Periodically we are asked questions about Business Associates and how to handle a breach.
Recently, we were asked the following question:
Under HIPAA concerning Business Associates, if you don't have a Business Associate Agreement (BAA) with a vendor and they generate a breach, are you required to be notified by the vendor of the breach and terminate the relationship immediately?
Below is the response we provided to one of our clients.
Law
Under the HIPAA Privacy Rule [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] a covered entity is required to obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. In other words, a business associate is a person or entity who performs functions or activities that create, receive, maintain or transmit PHI on behalf of, or provide services to, a covered entity.
Further, a business associate agreement is needed if:
- A person or entity creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, such as: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, and practice management.
- A person or entity who provides legal, accounting, consulting, management, administrative, accreditation or financial services where services involve disclosure of PHI to the person or entity.
- A person or entity who will be able to access PHI on a routines basis, and/or there is a possibility that the PHI in the person or entity's custody or control could be compromised. For example, a document shredding company.
Finally, according to HHS:
If a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights. See 45 CFR 164.504(e)(1).
With respect to business associates, a covered entity is considered to be out of compliance with the Privacy Rule if it fails to take the steps described above. If a covered entity is out of compliance with the Privacy Rule because of its failure to take these steps, further disclosures of protected health information to the business associate are not permitted.
HCP's Response
The business associate requirements apply to a person or entityperforming a function involving PHI on behalf of a covered entity or its business associate. If you took reasonable steps to mitigate the potential breach you learned of, and are unsuccessful because of lack of assurances, safeguards, or other potential threats to PHI terminating the relationship is a reasonable option. In fact, HHS clearly states "further disclosures of protected health information to the business associate are not permitted."
If you have any additional questions please do not hesitate to contact us.