Top Five Business Associate Questions and Answers
When the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted in 2009, business associates became directly responsible for complying with HIPAA. For example, just like covered entities, business associates are required to implement safeguards that protect the confidentiality, integrity, and availability of protected health information (PHI), the "CIA triad." The CIA triad should be at the center of any healthcare organization's security program.
When the U.S. Department of Health and Human Services (HHS) issued the Omnibus "Final Rule" in 2013, several provisions of the HITECH Act were implemented. As a result, business associates became subject to the same penalties as covered entities. The Final Rule also brought additional scrutiny on covered entities to be sure they fulfilled their obligation to execute HIPAA-compliant business associate agreements (BAAs) with all of their business associates.
Even today, there remains some confusion about business associates, including when an agreement is necessary and what their compliance requirements are. To help clear up some of the confusion, here are the top 5 business associate questions and answers:
Top 5 Questions and Answers
Question: Do you need to have a BAA with a hospital at which you have an outside clinic? Or is it covered under continuity of care?
Answer: A business associate agreement is not necessary with a hospital at which you have an outside clinic. Disclosures of PHI between health care providers for treatment purposes are an exception to the BAA requirement and are covered under continuity of care. However, a BAA is required if the hospital performs functions or activities on your behalf that involve the use or disclosure of PHI, for example if the hospital provides medical transcription services, billing services, or other services for you.
Question: You are updating your BAAs. Several vendors will not sign your BAA and are sending you their own BAA instead. What do you recommend in this situation?
Answer: Under HIPAA, you (the covered entity) are required to enter into a HIPAA-compliant BAA with every vendor that creates, receives, maintains, or transmits PHI on your behalf. When a vendor will not sign your BAA and sends you its own, you must thoroughly review that agreement to ensure it includes all of the elements required by the HIPAA Privacy Rule (45 CFR 164.504(e)). At a minimum, a compliant agreement must include assurances that PHI will be properly safeguarded and must clearly explain the notification procedures the vendor will follow in the event of a breach.
Remember, the vendor is providing services on your behalf, not the other way around. Therefore, you are not required to sign the vendor's BAA (most likely a document its legal or compliance department has put together), and in most cases you can require the vendor to sign yours. The exception is a large vendor (e.g., Google) that will almost certainly not sign your agreement. Such vendors typically have a standard, well-vetted agreement that you can feel comfortable signing once you have confirmed it contains the required elements.
Question: You have received letters from Durable Medical Equipment business associates (BAs) stating that they do not require a signed BAA because they are classified as health care providers and do not qualify as BAs. Would this include laboratories as well?
Answer: Laboratories can be covered entities and health care providers in their own right, and no BAA is needed when you disclose PHI to a laboratory for treatment purposes. However, a laboratory could also be a business associate depending on what services it provides for you. You should require a BAA if the laboratory performs functions or activities on your behalf that involve the use or disclosure of PHI, such as billing services or other functions in addition to its lab services.
Question: When submitting a BAA to a vendor you did not previously have a BAA with, is it a best practice to date it when you began doing business with the vendor, or is the current date OK?
Answer: We recommend documenting both when the BAA was signed and when services began. The BAA must also address its term and termination. If the BA is one you expect to provide services to your organization for a long period of time, we recommend a perpetual agreement that includes "event" language such as: "This agreement shall continue in force so long as any underlying contract between the Provider and Business Associate remains in force." If you expect the BA to provide services for only a short period of time (one year or less), we recommend entering a date that reasonably covers the term of the agreement.
Question: Are business associates required to complete a security risk analysis (SRA) and have a compliance program in place?
Answer: Since 2009, business associates have been required to conduct an SRA and determine how best to implement the required and addressable standards and implementation specifications of the HIPAA Security Rule. Note that "addressable" does not mean optional: for each addressable specification, the business associate must implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate. Business associates must also have a HIPAA compliance program in place that includes all required policies and procedures, workforce training, and so on.
Have additional questions? Reach out to us to schedule a free consultation!