Home Health & Hospice Week

HIPAA:

Don't Risk Fines By Overlooking HIPAA BA Agreements

Warning: Your agency's small size won't save you from HIPAA penalties.

If your medical records vendor gets caught violating patient privacy laws, you'd better make sure you have a business associate agreement in place to protect you.

In the news: Recently, the HHS Office for Civil Rights required the Center for Children's Digestive Health, a small provider operating from seven Illinois locations, to fork over $31,000 in fines for a “potential violation” of HIPAA due to a missing business associate agreement (BAA) with Filefax, a third-party vendor, dating back as far as 2003, a release says.

The corrective action guidance suggests the lack of a BAA was discovered by the feds during a “compliance review” in 2015. That’s the same year Filefax was making news by being named in an Illinois Attorney General lawsuit for dumping patient records illegally, according to the Chicago Tribune. The physician practice in that case followed HIPAA breach protocol, including notifying its patients who were affected.

That violation doesn’t appear to have affected CCDH’s case. But “CCDH impermissibly disclosed the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining Filefax’s satisfactory assurances, in the form of a written business associate agreement,” the resolution agreement stated. CCDH’s situation was avoidable, but the firm failed to protect its patients’ privacy because it never followed up on the vendor’s execution of a BAA.

Nuts and bolts: Business associates and their subcontractors maintain PHI and ePHI just as your agency does. The level of their interaction with your agency depends on the complexity of the service they provide. A BA is someone who performs one of these five services for a covered entity, suggested Ryan Boggs, a manager in IT advisory at BHG in Charlotte, North Carolina, during a session at HIMSS17 titled “Managing Risk As a Business Associate:”

  • Legal work
  • Accounting
  • Billing
  • Transcription
  • Claims processing

Review: When you have identified an entity as a BA, you “must execute written contracts … to make sure they safeguard PHI according to HIPAA standards,” explains Jo-Anne Sheehan, senior instructor with Certification Coaching Org., in Oceanville, New Jersey. “Business associates must do the same with any of their subcontractors who can be considered business associates.”

Tip: When you’ve got a signed BAA on file, it binds the entity to HIPAA — so make sure you get them signed, if law allows, before sharing PHI. “Business associates are subject to most of the same privacy and data security standards that apply to covered entities, and may be subject to HHS audits and penalties,” Sheehan says.

But how broad is the “business associate” label? Does it expand to your office’s cleaning service? “Business associate agreements include organizations that may create, receive, maintain, or transmit health information,” notes HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems in Charlotte, Vermont. Because your cleaning staff is not accessing health information in any way, they won’t typically be considered “business associates.”

An implemented BAA protects you if a breach occurs. Moreover, because of the costs, both financial and personal, that arise from a violation, using a BAA to enforce HIPAA compliance is a complicated undertaking in its own right. That’s why it is important to know the difference between a BAA and a confidentiality agreement.

Reasoning: “The cleaning staff should be under a confidentiality agreement but not necessarily a business associate agreement,” Sheldon-Dean advises. “If you start asking your cleaning staff to look in the waste baskets and bring you any pieces of paper that have health information as kind of a compliance check, then they are doing something with PHI on your behalf and they’d be a business associate.”

Warning: This type of contract protects you should an accident or theft happen, but it does not completely discharge you from liability. The language of the confidentiality agreement “puts the company on the hook if it should breach its obligations with respect to confidentiality,” says attorney Kathleen D. Kenney of Polsinelli in Chicago. “Most third parties with access to PHI will meet the definition of a business associate, but in the rare instances where they do not, having contractual protections in place puts a provider in a better position.”

Kenney adds, “But this certainly does not absolve the provider from its own obligations to ensure safeguards as OCR will only look at the provider if an incident occurs and the third party does not meet the definition of a business associate.”

A BAA protects you and your agency up to a point, which is why it’s important to thoroughly vet your BAs and analyze and manage the risk from the get-go. “Essentially, it’s your brand. If something happens at a third party, it’s your news,” reminded Rodney Murray, principal in IT Advisory at BHG, in the HIMSS17 session.

Best bet: Protect your agency from any missteps a BA makes by getting a signed BAA on file.

Note: HHS-OCR guidance on constructing BAAs is at www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
