Posts Tagged agreement

What Are the Top Three Concerns When Negotiating Business Associate Agreements?

What Are the Top Three Concerns When Negotiating Business Associate Agreements?

Business Associate Agreements (“BAAs”) are a necessary tool for ensuring HIPAA compliance, and the negotiated terms of BAAs are becoming more and more important as we venture into an era of mass cyber attacks and related HIPAA breaches. Covered entities, such a physician practices, are required to enter into a BAA anytime they hire a third-party contractor to perform a service on the covered entity’s behalf if such contractor will require the use of and/or access to the covered entity’s protected health information (“PHI”) in order to perform such service. Examples of potential business associates include accountants, attorneys, billing companies, consultants, and marketing agencies.

Although BAAs contain a large amount of form, standard language, below are my top three provisions to address when negotiating a BAA:

  1. Indemnity. The indemnity provision concerns whether or not the business associate will be responsible for any costs the covered entity incurs as a result of the business associate’s actions. If the business associate violates the terms of the BAA and/or HIPAA and such violation results in a fine, penalty, investigation, claim, etc. against the healthcare provider, the indemnity provision allows the healthcare provider to pursue the business associate and recoup such costs. It holds the business associate responsible for the incident responsible for the associated costs.
  2. Breach Reporting. Every BAA should address how quickly breaches of unsecured PHI, security incidents, and other improper uses and disclosures of patient information will be reported to the covered entity following the discovery by the business associate. I generally recommend no more than a 10-day notice period. The BAA should also specify what information will be provided in the notice, how the business associate will work with the covered entity to address the incident, and, with regard to a breach of unsecured PHI, who will be responsible for the costs of breach notification and who will provide the breach notification.
  3. De-identification of Data. De-identified data is not covered by HIPAA. Thus, if business associates are allowed to de-identify the patient data provided by a healthcare provider, they can use that data for any purpose, including a purpose directly profiting the business associate. For that reason, many healthcare providers disfavor allowing their business associates to de-identify patient data, and either prohibit de-identification entirely or limit the permitted uses and/or disclosures of de-identified data by the business associate to specific purposes (e.g., data aggregation or research).

Although it did not make my top three, seeing as more and more states are developing and expanding breach notification requirements and the obligations surrounding the privacy and security of patient information, the choice of law provision in a BAA is becoming more important. For providers located in Alabama, Alabama should serve as your choice of law—the location where the patient was treated and the location of the generation of the medical information.

Kelli Fleming is a Partner with Burr & Forman LLP and practices exclusively in the firm’s Health Care Industry Group. Burr & Forman LLP is a preferred partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

What is a Business Associate Agreement, and Why Should You Care?

What is a Business Associate Agreement, and Why Should You Care?

Health care providers are primarily concerned with the treatment and wellbeing of their patients. They gather and maintain tremendous amounts of protected health information[1]  (PHI) throughout the treatment process and commonly share that PHI with third parties who assist them with carrying out their work. This process of sharing PHI with a third party, non-workforce member, may create a business associate relationship. With the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, medical practices are now required to identify business associate relationships and enter into Business Associate Agreements (BAAs). Failure to comply can led to heavy fines imposed by the Department of Health and Human Services.

A common challenge to compliance with this regulation is assessing whether an individual or entity falls within the definition of a Business Associate.  To make this determination, medical practices are required to identify third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity, including subcontractors. After documenting this process, an appropriate BAA must be executed to govern the relationship and to protect any PHI.

BAAs are contracts that dictate how a Business Associate must use, disclose and safeguard PHI, as well as the covered entity’s responsibilities to the Business Associate. At a minimum, the BAA must include the following provisions:

  • Establish the permitted and required uses and disclosures of PHI by the Business Associate;
  • Provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
  • Require the Business Associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  • Require the Business Associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  • To the extent the Business Associate is to carry out a covered entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
  • Require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  • At termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the covered entity;
  • Require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and their subcontractors are subject to these same requirements.[2] (DHHS, 2013)

Don’t Think This Applies to You? Think Again!

Business Associate relationships are voluminous in medical practices.  More often than not, the modern medical practice will have multiple relationships that require a BAA. A few examples may include:

  • Tech support for an Electronic Health Record (EHR)
  • Data storage services
  • Repair services for copiers with hard drives
  • Data destruction
  • Cloud hosting
  • CPA firms that provide accounting services
  • Independent medical transcription services
  • Claims processing

Business Associates May Face Penalties as Well

In June of 2016, Catholic Health Services of the Archdiocese of Philadelphia settled with HHS for $650,000 when it was discovered that they may have violated the HIPAA Security Rule. CHCS provided management and information technology services to the nursing home company creating a Business Associate relationship. HHS alleged that the theft of a CHCS iPhone without password protection compromised the PHI of numerous nursing home residents.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Medical practices should be eager to institute BAAs where appropriate as they shift liability to the Business Associate for the inappropriate conduct of the Business Associate. Medical practices should not allow any relationship with contractors to exist without first analyzing the need for a Business Associate Agreement. If not, the medical practice could be required to perform breach notification or pay litigation costs for the actions of the Business Associate. It is paramount that your medical practice attain BAAs when necessary and have a system in place to track them. A proper tracking system will notify you when BAAs expire. Additionally, a proper tracking system will ensure that nothing slips through the cracks.  Understand that if during an audit it is determined that your medical practice lacks the necessary BAAs, has expired BAAs or that they don’t have the required provisions, your entity could be fined for non-compliance with the HITECH Act.

It is important to note that there are a number of exceptions to the Business Associate Agreement requirement that may apply. Some exceptions include conduits, workforce members and janitors. To protect your practice, you should have a qualified professional perform a risk analysis to determine if a BAA is necessary and to fashion a BAA to the specific relationship.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

[1] PHI includes many common identifiers, like a patient’s name, date of birth, address, social security number, full-face photo or any other personal identifiers.

[2] Department of Health and Human Services. (2013) Business Associate Agreement Contracts. Retrieved from https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Posted in: Liability

Leave a Comment (0) →