Operational challenges abound in the healthcare industry. This creates opportunities for technology companies, consultants and others to offer supportive services and innovative solutions. Many of those supporting organizations will qualify as business associates under the Health Insurance Portability and Accountability Act (HIPAA). In this post, we explore what it means to be a business associate, the rules that apply, and how proficient compliance keeps regulators away, sustains existing customer relationships, and provides a competitive advantage.
Let’s start with the basics. Covered entities are healthcare providers, insurers or clearing houses that meet HIPAA’s definition of a covered entity and must comply with HIPAA (Covered Entity). Any individual or organization that provides services to a Covered Entity and uses or has access to patient information (aka protected health information or PHI) to provide those services is a Business Associate.
Business Associates come in all forms. Below is a list of examples of types of Business Associates:
- Billing service providers
- Information Technology companies with access to PHI (even if only momentary or supervised)
- Quality Assurance Consultants
- Accountants and attorneys
- Document storage (physical facilities and electronic or cloud storage)
- Accrediting organizations
- Shredding companies
- Collection agencies
Business Associates are subject to certain requirements under HIPAA’s Privacy, Security and Breach Notification Rules. There is no way around these requirements. All Business Associates must comply.
The Business Associate Agreement
The most recognized requirement of a Business Associate is the Business Associate Agreement (BAA). HIPAA requires that Covered Entities enter a BAA with all Business Associates and requires that Business Associates comply. At a minimum, a BAA must obligate the Business Associate to:
- Only use or disclose PHI as permitted in the BAA;
- Take steps to protect paper and electronic PHI;
- Report any unauthorized uses or disclosures of PHI to the Covered Entity;
- Ensure that any subcontractor agrees to the same terms that apply to the Business Associate with respect to PHI;
- Make PHI available for the Covered Entity’s compliance with access, amendment, and accounting requests, if applicable;
- Make its relevant internal practices and records available to the Secretary of the Department of Health and Human Services (DHHS); and
- At termination, return or destroy the PHI or extend the protections in the BAA.
Most BAAs contain these required terms. Covered Entities, however, often add other terms. Examples include cyber liability insurance coverage requirements, indemnification for any issue that the Business Associate causes, additional breach notification obligations, or very narrow timeframes for reporting breaches or potential breaches to the Covered Entity.
It’s critically important that a Business Associate read and understand all the obligations in the BAA. A Business Associate can (and should) negotiate any contract terms that are not required under HIPAA and that are too burdensome on the Business Associate.
Best Practice: Establish a BAA review process to ensure that the Business Associate understands its obligations and negotiates terms that are not required. Also, the Business Associate should consider creating its own form BAA for use with Covered Entities. This will ensure an understanding of the obligations in the BAA and will help protect the Business Associate from more onerous terms that may be in the Covered Entity’s standard BAA.
Good For Business: Every business benefits from knowing and understanding its contractual obligations. Doing so reduces the risk of litigation or other disputes. Finally, a Business Associate that has a clear BAA review process or standard form will only enhance its reputation as a Business Associate that knows and understands HIPAA compliance.
Business Associate HIPAA Privacy Rule Requirements
While not all the HIPAA Privacy Rule regulations apply, Business Associates must comply with several of its provisions in addition to complying with a BAA. The most notable include: (1) making reasonable efforts to limit the use of PHI to the minimum necessary to carry out the task; (2) cooperating with DHHS’ investigations and reviews; (3) not retaliating against an individual for filing a complaint, participating in an investigation or opposing an act or practice that violates HIPAA; and (4) entering into subcontractor agreements and acting when the subcontractor materially breaches that agreement.
Best Practice: It is best to have policies that address compliance and training on the above, especially the minimum necessary standard. Everyone performing work on behalf of the Covered Entity must understand their obligations. It’s also advisable to have an established subcontracting process that addresses vendor due diligence, contracting requirements and monitoring the subcontractor’s activities.
Good For Business: Using the least amount of PHI necessary is a solid business practice regardless of the type of information at issue. It reduces paper and electronic storage costs and, when less data is maintained, there is less data to lose in the event of a data breach. With respect to subcontractors, a Business Associate will be held responsible for the failures of its subcontractors, therefore, it is behooves the Business Associate to vet and keep an eye on all subcontractors.
Business Associate HIPAA Security Rule Requirements
Unlike the HIPAA Privacy Rule, the HIPAA Security Rule imposes the same obligations on Business Associates and Covered Entities. Given the prevalence of security breaches today, compliance with the HIPAA Security Rule arguably is the most important HIPAA requirement. It’s also the most resource intensive. Unfortunately, many Business Associates pay little attention to these obligations.
The HIPAA Security Rule requires that reasonable measures be implemented to protect the confidentiality, availability and integrity of electronic PHI. Below is an over-simplified list of the HIPAA Security Rule requirements:
- Adopt a complete set of HIPAA security policies outlining compliance with the entire HIPAA Security Rule and provide training on the same.
- Conduct an enterprise-wide risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. See A Conversation with IT Direct About the HIPAA Risk Analysis and a recorded webinar on the same subject for more information on conducting a risk analysis.
- Implement a risk management process that addresses identified risks and vulnerabilities and mitigates those risks to a reasonable level.
DHHS’s Office for Civil Rights can initiate an enforcement action against Business Associates directly, and it does so regularly. HIPAA Security Rule compliance failures have resulted in many six, seven and eight figure settlements or penalties against both Covered Entities and Business Associates. See The Crushing Cost of HIPAA Security Rule Non-Compliance for more details.
Best Practice: Do the work. It’s worth the effort. The government offers a free HIPAA risk analysis toolkit here. It can be a bit clunky to use, especially since it is designed for Covered Entities, but it is a low-cost option. There are also IT security vendors who can perform the risk analysis. Be certain to select a vendor that knows and understands HIPAA. As for the policies, if you already have extensive information security policies, they may just require some tweaking to meet HIPAA requirements.
Good for Business: Meaningful compliance with the HIPAA Security Rule will reduce the risk of a security incident. Plain and simple. That’s good for everyone. Additionally, a Business Associate that shows a true understanding of the HIPAA Security Rule and its obligations as a Business Associate will have a distinct advantage over competitors.
Business Associate HIPAA Breach Notification Rule Requirements
Finally, HIPAA’s Breach Notification Rule obligates Business Associates to notify the Covered Entity of a breach. Under the regulation, notification must be made within 60 days of when the Business Associate knew or should have known about the breach. The notice must include all the details the Covered Entity needs for breach reporting. Be aware, however, that the BAA may require more expedited notice or more direct Business Associate involvement in breach response.
Best Practice: Create a process for flagging notification and breach response obligations in BAAs. If the Business Associate uses its own standard BAA, it will be easier to track these obligations.
Good for Business: As noted above, every business benefits from knowing and understanding its contractual obligations.
There are many benefits to embracing HIPAA compliance. First, it keeps regulators away. Second, it’s crucial to a Business Associate’s reputation. If a Business Associate mishandles a Covered Entity’s PHI, it’s likely to lose the customer (and possibly others). Third, compliance enforces sound business practices. Finally, for those Business Associates that can effectively communicate their commitment to compliance, they will have a significant competitive advantage over others.
In a nutshell, complying with HIPAA is good for business!