What About Business Associates and Business Associate Agreements?

What Is a Business Associate?

If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you already have at least one Business Associate (BA). BAs are the companies that help health providers perform activities that involve the use or disclosure of PHI. By law, any BA, health provider, person, or business must comply with privacy and security rules (see security and privacy rules section) when disclosing PHI. They must have an agreement signed called a Business Associate Agreement (BAA).

What Is a Business Associate Agreement (BAA)?

As defined in the U.S. Health Insurance Portability and Accountability Act of 1996, A HIPAA Business Associate Agreement is a legal contract between a HIPAA Covered Entity (CE) and BA. The BAA should detail:

1. The respective role and responsibilities that a health provider and a hosting company have regarding protecting PHI.
2. The ways in which both parties will be held liable for any breaches, so if one member violates the terms of the agreement, the other has legal recourse.

Do I Need BAAs?

Business Associate Agreements (BAAs) satisfy HIPAA regulations. They safeguard sensitive personal data and records of patients by making both health providers and their BAs responsible and liable for proper storage and transmission. If you use any outside entity to assist with your ePHI or EMR, including a hosting company, you must have a BAA signed with that organization.

Remember, simply having a BAA doesn’t mean your responsibilities related to HIPAA are complete! You and your BAA should have clearly defined what type of actions they take to protect data. Health providers and their BAAs cannot excuse liability by claiming they shouldn’t have to follow HIPAA regulations if proper actions are not taken to safeguard patients’ data. If a BAA is not issued, it’s incomplete or is violated, then both associates may find themselves in a lot of trouble with HIPAA.

What Does a Good BAA Look Like?

A good BAA protects both the health provider and the Business Associate in the event of a breach. It’s important that your BAA uses proper legal language. If only one party is responsible for a breach of PHI, then a BAA should clearly hold that party responsible. The first thing that a good BAA must include is an acknowledgment that the entity issuing it is obligated to HIPAA regulation. Your BAA must also include an acknowledgment that the entity signing is obligated to HIPAA regulations.

Selecting a Compliant Business Associates

What should you consider when selecting a BA?

Does your BA:

• Have documentation to show they are a HIPAA Compliant Business Associate?
• Use software that has been 3rd-party audited for compliance? (See security and technical requirements)
• Have a track record of serving their clients without breaches to PHI?

The Cost of Noncompliance

“Your practice, not your Electronic Health Record vendor, is responsible for taking the steps needed to comply with HIPAA privacy & security standards.” – THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY

HIPAA violations come with hefty fines. Noncompliance can come with a penalty of up to $1.5 million. These monetary penalties motivate facilities to operate in full compliance with HIPAA and hold accountable those who don’t. Penalties are based on the severity of the violation and the facility’s knowledge of the noncompliance. While that might lead you to think that it’s better to claim non-knowledge of a breach if it occurs, you are responsible for reporting breaches as promptly as possible according to HIPAA.

The Four Tiers of HIPAA Violations:

1. Unaware violators: Facilities can receive penalties ranging from $110 to $55,010 per violation if they couldn’t have reasonably been aware of a breach.
2. Reasonable cause: The penalty ranges from $1,100 to $55,010 per violation if the violation is not deemed willful neglect.
3. Willful neglect is corrected: If a violation is due to willful neglect but is corrected in a timely manner, the penalty ranges from $11,002 to $55,010 per violation.
4. Willful neglect not corrected: If a violation is due to willful neglect but is not corrected in a timely manner, the maximum penalty of $55,010 per violation applies.

Learn more and refer to the HHS bulletin

To comply with HIPAA criteria it’s important to know what PHI must be protected. Laws require health providers and BAAs to protect both past and present patient data to qualify for reimbursements under the Affordable Care Act (ACA). Medical facilities and practitioners must also:

1. Comply with EHR rules
2. Allow patients to obtain access to their EHR in most circumstances