HHS Business Associates Agreements
By David Briggs
SAALFELD GRIGGS PC
For many dental practices, the fact that the U.S. Department of Health and Human Services (HHS) issued new regulations earlier this year related the HITECH Act went completely unnoticed. These rules came in addition to a litany of tighter privacy and security requirements, including new rules on when you have to alert patients about a breach of their privacy. HHS’s new rules force covered entities, including dental practices, to focus on ensuring that their “business associates” are keeping PHI private.
Who Are Business Associates?
The new rules increase the importance of understanding which of your contractors are “business associates”. Under the HITECH Act, a business associate is any person (individual or entity) who helps a covered entity with a function or activity involving the use of personal health information. A business associate can include an outside contractor doing processing or administration, data analysis, practice management, accounting, consulting, data aggregation management, and legal services. Employees of a practice are not considered business associates. Because the definition has been very technical, some practices decided that they would rather call all contractors “business associates” rather than review how to properly label the contractor. However, because covered entities face liability for breaches caused by their business associates, entities that want to reduce their exposure need to be more careful in defining (and — if possible — limit) who is a business associate.
Requirements of Business Associates
In the past, business associate agreements commonly focused on liability issues, including agreements from the business associate to indemnify the covered entity from any liability in the event of a breach of a patient’s privacy. The new regulations emphasize that contracts with business associates must discuss privacy obligations not only for the business associate, but any subcontractor. The regulations go so far as to require that business associates (and subcontractors) not only report when there has been an actual breach of privacy, but they must also report any unsuccessful attempt to gain access to PHI. In updating your business associate agreements, covered entities should still include provisions about indemnification, but also you must pay careful attention to the privacy obligations called out in the new regulations. Among other elements, your contracts must now require your business associates to:
- Use appropriate precautions to prevent unauthorized use or disclosure of PHI;
- Report to the covered entity when PHI has been used outside the terms granted or where there has been a breach of unsecured PHI;
- Conduct a risk assessment to determine whether a breach of a patient’s privacy has occurred;
- Comply with individual requests for copies of PHI;
- Destroy or return all PHI received from or created on behalf of a covered entity when feasible;
- Ensure that any subcontractors that will receive access to PHI will agree to the same restrictions that apply to the business associate regarding PHI;
- Restrict their ability to sell and use PHI for marketing purposes; and
- Authorize the covered entity to terminate the contract if the business associate violates the material terms of it.
Liability
Until January of this year, a covered entity was not liable for the breaches of a business associate if the entity had a compliant business associate contract in place and complied with HIPAA’s requirements concerning acting on known contract breaches by the business associate. The new regulations eliminate that safe harbor. Now, once a business associate is determined to be an agent of the covered entity, the entity will be liable for all HIPAA violations, not only of the business associate, but any of the business associates’ subcontractors.
Consequence of a Breach By a Business Associate
While covered entities are not required to monitor a business associate’s HIPAA compliance, covered entities are required to take action if it has substantial and credible evidence of a violation of HIPAA privacy requirements. Once a covered entity has that knowledge, it must take reasonable steps to cure the breach or end the violation. If those steps are not successful, the covered entity must terminate the contract with the business associate.
Deadline For Compliance
The updated rules generally go into effect on September 23, 2013. That means that all of your business associate agreements must be updated by that date, with one exception. If a covered entity has a long-term relationship with a business associate, it has up to one year to enter into a new and compliant agreement if the covered entity had entered into the agreement before January 25, 2013. For those long-term relationships, covered entities must have their agreements updated by September 22, 2014 or the date the contract is renewed or modified, whichever date comes first. If you are currently going to enter into a new business associate agreement, covered entities are well advised to update those agreements now, rather than having to revisit those agreements in September.
Contact David Briggs at Saalfeld Griggs for more information about the new HHS requirements, updating your privacy practices, or updating your business associate agreements.