Are your business associate agreements up to date with the latest HIPAA requirements?

The Omnibus Final Rule implementing HITECH made several changes affecting Business Associate (BA) agreements. While Sept. 23, 2013 was the compliance deadline for most obligations under the Final Rule, some agreements enjoy a grace period and may not need to be updated until September 2014. Take the opportunity now to make sure you haven’t overlooked any issues concerning your BA agreements, and set up a procedure so that, going forward, you have an up-to-date BA agreement with every entity you do business with for which the law now requires one.

We’ll help you check your existing arrangements with outside entities, understand how the September 2014 grace period works, and ensure that your BA agreements comply with the latest changes.

Resources for BA Agreements

HHS’s Sample Business Associate Agreement

HHS Guidance on Business Associates

Omnibus Final Rule:

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, Jan. 25, 2013, Federal Register, Vol. 78, No. 17, pages 5566-5702

What is a BA agreement?

A BA agreement is a written agreement between a covered entity and another entity performing some function on its behalf that involves protected health information (PHI). The agreement typically describes the function to be performed, the uses of PHI permitted under the agreement and the BA’s obligations under HIPAA to properly safeguard the PHI.

What are the deadlines?

Generally, BA agreements must comply with the new requirements as of Sept. 23, 2013. But there is a grace period for some qualifying agreements, giving you until Sept. 22, 2014. An agreement qualifies for “deemed compliance” and that September 2014 deadline if:

  1. It was entered into before Jan. 25, 2013 and complied with the requirements that were in effect on Jan. 25, 2013; and
  2. The BA agreement wasn’t renewed or changed between March 26, 2013 and Sept. 23, 2013.

Deemed compliance lasts until whichever occurs first:

  1. The date of a contract renewal or modification on or after Sept. 23, 2013; or
  2. Sept. 22, 2014.

That means “if you had a HIPAA compliant agreement in effect, you have an extra year to make changes,” explains Washington, D.C. health care lawyer Kirk Nahra of Wiley Rein. While it may be nice to have that extra year, Nahra advises that you not wait to update those qualifying agreements, and that you revise them as soon as you can. For example, you’ll need to prohibit the BA from marketing and sale of PHI. You don’t want to let them do that for a year, says Nahra.

Terms/Acronyms You Should Know

BA – Business associate.

BAA – Business associate agreement.

Omnibus Final Rule – HHS rule published Jan. 25, 2013, with a Sept. 23, 2013 compliance deadline for most obligations. The rule implements HITECH.

HIO – Health information organization; for example, an entity that facilitates the exchange of health care information among providers through a network.

HITECH – Health Information Technology for Economic and Clinical Health Act, which addresses privacy and security for health information and the use of health information technology.

PSO – Patient safety organization; for example, an entity that analyzes safety event information for a provider.

PHI – Protected health information; information relating to an individual’s health care, or payment for health care services, that can identify the individual (for example, name, address, social security number).

Conduit – An entity that merely transmits information and does not routinely access it; a mere courier such as the postal service, UPS or a similar carrier.

OCR – Office for Civil Rights, a subdivision of the Department of Health and Human Services, responsible for enforcing HIPAA requirements.

Who must have a BA agreement?

Combining the pre-existing definition of BAs and the changes in the Omnibus Final Rule, the following entities must enter into a BA agreement with covered entities:

  1. Any entity other than a member of the covered entity’s workforce that “creates, receives, maintains, or transmits” PHI for a function regulated by HIPAA, including processing claims, analyzing data, utilization review, quality assurance and patient safety activities, billing and practice management functions. [42 C.F.R. 160.103].
  2. Any entity (other than a covered entity’s workforce member) providing services to the covered entity that involve disclosure of PHI, including “legal, actuarial, accounting, consulting, data aggregation… management, administrative, accreditation, or financial services.” [42 C.F.R. 160.103].
  3. Patient safety organizations (PSOs) and others involved in patient safety activity. The Omnibus Final Rule expressly added this category to the general definition of a business associate. Because PSOs receive information about patient safety events from providers and analyze those events for them, HHS acknowledged in the preamble to the rule that the pre-existing definition’s reference to entities performing “analysis” of PHI would probably already capture PSOs. But the Patient Safety Quality Improvement Act provides that PSOs must be treated as BAs under the Privacy Rule, so this change reflects that requirement.
  4. Health information organizations (HIOs), such as e-prescribing gateways or health information exchanges, that transmit and maintain PHI. The Omnibus Final Rule expressly added this entity to the BA definition. HIOs are entities that routinely access PHI rather than acting as a mere conduit. The Omnibus Final Rule doesn’t define HIOs; HHS noted that the lack of a definition is intentional because the industry is constantly developing and changing, but the rule promises guidance on the term. The preamble does describe the “conduit” exception as a narrow one that applies only to entities providing “mere courier services,” such as the postal service or UPS, or electronic couriers such as an internet service provider. Conduits transport information but don’t access it other than on a random or infrequent basis as needed to perform the transportation service. Although temporary storage during transmission of PHI may qualify as a conduit, entities that store health information or maintain it on behalf of a covered entity are covered as BAs—even if the entity doesn’t view the health information. The difference is the “transient versus persistent nature” of the ability to access the information, according to HHS’s preamble to the rule. [Final Rule, Jan. 25, 2013, pages 5571-72].
  5. Personal health record vendors that offer a personal health record on behalf of a covered entity.
  6. Subcontractors of business associates. This includes even entities with which the BA doesn’t have a formal subcontractor agreement, i.e. anyone to whom the BA “delegates a function, activity or service” who isn’t a member of the BA’s workforce, where that function or service involves the “creation, receipt, maintenance or transmission of protected health information.” [42 C.F.R. 160.103; Final Rule, Jan. 25, 2013, page 5573].

Applying the BA definition in your practice

Grace Period for Data Use Agreements

A data use agreement is similar to a BA agreement. It allows a party to use a limited data set if the entity gives assurances that it will comply with HIPAA. Like BA agreements, data use agreements also received a grace period for compliance under the Omnibus Final Rule. If a data use agreement was entered into before Jan. 25, 2013 and it complies with the requirements of 164.514(e), despite 164.502(a)(5)(ii), it is compliant until whichever occurs first:

  1. The date of a contract renewal or modification on or after Sept. 23, 2013; or
  2. Sept. 22, 2014.

Consider who qualifies as a BA now under the current definition. Is there anyone you deal with, or are now contracting with, who didn’t previously qualify as a BA but now does? Make sure they have a BA agreement. Use our checklist and table to record and track the results of your review, so you can show that you considered every vendor or outside organization working with the practice. Then use that record to keep track of your BA agreements and maintain them in compliance with HIPAA.

Why is this important? Because you want to find any missing, out-of-date or noncompliant BA Agreements before the government does. “People from OCR can show up in a lot of different ways now,” warns Chicago healthcare attorney Rick Hindmand of McDonald Hopkins. For example, OCR or other agencies could have reason to review your BA agreement compliance if they are performing a meaningful use audit, investigating a breach or performing an audit for other reasons. “The policy of OCR is if there are more than 500 individuals involved in a breach, OCR comes in and does an investigation and asks for policies and procedures and your BA agreements,” Hindmand explains. He notes a surgical practice was fined last year for failing to have required BA agreements. HHS reported that the group was fined $100,000 for, among other things, failing to have BA agreements with “Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.” [See HHS Press Release, April 17, 2012, http://www.hhs.gov/news/press/2012pres/04/20120417a.html]

Tip: Don’t just rely on the fact that you are getting a BA agreement with a vendor for protecting PHI. Conduct a due diligence review of your BAs and potential BAs, says Hindmand. “Due diligence is important to make sure the CE knows the BA has good reputation,” he explains.

What must be in your BA agreement?

Your BA agreements should include the following (items marked “new” were added by the Omnibus Final Rule):

  1. Describe the uses and disclosures of PHI permitted for the BA and stipulate that the BA won’t use or disclose PHI except as permitted by the contract or required by law.
  2. Require the BA to implement safeguards to protect PHI from unauthorized use or disclosure, including compliance with HIPAA Security Rule requirements for electronic PHI. (New: the Omnibus Final Rule added the requirement that BA agreements require the BA to comply with the HIPAA Security Rule.)
  3. Require the BA to cooperate with an individual’s request for disclosure of their PHI, an individual’s request to amend their PHI, and requests for an accounting.
  4. Require the BA to comply with Privacy Rule requirements related to the BA’s obligations under its arrangement with the covered entity. (New: the Omnibus Final Rule obligates the BA to comply with the Privacy Rule when carrying out a covered entity’s obligations under the Privacy Rule.)
     - This includes limiting PHI disclosure to a limited data set or the minimum necessary, the prohibition on unauthorized marketing communications and sale of PHI, and the requirement to honor an individual’s request that PHI not be reported to a health plan.
  5. Cooperate with necessary books and records disclosures to HHS so HHS can determine the BA’s compliance with the Privacy Rule.
  6. Destroy or return all PHI at termination of the contract with the covered entity.
  7. Require the BA to obligate its subcontractors to agree to the same restrictions and obligations that apply to the BA concerning PHI. (New under the Omnibus Final Rule.)
  8. Allow termination of the contract if the BA violates a “material term of the contract.”
  9. Address direct liability of BAs. (New under the Omnibus Final Rule.)
  10. Obligate the BA to report any security incident of which it becomes aware, including “breaches of unsecured protected health information,” without delay. (New under the Omnibus Final Rule.) HIPAA requires a covered entity to notify affected individuals no later than 60 days from discovery, so consider your own obligations when deciding how quickly the BA must notify you. Also address how notification of individuals regarding the disclosure or breach will be handled.

Are you a business associate?

Health care lawyer Rick Hindmand warns that even medical group practices should consider whether they or some of their physicians could be business associates of another covered entity. For example, Hindmand explains that a physician acting as a medical director at a hospital medical department and performing a quality control function could be a business associate. If the physician or practice is performing a service for a covered entity that doesn’t involve treatment, BA rules could apply. For example, if a large medical group practice contracts with another practice to provide billing services, or enters into an office sharing arrangement subleasing space and services (such as receptionist or other administrative services) to a physician, that could trigger a BA relationship.

Warning: Nahra warns that you should carefully consider what you want to obligate BAs to do when drafting and negotiating a provision concerning breach notification. Don’t just copy the language from the statute. If you do, you may be delegating to the BA the decision-making about what constitutes a breach, he advises. On the other hand, if you require the BA to report more broadly, your entity will need to sort through those reports. So carefully consider what information you want your BA to report, and when. In doing this, consider the four criteria we discussed last month that determine when a breach requires action.

Other issues to consider. Nahra notes that often in negotiating these agreements, indemnification and payment of costs are the biggest issues parties struggle to negotiate. So evaluate what you want from your BAs concerning cost and indemnification and develop a strategy to deal with those issues, Nahra advises.

Use our handy checklist to make sure every BA Agreement addresses these issues. Also, for help drafting your BA agreement, see HHS’s sample BA Agreement via the link provided in the Resources section of this article.
