Here are six things physician practices can do to stay HIPAA compliant and avoid enforcement action over a deficient business associate agreement.
Most likely your physician practice has a HIPAA privacy notice posted and uses some form of Business Associate Agreement (BAA) with third parties. However, carelessness about HIPAA compliance has recently been the source of significant settlements between federal regulators and organizations that failed to meet HIPAA requirements. Every covered entity should therefore take a careful look at its HIPAA compliance and confirm that all legal requirements have actually been satisfied, not merely that documents exist.
Recently, federal regulators entered into a $400,000 HIPAA settlement with an organization that acted as a business associate to various covered entities. Although the investigation stemmed from a properly reported HIPAA breach, when investigators were provided with requested HIPAA documentation they determined the form of BAA being used was outdated and did not incorporate all of the revisions required under the HIPAA Omnibus Final Rule.
This settlement and similar recent ones should be a warning to covered entities, such as physician practices, to take a closer look at their HIPAA compliance to be sure the documentation in place can withstand an investigation. Some of the steps to take to prepare for such an investigation include the following:
1. Make sure you have a procedure in place to identify all business associates with which the practice does business. Do you know how a "business associate" is defined? In general terms, it is any person or entity outside your workforce that creates, receives, maintains, or transmits protected health information (PHI) on the practice's behalf. Make sure that the list of business associates includes lawyers, accountants, consultants, IT companies, billing companies, and others who might have access to PHI.
2. Do you have a BAA with everyone on the list of business associates? If not, it is essential that a BAA be executed immediately. Whether your form of BAA came from counsel, a colleague, or an online source, take the time to ensure it is updated with the latest requirements. Talk to your counsel if you are uncertain.
3. If your practice has a BAA in place with business associates, how old is the form that was used? The requirements for BAAs have changed, and each covered entity is responsible for making sure its documents are updated or replaced. Do not rely on counsel or other third parties to "remind" you when these forms need to be updated.
4. To the extent that your business associates subcontract any services involving PHI, you should also confirm that an updated BAA has been executed between the business associate and each subcontractor.
5. Make sure that your practice has a policy to periodically update its business associate list and to review changes in the law that may require replacement or amendment of existing BAAs.
6. It is also advisable for the practice to review and revise its written HIPAA Privacy and Security Rule policies and procedures. This includes designating one or more individuals responsible for ensuring that BAAs are signed before any PHI is disclosed. These policies and procedures should be distributed to the workforce, and appropriate workplace training should be provided.
Physician practices face many regulatory requirements at both the state and federal level. However, having a proper policy in place that makes HIPAA a priority can have a significant impact, legally and financially, should the practice be audited or face a HIPAA claim. A few straightforward steps can give your practice an effective process for withstanding any HIPAA audit or investigation that may occur.