Attorneys
  • Claims processing
  • Consultants
  • Financial services
  • IT Equipment Vendors
  • Data Center
  • Telephone vendors
  • Cloud computing providers
  • Medical billing
  • Collection agencies
  • Software vendor

3 Important HIPAA Rules and Acts that affect your relationship with your Business Associates (Vendors)

The HIPAA Security Rule (2005)

The HIPAA Security Rule deals with electronic Protected Health Information (ePHI).

Although the actual rule is only 8 pages long, it is a very technical rule, so we break it down here to make it easier to understand.

There are 3 types of security safeguards required under the rule:

  1. Administrative Safeguards - Includes security management processes, workforce security, information access management, security awareness and training, contingency plan, evaluation, and business associate contracts
  2. Physical Safeguards - Includes facility access controls, workstation use, workstation security, and device and media controls
  3. Technical Safeguards - Includes access control, audit controls, integrity, person or entity authentication, and transmission security

The HITECH Act of 2009
(Health Information Technology for Economic and Clinical Health Act)

The HITECH Act was enacted to promote the adoption of health information technology, namely EHR (electronic health records). HITECH gives health providers incentives for making medical records digital, and it also adds more technical requirements for hospitals and doctors who are using EHR.
But the HITECH Act also included something that affects all of your Business Associates. It extended the privacy and security rules of HIPAA to Business Associates and their subcontractors.

The HITECH Act basically put Business Associates and their subcontractors on the compliance hook!

After 2009, this Act required your Business Associates to implement the same compliance documents and training that are required of you, a Covered Entity! And keep in mind, if your vendors/Business Associates and their subcontractors are audited, there is a very good chance you will be as well!

The Omnibus Rule (2013)

Under the Omnibus Rule, Business Associates are independently responsible for complying with the HIPAA Privacy, Security and Breach Notification Rules, and they are subject to fines.

Practices were no longer responsible for HIPAA violations committed by their BAs.

But keep in mind that if your Business Associate is audited, there is a very good chance you will be as well! So, it is your responsibility to make sure they are following the HIPAA guidelines!

The Omnibus Rule also states that each Business Associate you have must be operating under a written agreement with your practice, and this agreement must include the language laid out in the provisions of the Omnibus Rule. This Rule also made BAs responsible if their subcontractors are not compliant!

What are your responsibilities with your Business Associates?

First, you are required to have an up-to-date Business Associate Agreement (BAA) with every one of your business associates, and this agreement must be reviewed and updated every year. You need to confirm that the Business Associate uses the PHI only for the purpose it was engaged for and that it will safeguard the PHI from misuse. Business Associates also need to help you comply with some of your duties under the Privacy Rule!

The Business Associate Agreement

The agreement between a Covered Entity (CE) and a Business Associate (BA) governs the BA’s creation, use, maintenance and disclosure of PHI. It must comply with the HIPAA Security Rule, help the CE satisfy the Privacy Rule, and treat subcontractors as Business Associates.

And a key take-away here is that you can’t just sign a BA agreement with your vendors and leave it...you need to update it, confirm it and review it every year!

These contracts must be created and signed before a vendor, individual or subcontractor performs any activities involving PHI.

What are Business Associates directly liable for?

  • Impermissible uses and disclosures
  • Failure to provide breach notification to the CE
  • Failure to provide access to a copy of the ePHI to either the CE, the individual, or the individual's designee
  • Failure to follow minimum necessary standards when using or disclosing
  • Failure to provide an accounting of disclosures

When is a BAA Not Needed?

Treatment: PHI being disclosed to a healthcare provider for treatment purposes
Payment: PHI being disclosed to a health plan for payment purposes
Operations: PHI being disclosed for the purpose of healthcare operations, administrative and management activities, such as planning, resolving complaints or complying with HIPAA

If you have any vendors who have not signed or are not willing to sign the BA Agreement and become HIPAA compliant...you absolutely must hire a new vendor who will!

One of your biggest takeaways from this information should be understanding the importance of having written, yearly reviewed Business Associate Agreements with any vendor or subcontractor that interacts with your patients’ PHI. There is no wiggle room here. You need to review, update and confirm these with every Business Associate on a yearly basis, or you will be subject to an audit and possibly fines!