Many companies have recently begun receiving Business Associate Agreements from healthcare entities, including hospitals, clinics, physician offices, public health facilities and similar types of organizations. A Business Associate Agreement, a contract required under HIPAA and the HITECH Act, enables healthcare organizations to legally work with outside service providers. The agreement covers information that a business may have accessed or could access in the provision of services. This information includes not only actual medical information relating to patients, but also their names, addresses, Social Security numbers and other identifiers, all of which are protected by HIPAA/HITECH.
The Office of Civil Rights, the governmental entity which enforces HIPAA/HITECH, has published a draft Business Associate Agreement on its website (OCR.gov), and most healthcare entities use either this draft agreement or something very similar. However, unless you are familiar with the rules and requirements of HIPAA/HITECH, the Agreement itself does not make clear the obligations placed on you as a Business Associate once it is signed.
Before assessing your obligations as a Business Associate, you should first determine whether or not this label is being properly applied to your services. HIPAA Business Associates are those entities who access, or could access, individually identifiable patient information as part of the services they provide. If all you do is provide the phone lines for the hospital, then your company is a conduit and is not considered a BA. If you provide internet access but no direct technical support, that is also covered by the conduit exception. If you provide cleaning services, the service itself does not require access to data, so you are not a Business Associate. However, if you provide technical support, access the provider’s systems, provide cloud-based storage, perform data destruction, or could access individual patient information at any point, even by accident, then you are considered a Business Associate.
Under the Rules released in 2013, Business Associates are now liable for any privacy or security breach which may occur regarding the information within their control. Not only is the Business Associate responsible for the breach and any damage which might result from it, the Business Associate also has to carry out all of the HIPAA/HITECH assessments required by the rules. Among other things, this requires that:
- You must have a named privacy officer for the company;
- You must have a named security officer for the company;
- You must complete a full security audit with periodic updates;
- You must have policies and practices in place, including administrative safeguards, to address privacy and security issues;
- You must provide a log and audit trail for information access;
- You must have employee training on these items; and
- You must have an employee disciplinary plan in place for HIPAA/HITECH breaches.
Failure to have any of these items in place can lead to significant liability for the Business Associate. Further, Business Associates bear liability for any subcontractor they engage. The Office of Civil Rights has indicated that it will be auditing Business Associates over the coming five years, beginning in 2015, to determine compliance with all of the technical requirements of HIPAA/HITECH. OCR has also indicated that, because Business Associates are typically for-profit entities, it anticipates larger fines and greater enforcement action against Business Associates than against their not-for-profit counterparts, such as hospitals or clinics. Several fines for hospitals or similar organizations have exceeded a million dollars and have included significant responsibilities under a corrective action plan.
For anyone covered by HIPAA/HITECH, the recent pilot audit program by OCR, as well as prior audits, indicates that the most common privacy issues are failure to grant appropriate access, failure to comply with the minimum necessary standard (the standard that requires you to release only the limited amount of information sufficient to answer the question), and failure to obtain proper authorizations.
Perhaps more problematic for Business Associates are security concerns, including failure to perform a risk analysis, and issues relating to media storage and disposal, where media are not properly encrypted while stored or are disposed of without proper destruction. Recently OCR issued a $1.2 million fine to Affinity Health Plan, based in New York, for the inappropriate re-sale of copy machines which still contained patient identifiable information on the copier hard drives. Failure to provide proper audit controls and to track information used or accessed is also a significant issue in many OCR complaints. Even simple items have resulted in big issues. Failure to apply a security patch in a timely manner can lead to a breach. At Idaho State, the firewall was not put back up after standard maintenance, leaving information exposed for over 10 months. Although the information was not improperly accessed, Idaho State self-reported and was fined over $400,000.
As a business owner, you need to be aware that “business as usual” will probably not be appropriate for your role as a Business Associate. You need to implement policies which highlight your HIPAA/HITECH obligations, provide for appropriate employee training and, in many instances, dovetail your policies with those of the covered entities you serve, in order to maintain appropriate HIPAA compliance and to limit your liability for fines and other damages.