HIPAA Security Requirements for Business Associates

Lee Slaton, Vice President of Healthcare at Smart Training, writes, “Business Associate Agreements can be get-out-of-jail-free cards in worst-case HIPAA scenarios.” A Business Associate Agreement is a document between covered entities and business associates. This document ensures the business associates are compliant with HIPAA.

Are Business Associate Agreements required by HIPAA?

Yes.HIPAA requires Business Associate Agreements.

As a reminder, HIPAA is the Health Insurance Portability and Accountability Act of 1996 requires Business Associate Agreements.Both covered entities and business associates are required to abide by HIPAA. Both are legally required to safeguard protected health information (PHI).

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 expanded HIPAA. The U.S. Department of Health & Services (HHS) enforces HIPAA. In 2009, the HHS developed regulations under the HITECH Act relating to business associates. These regulations cover business associate obligations and Business Associate Agreements.

Business Associate Agreements are required under the HIPAA Security Rule.Not complying with HIPAA can lead to costly fines.

What is a Covered Entity?

HIPAA-covered entities include health plans, clearinghouses, and health care providers. The Centers for Medicare & Medicaid Services has a free tool to help you figure out if your practice is a covered entity.

What is a Business Associate?

With whom do covered entities need signed Business Associate Agreement with? Business associates. A business associate is a person or entity that performs functions for a covered entity that involve the use or disclosure of PHI.

Here are some examples of business associates:

• Medical transcription companies
• Data conversion, de-identification, and data analysis service providers
• Software solutions that touch PHI
• Document storage or disposal companies
• Law firms
• Companies involved in claims processing, repricing, or collections
• Telehealth providers

Whether a company is considered a business associate or not depends on if they are performing business associate activities. If the company needs to access PHI, it’s considered a business associate.Not sure if the person or business is a business associate? Give your regional HHS office a call, and they can help.

Keep in mind that a covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. For example, Jim Moore, Smart Training’s Certified HIPAA Professional, writes of laboratories:

Many times, the lab has told our client that the lab is a Covered Entity under HIPAA, and that a BAA is not required. However, if the lab isn’t actually owned by a healthcare provider, then the lab is not a Covered Entity. Even if it were a Covered Entity, the law specifically states that “a Covered Entity may be a Business Associate of another Covered Entity.” Just being a Covered Entity doesn’t get the lab off the hook.

Jim Moore continues, “If a lab you use will not sign a BAA with your office, find another lab!”

What does my document need to include?

Covered entities can be fined for not having a Business Associate Agreement at all. But an incomplete agreement can also cause a HIPAA fine. Your document must include:

• The types of PHI the covered entity will provide the business associate
• Allowable uses and disclosures of PHI
• Measures the BA must take to protect PHI
• The actions the business associate must take in the event of a PHI security breach
• The HIPAA Security Rule safeguards the business associate must implement
• Timescale and responsibilities for notification requirements (telling the covered entity about a breach)
• Consequences for failing to comply with HIPAA

Your Business Associate Agreement should make the business associate responsible for:

• Inappropriate disclosures
• Reporting breaches
• Financial responsibility for reporting

Is my Business Associate Agreement up-to-date?

Smart Training’s Lee Slaton writes of Business Associate Agreements, “Check the documents and make sure they were written after September 2013, and make the business associate directly subject to the HIPAA Security Rule.”

Can my practice use a document sample?

Your practice can’t use a Business Associate Agreement sample as is. The document must be modified to fit your unique situation to properly address your practice’s relationship with the business associate. You should have different, specialized documents for each business associate to sign.

Will Business Associate Agreements indemnify my practice?

Business Associate Agreements help to indemnify your practice. Indemnify means to secure against legal liabilities. If you do not have agreements in place, your practice can suffer a HIPAA fine.

One of the worst HIPAA fines for lack of Business Associate Agreements took place in 2016. The practice, North Memorial Health Care of Minnesota, also failed to conduct a risk assessment. The covered entity had to pay $1.55 million to the Office for Civil Rights (OCR) to settle the case.

Another example shows that the cost of not having an agreement, without the risk assessment violation, is $31,000.

But does a Business Associate Agreement completely indemnify a covered entity?

No.HIPAA Journal writes,
Unlike most contracts, a HIPAA Business Associate Agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a business associate is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.

The document is still legally required. But it might not completely save you from HIPAA fines. A business associate also needs to conduct a HIPAA risk assessment.

Do Business Associates need to be HIPAA trained?

According to the HIPAA Security Rule, business associates should implement a security awareness and training program. The HITECH Act expanded HIPAA training requirements to include business associates. Business associate training isn’t an option. But there are no specific HIPAA training requirements.

However, business associates are responsible for 22% of HIPAA breaches.The best way to reduce breaches and the risk of fines is to provide in-depth business associate HIPAA training.

Smart Training Helps you Reach HIPAA Compliance

If you need more HIPAA help, Smart Training’s Essentials and Platinum+ provide written HIPAA-compliant Business Associate Agreements. Our Certified HIPAA Professional, Jim Moore, will specialize your Business Associate Agreements at no extra cost.

If you don’t have either of these plans, request a demonstration with our Compliance Officer.

It’s never too late to reach HIPAA compliance, and Smart Training can help.