HIPAA Business Associate Compliance
HIPAA Business Associate Compliance is a Minefield
In February 2013, the Final Omnibus Rule introduced measures relating to HIPAA Business Associate compliance. The Rule not only redefined what a Business Associate (BA) was, but made portions of the Privacy and Security Rules directly applicable to BAs, applied provisions within the HITECH Act to BAs, and stipulated that BAs must have written Business Associate Agreements with their subcontractors.
In late 2016 – almost four years after the Final Omnibus Rule was enacted – the California Healthcare Foundation funded research into HIPAA Business Associate compliance. In the compilation of the “Business Associate Compliance with HIPAA” report, researchers conducted telephone interviews with sixteen Covered Entities ranging in size from small physician offices to large integrated health systems.
The researchers focused on the number and size of contracted BAs, the types of services performed by BAs, the “sophistication levels” of BAs, and the Covered Entities' efforts to conduct due diligence on BAs and oversee HIPAA Business Associate compliance. It is important to note that, in California, BAs may also be covered by the state's Confidentiality of Medical Information Act (CMIA).
Many Covered Entities Do Not Understand what a Business Associate Is
One of the key findings was that many Covered Entities do not understand what a Business Associate is. Although it was excusable that larger Covered Entities could only estimate how many BAs they contracted (due to multiple relationships originating throughout their organizations), many adopted a “better safe than sorry” approach to HIPAA compliance.
Some Covered Entities insisted that every business with which they had a relationship sign a Business Associate Agreement, irrespective of whether it was likely to come into contact with Protected Health Information (PHI) or not. In one case, a Covered Entity had its landscaper sign a Business Associate Agreement because it was conceivable the landscaper could come into contact with PHI.
Several Covered Entities required other healthcare providers – who were also Covered Entities and who were receiving PHI for their own treatment or healthcare operations purposes – to sign Business Associate Agreements, even though the PHI would be incorporated into the receiving Covered Entity's records and would not be returned or destroyed at the expiration of the Agreement as such an Agreement requires.
Smaller Business Associates have Lower “Sophistication Levels”
What was not surprising in the report was that smaller BAs and those that are newer to the healthcare industry (e.g. software vendors) are less likely to be familiar with their obligations under HIPAA and the Final Omnibus Rule. While larger, more sophisticated BAs may have a specific officer or team dedicated to HIPAA Business Associate compliance, smaller BAs do not have the same level of resources.
However, despite complaining that “PHI is just data to information technology vendors”, few Covered Entities put a great deal of effort into establishing Business Associate compliance with HIPAA. The reasons given included a lack of resources, time pressure, and provisions within the Business Associate Agreement allowing the Covered Entity to revisit the Agreement if due diligence concerns arise.
The oversight of Business Associate compliance with HIPAA was even more lax. Most Covered Entities interviewed for the report either did not audit their BAs at all or focused solely on their compliance with the requirements of the HIPAA Security Rule. Only a few said they had asked to see the BA's HIPAA-required risk assessments, or its policies and procedures in the event of a breach of PHI.
Find Out More about HIPAA Business Associate Compliance
Since the enactment of the Final Omnibus Rule in February 2013, Covered Entities have been responsible for breaches of PHI by their BAs. Therefore, it is essential that every Covered Entity understands what a Business Associate is, investigates each BA's “sophistication level”, conducts due diligence on the BA, and oversees the BA's compliance with HIPAA.
To find out more about HIPAA Business Associate compliance, what qualifies a business as a Business Associate, and what should be included in a Business Associate Agreement, do not hesitate to download our free HIPAA Compliance Guide – a sixty-four page guide covering the majority of topics Covered Entities need to know in order to be compliant with HIPAA.