HIPAA Business Associates Agreements

Healthcare IT Firms Need to Be HIPAA-Compliant

In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), business associates (vendors and their subcontractors) of a HIPAA covered entity (hospitals, medical practices, health insurance providers, etc.) must enter into contracts to assure that business associates appropriately safeguard protected health information.

A good example of a Business Associates Agreement can be found at the UT Health Science Center.

Health and Human Services specifically defines a Business Associate as:

“A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”

Clearly, directly contracted business associates, such as an EHR (electronic health record) provider, will be careful to meet or exceed what is required under the HIPAA Security Rule and will provide evidence of this to a covered entity. This does not, however, make the covered entity totally compliant. As a covered entity, it is your responsibility to make certain that all of your Business Associates and their subcontractors do the same. As an example, you may have a relationship with attorneys who represent your entity and to whom you must provide PHI (Protected Health Information) in certain situations. You must have a signed Business Associates Agreement with them. The attorney, in order to be compliant, must have performed a Security Risk Assessment and must have Business Associates Agreements with any subcontractors that may create, receive, maintain, or transmit PHI. A cloud storage vendor is a good example of such a subcontractor.

There Is Strict Liability for Vendors

It is typical that less sophisticated business associates have not met the requirements of the Security Rule. Unfortunately, there is no free pass.

Under the statute, HIPAA business associates are now directly liable:

  1. for impermissible uses and disclosures of protected health information;
  2. for a failure to provide breach notification to the covered entity when unsecured protected health information is lost or inappropriately accessed;
  3. for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
  4. for a failure to disclose protected health information where required by the Secretary of the Centers for Medicare & Medicaid Services (“CMS”) to investigate or determine the business associate’s compliance with the HIPAA Rules;
  5. for a failure to provide an accounting of disclosures of protected health information, and last, but far from least, for a failure to comply with the requirements of the Security Rule.

There is far more for a business associate to consider than what I have stated here. A manager or business associate owner must contact an attorney or a HIPAA compliance expert to be sure that their business is completely in compliance. What is most important for a covered entity to understand is that the entity is ultimately responsible for ensuring compliance with HIPAA, and for any breach of PHI by the entity or its Business Associates.

If your medical practice is in need of HIPAA-compliant IT support and IT consulting, Magnet Solutions Group can help you meet your technology goals safely.