Are business associate agreements really important?
Let’s explore the question in the blog below. First, let’s take a look at three HIPAA fines imposed by the Office for Civil Rights (OCR) in 2019 and 2020.
- In 2019, two organizations paid more than a million dollars for not signing business associate agreements:
  - Cottage Health paid $3 million, and
  - Sentara Hospitals paid $2.17 million.
- In June 2020, the OCR penalized another covered entity for a similar violation. Lifespan will pay $1,040,000 as a penalty and must ensure that all of its business associate agreements are in place within 90 days.
What you need to know about business associate agreements
What is a Business Associate Agreement (BAA)?
Under US law, all healthcare providers need to follow the Health Insurance Portability and Accountability Act (HIPAA) if their work involves patients’ protected health information (PHI).
If a covered entity wants to outsource its work, it needs to follow certain rules set by HIPAA. Activities or functions involving protected health information can be outsourced only if –
- The vendor has been classified as a business associate, and
- You have signed a business associate agreement (BAA) with the vendor.
Disclosing PHI to a business associate
A covered entity can disclose PHI to a vendor only after receiving satisfactory assurance about how the vendor will use the PHI. The assurance must be in written form. Vendors need to assure that they will –
- Use the PHI only for the purpose for which they have been engaged,
- Safeguard the PHI from misuse, and
- Help the covered entity comply with its obligations under the Privacy Rule.
Business associate subcontractor agreements
Vendors must follow the same rules when subcontracting their work.
- The vendor must sign a business associate agreement with the subcontractor.
- The agreement must contain the same assurances that the business associate gave to the covered entity.
The three HIPAA rules apply to the subcontractors of business associates as well. Subcontractors must follow the same standards as business associates, and neither may use the PHI for purposes not covered by their business associate agreement.
The agreement needs to be in place before any disclosure of PHI happens. Failure to have a signed business associate agreement with a business associate is a HIPAA violation, and covered entities, business associates, and subcontractors can all be penalized for it.
Exceptions to business associate agreement standards
HIPAA allows a few exceptions to the BAA rule. No such contract is required if you are disclosing the PHI to –
- Health care providers for the treatment of an individual,
- A health plan sponsor, or
- Health plans and agencies, where the activity is authorized by law.
The OCR considers the agreement a written assurance from the vendor. By signing the contract, the vendor assures that it has
- Conducted the required risk assessment, and
- Put in place all necessary protections.
What should business associate agreements include?
As per the HIPAA rules, the business associate agreement must
- Describe how the business associate can use the PHI, specifying both the permitted and the required uses of PHI.
- Provide that the business associate will not use or further disclose the PHI other than as permitted or required by the agreement or by law.
- Require the business associate to protect the PHI from inappropriate use or disclosure.
- Require the business associate to report HIPAA breaches to the covered entity.
- Include assurance from the business associate that it will return or destroy the PHI upon termination of the contract.
Business associate agreements between business associates and their subcontractors must follow the same rules. The OCR can take action against business associates for failing to address a breach or violation by their subcontractor.
How to comply with the BAA standards?
Before you hire a vendor, figure out if it should be labeled as a business associate. You should label a vendor as a business associate if the job involves creating, disclosing, maintaining, receiving, or transmitting PHI on your behalf.
Next, you’d want to find out whether the vendor can comply with HIPAA. Ask the vendor to conduct a risk assessment of its systems and to put a risk-management plan in place.
The next step is signing a business associate agreement with the vendor. Remember, all of this must happen before you begin disclosing PHI to the vendor.
But why go through all this trouble? Because it helps establish liability in case of a data breach. Unless a signed business associate agreement is in place, the OCR can hold covered entities liable for HIPAA violations committed by their business associates.
Penalties for not signing a BAA
Covered entities can also be penalized for not signing business associate agreements with their business associates. Here are some more examples in which covered entities were fined for carelessness with business associate agreements.
- North Memorial Health Care of Minnesota paid a fine of more than $1.5 million for not signing a written agreement with its business associate.
- Care New England Health System paid nearly $400,000 for failing to update its business associate agreement with its business associate.
How often should you update your BAA?
The case of Care New England underlines why covered entities must review and update their contracts with vendors regularly. As per HIPAA, you must change your business associate agreement if
- HIPAA regulations have been updated, or
- Your relationship with the business associate has changed.
Under the law, the final responsibility of protecting a patient’s PHI rests with the covered entity.
Direct liability clauses and indemnity provisions
In case of a serious breach, the OCR will scrutinize the business associate agreement closely. If the business associate is at fault, the OCR will hold the business associate liable. But in cases of serious negligence, the covered entity could be fined too.
That’s why you must ensure that your business associate agreement with your vendor is well-drafted. Be very specific. It should include language that indemnifies you against your vendor’s mistakes. The contract should spell out how you interpret permitted and accepted use of PHI.
Moreover, be very specific about the vendor’s legal liabilities under the three HIPAA rules. Pay special attention to important issues such as –
- Reporting breach incidents,
- Risk analysis and the risk-management plan,
- Providing timely service to patients who ask for a copy of their PHI or for an amendment to it,
- HIPAA training for employees, and
- Compliance documentation.
Business associate agreements should have become the norm by now. Unfortunately, that is still not the case. A vendor saying that it is HIPAA compliant is not enough. Even if it is a cloud service or your email service provider, you need to have a business associate agreement with it.
If you have any queries about business associate agreements, please post your queries in the comments section below.