Keeping up With Business Associate Agreements
HIPAA clearly states providers should have business associate agreements with vendors that receive, maintain, or transmit protected health information,
The Department of Health and Human Services (HHS) has on its website settlement agreements it made in 2016 with covered entities. These entities, found to be in violation of HIPAA, were fined and required to perform corrective action.
Although HIPAA clearly states providers should have business associate agreements with vendors that receive, maintain, or transmit protected health information, one quarter of the 13 settlements listed were related to these agreements. The providers receiving fines either neglected to have a business associate agreement in place or were using those not updated since the Omnibus rule came into effect in 2013.
In many instances, HHS only realized the agreements were not in place after a breach occurred with either the covered entity or business associate. “Several cases end up being brought because the path of investigation starts with a vendor and ends up with a covered entity,” said Kirk Nahra, a partner with Washington DC's Wiley Rein LLP.
As often happens, breaches can open Pandora's Box. For example, during its investigation HHS found that Minnesota's North Memorial Health Care, fined $1.5 million, not only lacked a business associate agreement, but also a risk analysis.
“For someone to be perfect on everything else, but just missed this one thing would be surprising,” Nahra said. “There is often a broader set of HIPAA problems and the investigation is just triggered by the fact there is no business associate agreement.”
There are no good excuses at this point to neglect having business associate agreements in place with your vendors. But providers are clearly still getting tripped up in this space.
Kim Stanger, a partner at Boise, Idaho's Holland & Hart LLP, said it is likely because smaller organizations do not know who does and does not qualify as a business associate. At larger organizations, vendors are probably falling through the cracks or people are entering into relationships without alerting their privacy officer.
Nahra recommends a few measures you can implement to shore up your business associate agreement process. First, centralize your contract process and put 1 person in charge. Random people should not be signing contracts with vendors without having someone checking them to determine if they qualify as business associates.
Next, periodically review your contracts to make sure everyone who should have an agreement does. Nahra has worked with organizations who go through their checks every year and require anyone who was paid for services sign an agreement. He said this is not an ideal way to do things, but at least you will not miss anyone.
Finally, keep all business associate agreements in 1 location and create a process for maintaining them for 6 years after their termination date.
“I am surprised at how often people cannot find them when asked,” he said. “They tell me someone had it, but they do not work there any more so no one knows where it is at.”
Every vendor does not need to know the same things about your patients. As in your office, nurses need some information and the billing staff may need something else. If someone does not need Social Security numbers or other protected health information, do not give it to them. By carving out some data, you may eliminate their need for a business associate agreement altogether.
Use your forms
Some vendors may want you to use their business associate agreements, but whenever possible, use your own. If they insist, make sure their agreement entails all of the points required under HIPAA.
Aside from simply having a business associate agreement in place, a trend in the industry is to perform some due diligence on vendors before, and while, working with them. Nahra said there are a couple of ways to handle this.
One is through front-end due diligence. You can have vendors fill out a privacy or data security questionnaire when you are vetting them.
You can also monitor them on the back end. This, however, is more difficult and costly. Instead of tracking all of your vendors, for example, you might want to consider choosing the 5 biggest vendors or a handful of vendors that deal with the largest amount of information and check with them to make sure they perform an annual risk assessment.
In spite of this trend, this policing is not required by HIPAA. And Stanger advises his clients against the practice. If you take on the task of reviewing a business associate's practices and do not do a good job, you could be liable if a breach occurs. Also, a covered entity is responsible under HIPAA for helping rectify a business associate's violation or terminate their contract. Finding one will just increase your own cost and burden with the vendor.
“I am cautious about advising covered entities to actively get copy of policies,” Stanger said. “Under HIPAA, all they have to do is get an associate to sign an agreement so it doesn't place the burden on the entity to be the police.”