When your organization uses data storage companies to store protected health information, they are considered a business associate. According to people like Jeff Lerner, this can include hard-copy or digital data, even where access to it is random and infrequent. A business associate agreement should include a risk analysis and the disclosures required by HIPAA. For more information, see our article on the different types of business associate agreements. Here are some common types of business associate agreements. Hopefully, this article will be helpful.
Jeff Lerner Suggested Resources
HIPAA applies to healthcare providers, clearinghouses, and their business associates. Providers include health insurers, doctors, dentists, chiropractors, and psychologists. Clearinghouses are organizations that process non-standard health information for the purpose of providing health care. However, some types of business associates are not considered covered entities. For example, janitorial services and electricians are not considered business associates.
Larger Business Associates often have their own legal and compliance departments. Lerner has said that the main point of contact will typically be the representative of that department. However, some Covered Entities have a business person serving as the main point of contact. As a result, they will be required to sign a Business Associate Agreement (BAA) with other health care providers. If this is the case, the BAA should include provisions requiring the Business Associate to pay certain costs associated with notifying the FDA.
Many Covered Entities have electronic databases that track Business Associates, but a large percentage are not included. Moreover, the database may have a primary function of tracking vendor relationships, not Business Associates. Compliance Departments have therefore considered buying software to manage Business Associates and ensure compliance with HIPAA. However, this approach could lead to confusion as the databases are not updated regularly. A third party certification process would ease the burden on Business Associates and set a “gold standard” for Covered Entities.
The BAA does not itself spell out the particular uses or disclosures that must be disclosed. While underlying service agreements often do, a BAA may be required in order to comply with HIPAA requirements. Further, it is unclear whether the BAA should be mandatory for Business Associates. Therefore, Covered Entities should make sure their business associates understand the BAAs. In addition, the BAA should be standardized, if possible.
Most Business Associates have established training programs and reinforced this training with annual refresher courses. However, some may lack this sophistication. For example, a large Business Associate may not offer specific employee training, as some roles require more in-depth knowledge of HIPAA. Smaller Business Associates may not offer formal training, but they may refer employees to materials developed by OCR. In general, Business Associates are becoming more sophisticated. The purpose of this article is to share best practices with Business Associates to ensure they comply with HIPAA regulations.
Some CE representatives suggested establishing a third-party certification process for Business Associates, in order to ensure they are meeting minimum HIPAA requirements. Although this method is not yet fully accepted, it would at least ensure that BAs adhere to the minimum standards. This process could reduce the number of due diligence requests from Covered Entities. In addition, a third-party certification process would be a good way to help ease the burden on Business Associates and create a “gold standard” for Covered Entities.
Some business associates perform various functions, including billing, claims processing, and data analysis. Many of these business associates also provide benefits and practice management services. Some of these functions also fall within the scope of legal, accounting, and insurance consulting. The types of services offered by Business Associates also depend on their size. There are some that perform the same functions as larger entities but have different specialties. While some are not required by law to provide certain services, they can provide other valuable services.
Small Physician Practices that hire Business Associates are often worried about the extent of HIPAA compliance. In addition, they may be concerned about whether their downstream vendors understand their obligations under the Privacy and Security Rules. In addition to these concerns, some Business Associates are concerned about the lack of technical safeguards. This is particularly important because these smaller practices may not have adequate safeguards. In other words, they may have no idea of the scope of their obligations under the Privacy and Security Rules.
HIPAA-required risk analysis
Performing the HIPAA-required risk analysis is one of the most important elements of managing a BAA. Without a risk analysis, you may not be able to determine whether your business associates are up to standard. The HIPAA regulations have changed the way that covered entities evaluate BAs, and it’s crucial that covered entities focus on this area of compliance before entering into any agreement. Here are a few red flags to look for before signing a Business Associate Agreement with a vendor.
Large Business Associates report fewer challenges with HIPAA compliance than smaller Business Associates. However, they report difficulty updating thousands of BAAs. If they could get rid of BAAs, the burden would be reduced and more resources could be devoted to “real” compliance. But this isn’t as simple as it sounds. The larger Business Associates have the bargaining power to negotiate with a Business Associate.
In the United States, most Covered Entities don’t ask Business Associates to conduct a HIPAA-required risk analysis. Despite these risks, OCR treats these breaches seriously and has imposed fines against them. The most recent example of a large HIPAA breach involving 500 or more records was caused by a Business Associate’s failure to perform a HIPAA risk analysis in 2013.
The BAA itself may differ from the requirements in the HIPAA Security Rule. While most Covered Entities use the model BAA that the OCR has issued, smaller Business Associates will likely rely on their business managers to coordinate with Covered Entities. In addition, the standard BAA template tracks the HHS OCR BAA template, so a Business Associate can be expected to review and sign it. In general, however, the requirements of HIPAA-required risk analysis will be different for a small business compared to a hospital system or a data center.
Disclosures under a business associate agreement
The HIPAA Rules and the HITECH Act are largely the same, except that the HITECH Act ties business associate liability to the uses and disclosures that are detailed in the agreements. Business associates are organizations that process or store PHI for a covered entity. However, this requirement applies only to personal health record vendors and certain data transmission vendors. If you want to make sure your business associate is compliant with HIPAA, you should review your current business associate agreement.
A business associate contract should also address whether the third-party entity is required to return or destroy protected health information. The business associate must have a contract stating that it must keep protected health information confidential, and it must state that third-party recipients are intended to receive the information. In addition, a covered entity can terminate the contract if the business associate breaches a material term of the contract. The preamble of the NPRM also states that a business associate contract could include any arrangements that make it possible to disclose PHI.
There are also specific types of business associate relationships. For example, a covered entity may have a business associate agreement with a lawyer. In such a case, the lawyer may disclose protected health information to an expert witness, who is not performing any functions or activities for the covered entity. While this may seem like a violation of privacy, this is not the end of the world. If a covered entity wants to protect its clients from harm, it needs to be certain that its business associates are compliant with the Privacy Act.
If your business associate contracts include terms such as breach notification, you should make sure that they include a clause specifying when and how the business associate must notify the covered entity. In some cases, the business associate does not learn that a breach occurred until several days after it has happened. Therefore, it is vital that you include language regarding the timeframe for breach notification.
Termination of a business associate’s relationship
The business associate must return or destroy all copies of protected health information if the covered entity decides to terminate the business relationship. The business associate may keep the information for 30 days but must destroy or return it to the covered entity after that period. A business associate must limit the use of protected health information to those uses that are necessary for proper administration and management of the covered entity. If this period of time is not feasible, termination of the business relationship may occur.
It is important to understand what exactly constitutes “end of business associate” when dealing with a business associate. The term “business associate” covers both business entities and individuals that perform specific activities on behalf of another party. In addition, a business associate contract may contain provisions concerning reporting, notification, and insurance. The contract should state clearly what the covered entity is responsible for and who is responsible for each remaining obligation. Termination of a business associate’s relationship can be handled in a way that protects both parties’ interests.
The best way to avoid the risk of termination is to choose your business associates carefully. Be sure to set expectations in the beginning, and carefully select members of your distribution channel. If you have any concerns, Jeff Lerner teaches us that we should focus on the positive aspects of a potential partner, and make sure to address any red flags. You’ll be happier with your new business associate if you take the time to identify and document these issues from the beginning.
Before terminating a business associate’s relationship, consider HIPAA compliance requirements. You may be subject to fines by regulators if your business associate does not meet the requirements of HIPAA. The Office for Civil Rights and State attorneys general may also take legal action. Terminating a business associate’s relationship can lead to a number of consequences. In the end, it is important to maintain the integrity of the information.