Business Associate Management Strategies

Post Contributed by Alan Davis, Proteus Consulting

Business Associate (BA) management is an important facet of a Covered Entity (CE) HIPAA security program. Yet many BAs are still playing "catch up" to comply with the HIPAA Security Rule updates brought about by the HITECH Act. CEs are now challenging themselves to properly manage their BA relationships as they begin to realize that both parties are directly liable to comply with the HIPAA Security Rule, the Breach Notification Rule, and the applicable portions of the Privacy Rule.

Accurately identifying BAs is the first step to an effective BA management strategy. 45 CFR §160.103 defines what constitutes a BA relationship and provides examples of when a BA relationship is not necessary. Companies subcontracted by a BA that create, receive, maintain, or transmit protected health information are also BAs and must comply with the HIPAA Rules. The work being performed, not the contract or agreement, determines whether a BA relationship exists.

The BA contract, also known as a Business Associate Agreement, is the proper means to articulate the permitted uses of protected health information and to ensure a BA's compliance with the HIPAA Rules. We recommend a "lifecycle" approach to ensure compliance throughout the contract process. Pre-contract due diligence should include a security questionnaire sent to the BA and proof that the BA has completed a current and proper security risk assessment (a BA requirement as of September 23, 2013 per the HIPAA Omnibus Rule). Post-contract controls should articulate how contract compliance will be monitored and include event management procedures. Lastly, the contract should include termination processes and procedures.

Although privacy and security are not a checklist, here are some thoughts to help manage BA relationships:

◦ Evaluate who is and who is not a Business Associate (include BA subcontractors);

◦ Keep track of individual contract dates and formally assign a person to manage the process.  Review each contract at least annually;

◦ Ensure that your contract stipulates in writing that subcontractors will agree to the same data use controls;

◦ All BA contracts need to be updated if not compliant with current HIPAA Rules;

◦ CEs are accountable to report all BA breaches to Health and Human Services (HHS) (including subcontractors to the BA);

◦ Technologies (encryption, firewalls, etc.) do not relieve BAs of compliance with the HIPAA Rules;

◦ BAs may be inspected during a CE Office of Civil Rights (OCR) audit;

◦ 2014 was a record year for HHS collections from non-compliant CEs and BAs.

Breaches are expensive, sometimes even enough to close a practice or supporting company. BAs are responsible for ~25 percent of all incidents and have affected millions of patients; some CEs are uncomfortable becoming more intrusive, and some BAs remain slow to engage with the HIPAA Rules. Both businesses' reputations and revenue are based on patient trust, and all should agree that a formal, compliant BA contract is a responsible part of HIPAA compliance and electronic protected health information security.

– Alan is the Principal of Proteus Consulting, LLC, of Hayden, Idaho.  

Is a Covered Entity Liable For, or Required to Monitor The Actions of Its Business Associates?

Luckily, the answer to this question is a good one for covered entities. Business associates are liable for their own actions and every piece of protected information they are given. The important thing that covered entities need to be sure of is to properly enter into a contract that protects the privacy of protected information.

Monitoring or overseeing the work or actions of business associates is not required nor is it expected. Business associates are wholly responsible for complying with the privacy safety measures spelled out in the contract between the covered entity and the business associate.

The biggest concern a covered entity has when it comes to its business associates is acting upon information or evidence that a business associate is not complying with the contract. If a covered entity neglects to act on evidence it finds or discovers indicating that a business associate is not in compliance with the precautions set out in the contract, then the covered entity can be charged with neglect.

When a breach or violation is discovered, a covered entity is expected to take appropriate action to secure the breach or end the violation. If it is not possible to secure the breach or end the violation, the entity is expected to terminate the contract.

There are several details that cannot be succinctly explained in a short summary; therefore, it is up to the covered entity to make sure it is operating within the policies of the HIPAA laws.

Weren’t Business Associates Already Subject to HIPAA Before September 2013?

Before September 23, 2013, business associates were subject to upholding the provisions of the contracts by which they were governed. That meant the contracts controlled the type, amount, and use of protected information a business associate was able to handle. Now, through the new HIPAA policy changes, covered entities no longer determine the liability of a business associate.

Business associates, through the new policies enforced in September 2013, are now held accountable for all the actions they take that affect protected health information. That means that apart from entering into a contract that is compliant with the new HIPAA policies, a covered entity has no liability when it comes to what a business associate does with protected health information in the course of fulfilling their contractual obligations.

This is good news and bad news for covered entities. It means that covered entities do not need to monitor or dictate a business associate's every move, which makes managing business associates much less labor intensive.

It also means that greater responsibility is placed on the covered entity for the violations and breaches of security that it discovers. A covered entity can be charged with neglect if it discovers or finds evidence suggesting a violation or breach and does not take the appropriate steps to report it.

The largest change that both business associates and covered entities must be aware of is that business associates are now liable for being compliant in all their actions with protected health information.

If you don't know where to start, we suggest learning more about our HIPAA compliance software, which will help you conduct a HIPAA Security Risk Analysis, the cornerstone of a good HIPAA Risk Management plan. This effort should identify gaps in compliance, identify vulnerabilities, and provide reasonable suggestions to remedy the items found. This is the expectation for Business Associates, in addition to signing appropriate agreements with their healthcare clients.

Can A Business Associate Self-Certify or Be Certified By A Third Party As HIPAA Compliant?

Too often there are misconceptions about new laws or policies because too little effort has been made to educate people or to elaborate on the details of the changes those laws or policies bring about.

That is the case with the new HIPAA laws that have been in effect since September 2013. Evidence of this is the overwhelming number of people who are asking for clarification on many of the details of the new changes and restrictions applicable to their organizations.

The question that serves as the title of this post is an example of the many questions that have surfaced since enforcement of the new HIPAA policies began. The answer is simply no: a business associate cannot self-certify or be certified by a third party as HIPAA compliant.

The reason is that the business associate, while performing its paid duties for the covered entity, is subject to exactly the same restrictions and laws as the entity itself. Therefore the business associate is required to be under contract in order to be HIPAA compliant.

So, what must the contract include in order to be compliant under the new HIPAA law?

The contract must make the business associate accountable for the proper use of protected medical information. It must also restrict how the business associate may use that information. Additionally, it must require the business associate to make any health information available to the parties to whom it belongs, as well as to the covered entity.

Apart from these, there are several other details that a covered entity should research and abide by in order to protect itself and comply with the new HIPAA laws.

What’s The Difference Between A Covered Entity & Business Associate?

Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act Privacy Rule applies differently to the two. If you understand the difference, then you understand who has access to your medical data and what they are authorized to do with that medical information.

The HIPAA Privacy Rule protects a person’s medical records and their other personal health information, as well as gives that patient rights to their health information. But it also applies to covered entities and business associates, in that it requires each to follow specific rules and sets restrictions and conditions on the use and disclosure of certain patient information.

Legally, the HIPAA Privacy Rule applies only to covered entities. Covered entities are health plans, health care clearinghouses, or health care providers that electronically transmit any type of health information. Examples are your doctor, hospital, insurance company, and health insurance plan, whether it is a private, employee, state, or federal plan.

But it is common for health care providers and health plans to use the services of other individuals or businesses to help carry out their health care functions. That is where business associates come in.

More specifically, a business associate is an individual or entity that executes particular responsibilities that include the use or disclosure of protected health information in support of, or as a service to, a covered entity. A health plan, health care clearinghouse or covered health care provider could be a business associate for another covered entity, but a member of the covered entity’s personnel is not considered a business associate.

Possible business associates are an attorney, a CPA firm, an independent medical transcriptionist or a pharmacy benefits manager. Services provided by business associates can be accounting, billing, claims processing or data management. And of course, these are just a few examples of each.

Covered entities hold the responsibility for ensuring that their business associates are safeguarding protected health information. The contract between a covered entity and its business associate must be HIPAA compliant, and if a business associate breaches its contract, then it is up to the covered entity to correct that breach or terminate the contract.

Google – A HIPAA Compliant Business Associate?

Last month, Google announced that it will sign a HIPAA Business Associate Agreement (BAA) with organizations that use its Google Apps services: Gmail, Calendar, Drive, and Google Apps Vault.

HIPAA (the Health Insurance Portability and Accountability Act) is a set of laws requiring secure access to identifiable healthcare information. All organizations subject to it must protect specific information, including name, address, health information, and payment records (referred to as "protected health information" or PHI).

The BAA is required when two or more entities share PHI. It outlines the responsibilities of the parties for the security of the information and sets out accountability in case of a breach.

To sign up for the BAA with Google, an administrator must answer the following three questions online:

  1. Are you a Covered Entity (or Business Associate of a Covered Entity) under HIPAA?
  2. Will you be using Google Apps in connection with Personal Health Information?
  3. Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?

After responding, the administrator will be taken to the BAA for review and signature.

If your organization is looking for email, calendar, and document storage that is HIPAA compliant, Google is a great place to start.