A requirement of the Health Insurance Portability and Accountability Act (HIPAA) that should not be ignored is the business associate agreement. “Say a doctor has a security breach. If the government comes in to investigate, they will ask to see the business associate agreement,” said Kirk Nahra, a partner with Wiley Rein LLP. “If you don’t have one, it makes it look like you don’t care about this stuff and that makes it worse.”
If an audit is done and health care providers have at least some kind of agreement on file, the providers would likely have an easier time with auditors because it shows some effort was put into following the rules, according to Nahra. Fortunately, business associate agreements are among the easiest requirements with which to comply, he said.
Who is an associate?
All vendors or subcontractors that create, receive, transmit, or maintain patients’ protected health information are subject to the agreements, including technology vendors who have information stored on the cloud even if they don’t plan to access the information.
Large organizations may have a lot of vendors that may need coverage, but small groups may only have 2 or 3 vendors, Nahra said. It is important to consider groups like a billing service, an accounting firm that may be dealing with outstanding claims, and technology companies that could have remote access to your computers.
Ron Rawson, a privacy officer at Saint Louis University, recommends going through contracts and weeding out people who don’t have access to patient information. Send agreements out to anyone who does have access.
Rawson said entities with access to information that would not need agreements include: state or federal government agencies, which receive data you report for registries; courier services that transport sealed documents; medical laboratories; and other physicians.
Build a template
Business associate agreements can be built as part of a vendor contract, but Rawson said it is more practical to offer them separately. This way, if the service contract changes over time, the business associate agreement will remain in effect.
The HIPAA Omnibus rule required that, as of September 2013, business associates are legally liable for complying with HIPAA; it is no longer the responsibility of the physician to ensure vendors comply. However, Nahra said this change shouldn’t lull physicians into a false sense of security.
“Now a consulting firm is regulated by these rules,” he said. “If you fail to have a contract, they have to follow theirs, but you are still violating the rules by not having one.”
Some vendors, like an accountant, may not know they need an agreement so they may not have them on file. Their contracts also may not be complete or hit all of the points a physician needs.
There are at least 2 topics not required to be in business associate agreements that physicians should address. First is the disclosure of information. Most physicians will want to limit the use of patient information, and any restrictions on data disclosure need to be spelled out in the agreement.
“If there is a consulting firm that wants to give advice to other people and use your data, you have to make it clear that they can’t use it,” Nahra said. “A vendor’s agreement may give more rights to that information than what they [providers] want.”
The second area to note is breach reporting. This isn’t required to be spelled out, but should be in case data are ever released inappropriately.
Points to touch on include:
- when the vender should notify you in case of a breach
- who is responsible for notifying patients
- Who will be responsible for the cost of a breach