Establishing clear business associate agreements is important for not only remaining HIPAA compliant, but for adequately safeguarding patient PHI. -Sara Heath, HealthIT Security
In 2016, the Office for Civil Rights (OCR) put a spotlight on business associates (BAs) affected by the Health Insurance Portability and Accountability Act (HIPAA). “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity,” according to the U.S. Department of Health and Human Services. To maintain compliance during daily workflows and random audits, covered entities (CEs) and BAs must understand their rights and responsibilities under the HIPAA Privacy Rule on a granular level.
The OCR notes that under the HIPAA Privacy Rule a BA cannot block or terminate a provider’s access to PHI, for any reason. If, for instance, a CE is behind on its payments, the BA has no legal right to revoke the CE’s access to its PHI. Let’s explore this relationship further:
Understand the Responsibilities of Healthcare Business Associates
Technically, the HIPAA Privacy Rule only holds CEs liable for compliance activities. However, it does allow covered entities to share protected health information (PHI) with certain outsiders known as BAs. BAs (e.g., legal, accounting, consulting, data aggregation, management, and financial services firms) are required to use the information only as permitted and described in the binding agreement with the CE—this includes a written contractual obligation to uphold the standards outlined in the HIPAA Privacy Rule.
To clarify responsibilities of BAs, the OCR offers a post under its FAQ section. BAs can have critical access to PHI from a data management standpoint. Third-party vendors are often hired to store, transmit and manage protected health information for covered entities in the healthcare industry, and under HIPAA Privacy Rule 45 CFR §164.502(a)(3), BAs may use or disclose PHI per their legally binding arrangement and as the law requires.
In real-world scenarios, this means a BA cannot:
- Willfully withhold information from the covered entity as a form of consequence or punishment
- Use PHI in a way inconsistent with the outlines of a business associate agreement (BAA)
- Destroy PHI, unless clearly described as part of a data cleanup, aggregation, or other redundancy-eliminating activity
If a BA fails to make satisfactory assurances to the covered entity or reneges on its agreement, it will face penalties. In 2016, the OCR pursued its first action against a BA in Pennsylvania. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) provided management and IT services as a business associate to six skilled nursing facilities. An unencrypted smartphone with no password protection was stolen onsite in 2014, and the theft exposed 412 private patient records across the six nursing homes. CHCS paid a penalty of $650,000 for violating HIPAA’s Security Rule, due to insufficient policies. (The Security Rule governs electronic protected health information.) The case clearly illustrates the need for all covered entities and business associates to understand their rights and responsibilities under HIPAA before entering into a business arrangement.
Create Clear Business Associate Agreements
Since many BAs transmit, store and handle electronic PHI (ePHI), a comprehensive agreement can help protect ePHI while maintaining HIPAA compliance. According to HIPAA regulations, every business associate agreement must include the following:
- A PHI use description. Every agreement must contain clear and complete information about access to PHI and how the business associate will use the information.
- A nondisclosure agreement. All business associates must agree not to disclose or use PHI except as permitted by the agreement or as the law requires.
- An outline of PHI safeguards. The business associate needs to list safeguards in place designed to protect PHI from inappropriate disclosure or use.
- An outline of the business associate’s responsibilities. Business associates must voluntarily disclose any PHI breaches, comply with OCR audits, and respond to covered entity requests for PHI within a reasonable time.
While many basic BA agreement templates exist online, including on the Department of Health and Human Services’ website, healthcare organizations and business associates can take their contracts one step further and hire a HIPAA compliance attorney before agreeing to the terms of a BAA. The Health Information Trust Alliance (HITRUST) created the HITRUST Business Associate Council to help healthcare vendors and covered entities discuss the process of creating a business associate agreement—use this resource to your advantage.
Prepare for Business Associate Audits in 2017 and Beyond
A business associate agreement builds the foundation for a strong partnership between associates and healthcare organizations. In 2016, the OCR relaunched an audit program that chooses covered entities and business associates at random. Business associates may face penalties for violations found during the investigation. Covered entities may also face penalties, depending on the situation.
Auditors specifically look for security risk analysis and management programs, technology-based systems and services, security accountability, data privacy measures, and documentation for all of the above. To reduce the possibility of noncompliance issues, covered entities and business associates should clarify breach protocols, including in-house audits and reporting.
Optimize PHI Security as a Business Associate
Current regulations add pressure on BAs to protect ePHI at all costs. HIPAA penalties can cost a company hundreds of thousands of dollars. With an ever-expanding cyber threat landscape, every business associate needs to consider in-house policies for ePHI security. Since many BAs handle PHI both online and offline, they must be fully aware of the requirements of the HIPAA Security Rule, which governs electronic PHI.
Business associates are responsible for protecting data in motion and data at rest. As a service provider, business associates should use HIPAA compliance as a launching pad for creating a more secure operating environment, in general. Encryption, security-driven data storage, firewalls, and automated log management activities offer multiple benefits as part of both compliance practices and enterprise-wide information security strategies.
BAs: Keep HIPAA Compliance in Mind Moving Forward
As more healthcare organizations rely on business associates to perform business-critical activities on their behalf, the need to align data privacy efforts becomes increasingly important. Creating legally binding contracts, maintaining open channels of communication, and implementing proactive security programs reduces the risks for all stakeholders. HIPAA compliance activities between both parties serve as the foundation for a risk management strategy.