HIPAA Regulatory Alert

Don't wait: Start reviewing BA agreements now

Business associates a liable for breaches as covered entities

Although business associates are now subject to compliance with the HIPAA Security Rule and the use and disclosure provisions of the HIPAA Privacy Rule, as a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act, hospitals should not assume business associates are taking steps to ensure their compliance.

"There is no requirement that covered entities [CEs] police their business associates and make sure they are compliant, but it is in the best interest of both organizations to make sure the business associates have everything in place," says Robert W. Markette, Jr., an attorney with Gilliland & Markette in Indianapolis. "Within the business associate agreement, the CE is asking the business associate to affirm that programs are in place to comply with HIPAA requirements," he says. Most CEs, however, should take the extra step to double-check their key vendors to make sure everything is in place, he suggests. Once the rules are final, there will be a six-month window of time for business associates to finalize their programs to meet requirements; but six months is not a lot of time, he points out.

Business associate agreements should address the role and responsibilities of business associates in a privacy or security breach in more specific language. Address questions such as breach notification requirements and financial responsibility for responding to a breach, says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder and managing director of AP Health Care Compliance Group, which has offices in Pittsburgh and Purchase, NY. "All that needs to be spelled out," she says.

In addition to making business associates subject to compliance with HIPAA requirements, a business associate's subcontractors must also be compliant, points out Patrick. "Business associates must also impose compliance requirements on their subcontractors, and a CE must include that requirement in their agreement with the business associate," she adds.

This is the time to start revising your business associate agreements, suggests Markette. "Although the rules are not final, I don't anticipate major changes from the proposed rules," he says. "Develop a new agreement form, but be prepared to modify it if necessary after the final rule is published," he adds.

Although you need to prepare a business associate agreement that complies with current requirements and anticipated requirements, you don't have to redo all vendors' contracts or agreements at once, says Patrick. "If you are at the point where a new contract is due, incorporate the up-to-date agreement," she says.

Another way to prepare for revision of all business associate agreements is to take a close look at who you have designated as a business associate, suggests Patrick. "I have heard people say that their hospital has 2,000 business associates," she says. "That is an unbelievably high number of business associates," she says. One reason for the high number could be an automatic assumption that all vendors must sign a business associate agreement to comply with HIPAA, she says. "If the vendor does not have access to protected health information [PHI] as part of their job with the hospital, there is no need to classify the vendor as a business associate for HIPAA purposes," she says.

Conduct a risk analysis for your vendors to identify which really accesses PHI, suggests Patrick. "The vendor who shreds your documents definitely should sign a business associate agreement, while the company that cleans your offices probably should not sign one," she says. "Even I've been asked to sign business associate agreements by clients for projects where I have not needed access to PHI to complete the work for the hospital," she points out. By evaluating who is a true business associate, you can cut down the number of agreements you need to track and modify, she adds.

Once you've identified your true business associates, develop a relationship with them that will improve communications during a potential breech, suggests Patrick. (See story above for tips on working with vendors.) "You may not be able to meet with all of your vendors during the year, but you should be able to hold periodic conversations with your high-risk vendors," she says. One way to identify key vendors is to involve department managers who work with different vendors, she says. "This helps prioritize vendors who have the most access to PHI, and it helps educate managers about HIPAA and HITECH regulations and their part in ensuring compliance," she says.

Because CEs have up to 60 days to identify a potential breach, investigate it, and notify affected parties, it is critical that your business associates report their suspicions or discovery of a potential breach as soon as possible, says Markette. "I usually put 'within 24 hours' into the agreements," he says. The business associate may have investigated a potential breach and determined that no information was compromised, but the CE still needs to know, he points out. "If the business associate says there was a breach but the information was encrypted, it is reasonable for the CE to ask for proof that the information involved in the breach was encrypted."

[For more information about business associate agreements and HITECH requirements, contact:

Phyllis A. Patrick, MBA, FACHE, CHC, Co-Founder & Managing Director, AP Health Care Compliance Group. Phone: (914) 696-3622. E-mail: Phyllis@aphccompliance.com.

Robert W. Markette, Jr., Attorney, Gilliland & Markette, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (317) 704-2400 or (800) 894-1243. Fax: (317) 704-2410. E-mail: rmarkette@gillilandmarkette.com.]