Medicare Compliance & Reimbursement

Reader Question:

Don't Forget BAs Are Liable for HIPAA Breaches, Too

Question: We know that our practice must comply with the HIPAA Breach Notification Rule and notify the impacted individuals if there’s a breach. Are our business associates (BAs) liable, too, or are they off the hook when it comes to notifying?

Codify Subscriber

Answer: BAs, just like covered entities (CEs), “have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach,” cautions the HHS Office for Civil Rights (OCR) guidance.

In fact, much confusion exists over the role vendors and BAs play in care delivery and HIPAA compliance. And that’s why OCR released an updated fact sheet, reminding these partners exactly where their liability falls. The list of 10 provisions focuses on the BA’s responsibility to the Rules — and how failure to abide by them leads to OCR enforcement.

Check out the direct liability of BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.

Reminder: Though the HIPAA Breach Notification Rule does apply to BAs and requires them to follow through on the required notification procedures, CEs carry the additional duty of fulfilling other administrative requirements under OCR guidance and HIPAA after a breach.

According to the feds, CEs are held to a higher standard and must follow up after a breach with certain administrative requirements, including written breach notification “policies and procedures;” staff training on the protocols; and “sanctions against” employees who don’t comply with the rules.

Expert advice: Don’t ignore a breach — accept it and follow the policies and procedures, advises attorney Lauren M. Ramos, with McGuireWoods LLP in Richmond, Virginia. “Collect all the facts as quickly as possible, mitigate the damages to [the] greatest extent possible, and loop in legal counsel as early as possible.”

OCR looks favorably on those who comply with the HIPAA breach requirements, Ramos indicates. “Providers should remember that OCR does not investigate every breach, especially small ones. In fact, OCR likely investigates only a small percentage of all reported breaches. Following the correct procedures and reporting a breach does not mean that an OCR investigation is inevitable,” she counsels.

Resource: Find OCR breach notification guidance at www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.