Onus is on you to determine business associates under HIPAA
With more vendors qualifying as business associates under the Health Insurance Portability and Accountability Act (HIPAA), some covered entities are wondering just where the responsibility lies for making that determination and ensuring compliance. The consensus is that the healthcare provider must take that responsibility, partly for its own protection.
The final HIPAA rule broadened the definition of business associates to include subcontractors, data transmission companies, personal health record providers, and entities performing patient safety activities that have access to protected health information (PHI). The new definitions will be effective on Sept. 23, 2013. (For more on the new definitions, see the HIPAA Regulatory Alert included in this issue.)
Providers cannot wait for business associates to make their own determination because an incorrect conclusion leaves the healthcare provider at risk, says Kimberly Short Kirk, JD, an attorney with the law firm of Moore & Van Allen in Charlotte, NC. "A party becomes a business associate by definition — their function and what they do — and not what they decide," she explains. "I wouldn't wait for parties to self-identify. You will not be helped later on by saying that the vendor declared themselves not a business associate and so you did not take the steps to make sure they were handling PHI properly."
Don't make the mistake of assuming that vendors take HIPAA as seriously as you do and are acting in good faith to determine if they are business associates, cautions Eric D. Fader, JD, an attorney with the law firm of Edwards Wildman Palmer in New York City. Too many vendors have avoided making a valid determination and opted instead to "just stick their heads in the sand and keep saying they're not business associates," Fader says.
"It's a dangerous strategy because if there is a data breach, everybody is going to potentially get in trouble anyway under HIPAA," Fader says. "I advise my healthcare clients to enter into business associate agreements [BAAs] with all of their outside service providers who might have access to protected health information. It's really just cheap insurance so that in the event of a breach you can show the government that you took every step to ensure that you were meeting your obligations."
Fader points out, however, that signing a BAA does not make a vendor a business associate if they're actually not one in the opinion of the Office of Civil Rights (OCR). Signing a BAA even when the vendor might not be a business associate does no harm and could eliminate some worry, Fader says.
Conversely, a vendor that OCR considers a business associate is subject to the privacy rules whether it signs a BAA or not, notes Robert D. Belfort, JD, a partner with the law firm of Manatt, Phelps & Phillips in New York City. Avoiding the agreement is not a path to immunity, he says, and risk managers might need to point that out to vendors who are reluctant to sign.
Existing BAAs must be revised to reflect the HIPAA final rule by Sept. 23, 2014, and most amendments will require mutual consent, Belfort says. "Hospitals should have a master list of all their business associates and they should be working to have each of those properly amended by that deadline," he says. "If there are arrangements with data storage companies that were not considered business associates, those will not appear on your master list. That process also should include determining what agreements you had with those vendors and completing their agreements by the deadline."
The provider must take the reins when determining business associates because the OCR will hold it ultimately responsible for failures by a vendor, says Bob Janacek, chief technology officer with DataMotion, a secure data delivery provider in Morristown, NJ. "The covered entity can be held liable when a business associate or subcontractor is not compliant, so that means the provider should have visibility all the way down the chain," he says. "There is risk, a long tail of risk, because the protected health information originated with them. The provider should know who is touching that information and how."
Janacek points out that providers might be comfortable with the HIPAA compliance program of the first vendor in the chain, but the subcontractor might have fewer resources or understanding of HIPAA obligations. Each additional subcontractor might be less and less able to protect PHI.
"As those companies get smaller and smaller down the line, they're going to look to the provider for guidance and resources," he says. "They may not even be aware of the need to comply with HIPAA. They may consider themselves in a different business altogether and not even consider that they are obligated to comply with HIPAA."
• Eric D. Fader, JD, Counsel, Edwards Wildman Palmer, New York City. Telephone: (212) 912-2724. Email: email@example.com.
• Robert D. Belfort, JD, Partner, Manatt, New York City. Telephone: (212) 830-7270. Email: Rbelfort@manatt.com.
• Kimberly Short Kirk, JD, Attorney, Moore & Van Allen, Charlotte, NC. Telephone: (704) 331-3524. Email: firstname.lastname@example.org.
• Bob Janacek, Chief Technology Officer, DataMotion, Morristown, NJ. Telephone: (800) 672-7233. Email: bobj@