Tip: Ensure your business partners know how to respond to a breach. You may feel like you’ve mastered HIPAA because you’ve implemented strong policies and procedures at your organization. But, if your business associates (BAs) don’t adhere to the same level of compliance that you do, then it can all be for naught. Why? Though BAs are directly liable for certain violations of HIPAA and the HHS Office for Civil Rights (OCR) can bring enforcement actions against them, covered entities (CEs) still shoulder the bulk of the blame. In fact, OCR offers guidance that outlines which “party is ultimately responsible for satisfaction of various responsibilities and patient rights” while “defin[ing] the legal liability boundaries between entities,” explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Where the BA is not responsible, the hiring entity is.” Essentially, in its guidance on BAs’ direct liability for violating HIPAA, OCR “puts the covered entities on the hook for making sure their business associates are providing services on their behalf according to the rules,” Sheldon-Dean warns.
And that’s where the business associate agreement (BAA) comes into play and remains a critical tool for CEs. If your partners, vendors, and subcontractors are creating, receiving, maintaining, or transmitting protected health information (PHI), you need an ironclad BAA.
For example, consider OCR’s current focus on the Right of Access provision. With a BAA in place, a CE can require the BA to provide a patient with a copy of their records, and OCR can bring enforcement actions if the BA doesn’t comply. However, if the BA charges the patient an exorbitant fee for processing the ePHI, the CE is liable. “The HITECH Act does not apply the fee limitation provision to business associates,” OCR reminds. “A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity,” the agency cautions.
Maximize Your BAA With This Federal Insight
If you think your BAs won’t notify you after a violation or data incident, you’re not alone. “Not only do a large percentage of CEs believe they will not be notified of security breaches or cyberattacks by their BAs, they also think it’s difficult to manage security incidents involving BAs and impossible to determine if data safeguards, security policies, and procedures at their BAs are adequate to respond effectively to a data breach,” OCR says. Creating a BAA can be a daunting task, but the feds offer some helpful tips to get you started with the process.
Here are six steps to add to your HIPAA compliance and BAA planning to-do list, according to OCR guidance:
Step 1: Determine Your BA’s Role
One of your first goals in BAA creation is to define your vendors’ and partners’ obligations and activities, including how and for what purpose they’ll use or disclose PHI/ePHI, OCR maintains. This is important so that your BA can report to you any patient data use or disclosure that’s not defined in the contract, including breaches of unsecured PHI and any security incidents. In addition, you’ll need to discuss HIPAA provisions such as the availability of ePHI in a designated record set, minimum necessary standards, and staff training.
Step 2: Hammer Out a Breach Reporting Timeline
You’ll need to set a timeframe on how quickly you expect your BAs to report a breach, security incident, or cyberattack. Keep in mind that CEs are liable for untimely breach reporting to affected individuals — and that includes OCR and the media. Rule of thumb: The quicker the violation is reported, the faster a CE or BA can respond, OCR points out. Reporting an incident rapidly can help minimize damages caused by the security incident, protect and prevent further loss of ePHI, preserve evidence for forensic analysis (if necessary), and regain access to and secure your IT systems.
Step 3: Design an Incident Response System
Not only should you negotiate a reporting timeframe in the BAA, but your BAs and subcontractors need to know what they’re required to document in the breach or security incident report they create for you. Your partners should include the following in their reports, OCR says:
Step 4: Mandate Training on Breach Reporting
CEs and BAs alike should train their workforce members on HIPAA compliance, from protecting PHI/ePHI to breach reporting.
It is especially critical that employees feel safe to report a violation or data security incident to curtail the breach’s impact and increase the chances of timely resolution — and this kind of education as well as retraining after an incident needs to be in the BAA.
Both CEs and BAs should “train in incident management, top to bottom,” Sheldon-Dean recommends. “Staff need to feel like they are empowered to report their suspicions of information security incidents, the handling of incidents needs to be clearly defined, and top management needs to understand the impacts of incidents and the necessity to prevent them as reasonably practicable.”
Step 5: Conduct Security Audits on Your BAs
Ideally, you want to investigate the HIPAA track record of your BAs and partners before you enter into business with them. But if that’s not possible, you should conduct security audits and assessments regularly to evaluate their privacy and security practices, OCR advises. You may want to add these check-ups to the BAA as a requirement or vet your partners as part of your annual risk analysis.
Step 6: Include a Termination Clause
Sometimes things don’t work out, and you may cease to work with a BA or change EHR vendors. Before that happens, you’ll need to have protocols in place to figure out what to do if the BAA is terminated. The contract must include whether the BA is going to retain and safeguard PHI/ePHI, return it to you via a predetermined means, or destroy the materials, OCR says.
Resource: Review OCR guidance at www.hhs.gov/sites/default/files/hipaa-cyber-awareness-monthly-issue-4.pdf?language=es and www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.