During our most recent webinar Business Associates 101: Everything you need to know about Business Associates and HIPAA Compliance Programs we received 10 questions during our Q and A session. Below are the questions and answers we provided for each of those questions. Following the questions and answers, we have included 5 Things to Do Now that are mentioned on our final slide of the webinar.
10 Questions and Answers
- Question Do you need to have a BAA with a hospital that you have an outside clinic at? Or is it covered under continuity of care?
Answer A business associate agreement would not be necessary with a hospital you have an outside clinic at. For treatment purposes, this is an example of an exception and would be covered under continuity of care. However, you could ask for an agreement to be in place if the hospital performs certain functions or activities that involve the use or disclosure of PHI, such as if the hospital provides medical transcription services, billing services, or other functions on your behalf.
- Question You are updating your BAAs. Several vendors will not sign your BAA. They are sending you their BA agreement. What recommendations do we have in this situation?
Answer Under HIPAA you (the covered entity) are required to enter into a HIPAA compliant BAA with your vendors who create, receive, transmit or maintain PHI. When vendors will not sign your BAA and send you their BAA, you must thoroughly review the agreement to ensure it includes all elements specified in the HIPAA Privacy Rule. As we mentioned in the webinar, OCR will hold you the covered entity ultimately responsible. A compliant agreement must include assurances PHI will be properly safeguarded and in the event of a breach, all required notification procedures must be clearly explained.
Remember, the vendor is providing services on your behalf and not the other way around. Therefore, you are not required to sign their BAA (most likely a BAA their legal or compliance department have put together) and could require them to sign your BAA. In fact, we recommend including indemnification of Covered Entity language such as:
Business Associate agrees to indemnify and hold harmless, to the extent allowed by law, the Covered Entity, its officers, employees, and agents (individually and collectively "Indemnitees") against any and all losses, liabilities, judgments, penalties, awards, and costs (including costs of investigations, legal fees, and expenses) arising out of or related to:
A breach of this Business Associate Agreement relating to the Obligations and Activities required by Business Associate; or
Any negligent or wrongful acts or omissions of Business Associate or its employees, directors, officers, subcontractors, or agents, relating to their HIPAA Privacy and Security requirements, including failure to perform their Obligations and Activities under this Business Associate Agreement.
- Question You asked if a BAA requires an indemnification clause and if so, should it be capped?
Answer The HIPAA Omnibus Business Associate Agreement (BAA) that we have available in our forms section includes important language for both Covered Entities and Business Associates. We added an indemnification of the Covered Entity section:
Business Associate agrees to indemnify and hold harmless, to the extent allowed by law, the Covered Entity, its officers, employees, and agents (individually and collectively "Indemnitees") against any and all losses, liabilities, judgments, penalties, awards, and costs (including costs of investigations, legal fees, and expenses) arising out of or related to:
A breach of this Business Associate Agreement relating to the Obligations and Activities required by Business Associate; or
Any negligent or wrongful acts or omissions of Business Associate or its employees, directors, officers, subcontractors, or agents, relating to their HIPAA Privacy and Security requirements, including failure to perform their Obligations and Activities under this Business Associate Agreement.
We also added a sentence regarding Uses and Disclosures by Business Associate:
Business associate agrees to make uses and disclosures and requests for protected health information consistent with the Covered Entity's minimum necessary policies and procedures.
For more information please click on the following link to access our article titled: New and Improved Business Associate Agreement. In this article, we discuss Indemnification of Covered Entity, Permitted Uses and Disclosures by Business Associate, and recommendations for the revised business agreement.
- Question What is LEIE?
Answer LEIE is the acronym for OIG's List of Excluded Individuals and Entities.
For more information please click on the following link and access an article we recently published titled: Managing Business Associates to Ensure Low Risk
- Question You have gotten letters back from Durable Medical Equipment BAs that state they don't require a signed BAA because they are classified as a Health Care provider and don't qualify as a BA.
Wouldn't laboratories fall under this too?
Answer Laboratories can be covered entities and health care providers. However, laboratories could also be business associates depending on what services they provide for you. You would want to ask for a BAA if the laboratory performs certain functions or activities that involve the use or disclosure of PHI, such as if the laboratory provides billing services or other functions on your behalf (in addition to their lab services).
- Question You asked where we got the statistic in our webinar that stated: 87% of BA's have had multiple security incidents in the past two years.
Answer Here is the study that produced that statistic: Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data (Ponemon Institute, May 2015). The Ponemon Institute surveyed 90 covered entities and 88 business associates to arrive at their findings.
Remember, under the HIPAA Omnibus Rule, security incidents are presumed to be reportable data breaches unless healthcare organizations demonstrate through a four-factor assessment that risks are low.
- Question When submitting a BAA to a vendor you didn't previously have a BAA with, is it a best practice to date it when you began doing business with the vendor, or is the current date ok?
Answer We recommend documenting when the BA was signed and when services began. The BAA must also include a termination date. If it is a BA you intend on providing services for your organization for a long period of time, we would recommend including "event" language such as this agreement shall continue in force so long as any underlying contract between the Provider and Business Associate remains in force. If you intend on the BA only providing services for a short period of time (1 year or less), then entering a date that reasonably covers the "term" of the agreement, is our recommendation.
- Question You asked what is meant by "Category" in the first column on the BA spreadsheet.
Answer This is where you can document if the entity you are doing business with is a Business Associate or a Vendor. After listing all of the entities that you may consider to be business associates, ask yourself the four questions on the Decision Matrix. At that point, you can put either Vendor or Business Associate in column one of the spreadsheet.
If you find that some of the entities are Vendors, you may want to consider reviewing the confidentiality agreements that you've had them sign. We have a Sample Vendor Confidentiality agreement in the Forms Library as well. Here is a link to that form: (Sample) Vendor Confidentiality Agreement.
If you choose to use our Corporate Plus Program (click on the hyperlink) that we discussed during the webinar you would then upload your Vendor and Business Associate information for us to check through the OIG's List of Excluded Individuals and Entities (LEIE). Once uploaded, the system would check these entities as well as your staff members against the LEIE on a monthly basis.
- Question You asked how you can access the presentation after the webinar.
Answer The link to the recorded webinar will be published in your Insider Newsletter next Wednesday, the 18th of May.
- Question How do I access the Business Associate & Subcontractor Spreadsheet?
Answer Here is the hyperlink to the Covered Entity Business Associate Audit Spreadsheet.
5 Things to Do Now
- Use the Business Associate Decision Making Matrix and Audit spreadsheet
- Review your BA Agreements and update as needed (conduct phone audits as necessary)
- Upload your Business Associate Agreements to the Website (using your Corporate Plus Program)
- Ensure that your Breach Notification process in your BA agreement is written in a clear and easily understandable manner.
- Make sure your implemented Policies and Procedures are in line with Federal Guidelines see your HIPAA Security Training.
If you have any questions please do not hesitate to contact one of our professional consultants: by email at support@healthcarecompliancepros.com or by phone at 855-427-0427.