The definition of a Business Associate (BA) changed under HIPAA 2.0 to broaden both the scope of who is considered a BA and exactly what a BA is obligated to do for compliance. While the changes seem obvious and not too complicated to implement according to those who wrote the Omnibus Final Rule, the rest of us, actually in the trenches, know the real story.
In the past, the small provider segment has been lax in managing its BAs. Many of these relationships are between small businesses and have been in place for years. In some cases, these relationships go back to before HIPAA regulations existed. I know I have had relationships with many of my clients since before 1996 when the original law was written. There is a great deal of trust that all parties are always going to do what is “right”. Because of all that trust and those long-term relationships, all BAs should step up now and get their compliance plan up and running. Those folks need your help in order to keep doing business with you, legally.
It is certainly comforting to see the Omnibus Final Rule clearly state that more guidance concerning BAs is expected as the industry implements these changes. With so many gray areas and BA relationship chains, there will certainly be a great deal of confusion. But none of that changes the compliance requirements in place today.
So what do you do now? Here are some suggestions I urge all Covered Entities (CEs) and their BAs to review and discuss with each other.
- CEs, BAs and potential BAs should review and understand the new definition of a BA. Those details are included at the end of this list for those who need to review them. Document every decision you make in the process. Decisions about who to include and who not to include are important to record, so that you can reference your reasoning from today when you are asked about it years from now.
- Both CEs and BAs must get their Business Associate Agreements (BAAs) updated and sent out for signature to all of their BAs. Yes, CEs can be BAs, and BAs can have other BAs. Everyone needs to sign a contract. Each contract must be at least as stringent as the one before it in the chain. So, a CE sends a BAA that includes set requirements for uses and disclosures. All contracts the BA signs with other BAs to do the work for the CE must carry at least the requirements in the CE’s BAA (BOY, that’s a lot of acronyms. You might need to read this one again, slowly).
- If you are a BA, then accept that fact and take action now on your compliance requirements. Your CE clients have a lot more on their plate to deal with besides nudging you along. Keep in mind that a CE is obligated to stop doing business with your company if you are not going to commit to compliance.
- If you aren’t sure whether you are a BA, then figure it out now. Don’t wait for someone to tell you. We offer a simple questionnaire to help you determine your status. If you have any question about whether or not the regulations apply, please get legal advice. Keeping properly compliant is a time-consuming effort, so don’t do it unless you need to for your business. If you are a BA, however, you must be compliant in order to keep your HIPAA clients.
- If you are a CE, start checking on your BAs right now. If you have a vendor that you know is a BA but they don’t want to become compliant, there are very specific steps you need to follow in order to protect your compliance status:
  - Take reasonable steps to cure the problem with the BA and bring them into compliance.
  - If the BA still doesn’t comply, you must terminate the business contract on HIPAA compliance grounds.
  - If there is no other entity that can provide the service the non-compliant BA provides, you must report them to HHS.
For those who have missed it, what does the new definition of a BA include?
- Any person or entity who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity
- The term “subcontractor” is now defined as a person to whom a Business Associate has delegated a function, activity, or service that the Business Associate has agreed to perform for a Covered Entity or another business. Those subcontractors are now required to sign a Business Associate Agreement with the Business Associate, because a subcontractor is also a BA.
- It also specifically states, as an example, that a data storage company, whether digital or hard copy, qualifies as a Business Associate even if it does not view the information or does so only on a random or infrequent basis.
- Business Associates are separately and directly liable for violations of the Security Rule and of the portions of the Privacy Rule that apply to them.
- A person becomes a Business Associate by the definition of the activities and relationship of the Business Associate, not by entering into a Business Associate Agreement. Therefore, liability applies to a Business Associate’s activities even if no Business Associate Agreement is in place.
- Covered Entities and Business Associates must obtain and document satisfactory assurances from their Business Associates through a written contract or other agreement, such as a memorandum of understanding. Each agreement in the Business Associate chain must be at least as stringent as the agreement above it in the chain with respect to permissible uses and disclosures.
A high percentage of breaches reported to HHS continue to involve BAs’ failure to protect information and CEs’ failure to monitor them. It stands to reason that this area will be subject to more enforcement once these rules are out of the grace period, if not before.
In the next article I will continue with more details on the Plan of Attack for HIPAA 2.0. If you need help getting this done, contact us and look at some of the options we offer for Compliance Assistance.