A colleague recently shared a news release about a physicians’ group that was hit with a $500,000 fine. The fine wasn’t a result of fraud, a misfiled prescription, or malpractice, as one might expect. Instead, the physicians’ group simply failed to have business associate agreements in place.
This led me to wonder two things. First, how common is it for people to go through eight or more years of school to become a doctor without fully understanding HIPAA? And second, if practitioners realize the importance of protecting patients, do they understand what they can put in place to protect themselves as the practitioner?
Who is protected by a Business Associate Agreement?
Business associate agreements, known as BAAs, are legally binding documents that outline how PHI will be handled between the covered entity and the business associate and who is responsible should a breach occur. This agreement is what can protect your business and you as a practitioner should a business associate experience a breach. Today, we’ll look at who business associates are and how they differ from a covered entity as well as who needs to have a BAA and what happens if one isn’t in place.
What is a Business Associate Agreement and What Does it Do?
A business associate agreement is a legally binding document that establishes parameters for what is and is not allowed pertaining to the use of PHI between two organizations that handle it. For example, a pharmacy and a software company or a doctor’s office and a document storage company.
Do Business Associate Agreements Expire?
No, they do not expire. Once BAAs are in place, they are valid unless a regulatory rule change occurs. The last requirement change occurred in 2013 when HHS updated their HITECH requirements. HHS gave 18 months’ notice for BAAs to be updated and implemented. However, some facilities may not have complied with this change, so it’s important to check any active BAAs. If they were created after September 2013 and include the revised/new HITECH requirements, they should be in good shape. It should be noted that, for a BAA to be effective, it needs to be signed and dated by both the business associate and the covered entity. To obtain a free copy of a BAA, please visit the R.J. Hedges website.
What is a Business Associate and how is it Different from a Covered Entity?
These terms and what they entail can get confusing, so let’s look at how the HHS defines them:
“Business Associate – A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity. A member of a covered entity’s workforce is not one of its business associates. A covered entity may be a business associate of another covered entity.”
So, what does that definition actually mean? If you hire a company or a person who is not a W-2 employee and who, in the course of their work, accesses, uses, distributes, or otherwise handles PHI, that company or person is considered a business associate and should have a BAA in place. Examples include delivery companies, shredding companies, software or IT companies, accounting and billing companies, call centers, and even 1099 employees.
“Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage.”
This means that companies that transmit data directly to a health plan are considered to be a covered entity. Examples of covered entities include a physician’s office, pharmacy, Blue Cross/Blue Shield, or NSC. Covered entities do not need a BAA as they are constantly sharing information and are expected to protect said information.
If you would like to view more of the official definitions, check out the Department of Health and Human Services (HHS).
Who Needs to Have a Business Associate Agreement?
While the HIPAA Privacy Rule outlines how PHI can be used and disclosed, the HIPAA Security Rule outlines what safeguards must be in place to protect PHI. In other words, the HIPAA Privacy Rule requires business associate agreements to be in place, and the HIPAA Security Rule requires the BAA to state that the business associate will “implement administrative, physical and technical safeguards that reasonably protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of the covered entity”.
Business associates include:
- 1099 employees
- Accrediting bodies
- Answering services/messaging services
- Delivery companies
- EHR/EMR companies/consultants
- Hosting servers
- IT companies
- Medical billing/coding companies/consultants
- Mobile apps and texting services
- Patient safety organizations
- Point of sale systems
- Practice management software
- Nursing homes, personal care homes, adult communities, assisted living communities
- Shredding services
- Staffing agencies
- Website development companies
What Happens if You Don’t Have a Business Associate Agreement in Place?
Failing to have BAAs in place is like playing with fire; you might get lucky, but you can easily get burned. There are three potential outcomes:
- Absolutely nothing happens; it’s only a problem if you’re caught or run into an issue.
- HHS sends you a hefty fine.
- A breach occurs by one of the companies that should’ve had a BAA, your business is now in the news, and you’re responsible for any exposed PHI.
Though it’s possible that nothing will happen, this could be a very expensive risk to take:
- A Florida contractor physicians’ group was fined $500,000 after sharing protected health information with an unknown vendor without a BAA in place
- A business associate was forced to pay a $100,000 fine despite it being closed
How Can BAAs Benefit Practitioners?
You’re researching a new partner for your facility. You’ve checked references and received a recommendation from a colleague. They’re licensed, insured and bonded. Do you need to have a business associate agreement? The answer is always yes. There are many things outside of your control, and any number of the following can happen in your facility or to any of your business associates:
- Dishonest employees
- Improper disposal
- Lack of training
- Lost or stolen devices
- Third party disclosures
- Unauthorized release
- Unencrypted data
- Unsecured records
It’s best practice to follow the rules and send BAAs to all of your business associates.
I’m a firm believer in, “Do what you do best and contract the rest.” If you’re unsure of how to stay on top of regulatory changes or are unsure if your policies, procedures, training, documents and BAAs can pass muster, contact a consultant to do the heavy lifting for you. The R.J. Hedges & Associates HIPAA Compliance Program has over 70 policies and procedures and an additional 75 support documents. These support documents include the NOPP, disaster recovery plan, risk analysis, risk assessment, breach assessment and workforce classification for PHI access. This program comes with business associate agreements that have stood up in the light of breaches. If you already have a program in place and want to see how compliant you are with HIPAA rules and regulations, feel free to take our free HIPAA Assessment.