Complying With New Business Associate HIPAA Rules: 4 Changes to Know

When the HIPAA Omnibus Final Rule went into effect in March 2013, one of the most significant changes to HIPAA Privacy and Security Rules involved "business associate" (BA) agreements, and the rules that govern the relationship practices have with BAs.

Failure to properly follow these new rules governing agreements with BAs can lead to substantial penalties that have the potential to ruin a medical practice's reputation and cripple it financially.

Here are four changes practices should know about, and what they need to do to reduce their risk of exposure to penalties.

1.BAs can now be held directly liable for HIPAA breaches - but this doesn't protect covered entities.

Under the revised rules, a BA can now be held directly liable and subject to civil and criminal penalties for committing HIPAA violations. Individuals or companies considered BAs (which can include IT service providers such as my company and many others; see below to learn how the definition of BA has expanded) should be taking a number of steps to become compliant with the Omnibus Final Rule - steps practices need to know about, as is discussed in #4.

These steps include:

• Conducting a risk assessment of the methods used to protect patient health information (PHI);

• Developing and/or revising policies and procedures based upon that analysis to ensure HIPAA compliance is maintained;

• Training staff members on HIPAA rules and the BAs responsibility to protect PHI; and

• Entering into BA agreements with applicable subcontractors (see #3 to learn more about the changing responsibility of subcontractors)

While BAs can now be held directly liable, this rule change does not mean practices are no longer liable for improper use or disclosure of PHI by the BA, says John Morrone, Esq, an associate with Frier & Levitt in Pine Brook, N.J.

"Some covered entities [CE] may now have a false sense of security that because HIPAA reaches directly to the BA, they are not as culpable as they once were," he says. "In fact, a BA that's negligent or worse in handling PHI can cause significant liability to the CE. This makes it incredibly important to have a well-drafted BA agreement."

Not only is a practice statutorily required to have a BA agreement with any organization or individual PHI is disclosed to, the BA agreement should serve other purposes. It should clearly delineate the reporting obligations of the BA, in the event of a HIPAA violation, to the practice so the practice can comply with its reporting requirements to the government and affected patients.

"Another important element we put into all of our BA agreements is an indemnification provision that should the BA be responsible for causing a data breach, it is financially obligated to compensate the CE for the costs of responding to a breach," Morrone says. "These amounts can be fairly significant. It can cost hundreds of thousands of dollars just to do the reporting that's required under federal law."

2. The definition of BA has changed.

Under the revised rules, the definition of BA has been completely reworded. A BA now includes any vendor that creates, receives, maintains, or transmits PHI on behalf of a CE, even those that do not access PHI. BAs can now include organizations involved in patient safety activities, health information organizations and PHI data storage companies.

With this expanded definition, practices should determine whether any existing contracts should be replaced with BA agreements. In addition, practices should also review existing BA agreements. It is a common practice for BAs to request inclusion of a clause that removes themselves and their subcontractors from liability under HIPAA. A practice should now strongly object to its inclusion since BAs are now liable under the new rules.

3. The definition of BA has expanded to include subcontractors.

Subcontractors are now considered a BA of a practice if it has access to the practice's PHI. Practices would be wise to request information on these subcontractors, and research them as if the practice were contracting directly with the subcontractor.

Practices should require its BAs to ensure any subcontractors it may engage on its behalf that will have access to the practice's PHI agree to the same restrictions, conditions and requirements that apply to the BA with respect to such information.

Practices should also include in its BA agreement a stipulation that requires BAs to receive approval from the practice prior to engaging any new subcontractors that will have access to the PHI.

4. Practices must take steps to confirm its BAs follow HIPAA.

If a practice delegates duties to a BA, the practice now has a responsibility to confirm - to the best of its ability - the BA is handling those duties in conformity with HIPAA rules. There are a few steps practices should take.

Practices should request and review copies of the BAs risk assessment, and the policies and procedures developed to ensure the BA maintains HIPAA compliance. This should include the policy and procedure that states the practice will be notified if a breach occurs.

Practices should request information about a BA's HIPAA training program. Practices should also request a copy of a BAs cybersecurity insurance, which is designed to mitigate losses from a variety of cyber incidents, including data breaches.

While it is critical to take these steps to confirm a BA's services are HIPAA compliant, it is perhaps even more important for practices to perform careful due diligence on the companies it is considering as partners.

"The fines for not complying with HIPAA are as high as $1.5 million," Morrone says. "Having a well-drafted BA agreement can go a long way, but with so much at stake, CEs must carefully choose those companies they are engaging with to handle PHI."