HIPAA Updates: Is your practice in compliance?

Part Two: The Business Associate Rules

The new HIPAA regulations significantly expand the law's reach. The law now applies not only to health care providers and health plans, but also directly to their “business associates,” including contractors and subcontractors. In fact, the law can even apply to subcontractors that don’t have a formal business associate agreement with a medical practice or other health care provider.
The law defines a “business associate” as an individual or organization, other than a member of the covered entity's workforce, who provides services that “involve the use or disclosure of individually identifiable health information.” [i]
As a result, companies that are business associates of a medical practice may be audited, and fined, for breaking the business associate rule under HIPAA. These include not only health information exchanges, e-prescribing gateways, and patient safety organizations, but also document storage firms or data centers that host or back up electronic information. Anyone who might encounter patient data can be liable.
As you review the information below and your current practices, please let us know if we can be of help with any compliance questions you might have.
  • Who is liable under the business associate rule?

Medical practices are not liable for the actions of business associates. However, if the medical practice or the health care providers learn of a breach or violation, they are required to take reasonable actions to remedy the breach or end the violation. Those actions can extend to terminating the contract with the business associate or notifying the Department of Health and Human Services Office for Civil Rights.
  • Avoiding liability under the business associate rule

Medical practices need to make sure their contractors all sign business associate agreements that describe the responsibilities of the business associate under HIPAA. Typically these agreements are evergreen, meaning they automatically renew unless the agreement terms specify otherwise. Per the U.S. Department of Health & Human Services website, the following should be included in the written business associate agreement:
    • "Establish the permitted and required uses and disclosures of protected health information by the business associate;

    • Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;

    • Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;

    • Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;

    • Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;

    • To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;

    • Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;

    • At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;

    • Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information;

    • Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements." [ii]  

HIPAA Reviews Available
To ensure that your medical practice is in full compliance with all the requirements of HIPAA and the new regulations, please feel free to reach out to us for a more in-depth discussion.

[i] www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html 
[ii] www.hhs.gov/ocr/privacy/hipaa/understanding
© 2015 Edelstein & Company LLP. All Rights Reserved.