HHS Requires Changes to Your Business Associate Agreements
by David Briggs and Wayne Kinkade
Saafeld Griggs PC
This month, we will be continuing our review of new regulations issued by U.S. Department of Health and Human Services (HHS) related the HITECH Act. As we discussed last month, HHS instituted a litany of tighter privacy and security requirements, including new rules on when you have to alert patients about a breach of their privacy. That information is tied to the topic of this month’s article on HHS’s new regulations regarding business associate agreements.
HHS’s new rules force covered entities (such as health plans, health care providers, and health care clearinghouses) to focus on ensuring that their “business associates” are keeping PHI private.
Who are Business Associates?
The new rules increase the importance of understanding which of your contractors are “business associates”. Prior to these rules, most covered entities would state that most all contractors were “business associates” and enter into an agreement. However, because covered entities face liability for breaches caused by their business associates, entities need to be more careful in defining (and – if possible – limit) who is a business associate.
Under the HITECH Act, a business associate is any person (individual or entity) who helps a covered entity with a function or activity involving the use of PHI. A business associate can include an outside contractor doing processing or administration, data analysis, practice management, accounting, consulting, data aggregation management, and legal services. Employees of the covered entity are not considered business associates.
Requirements of Business Associates
In the past, business associate agreements commonly focused on liability issues, including agreements from the business associate to indemnify the covered entity from any liability in the event of a breach of a patient’s privacy.
The new regulations emphasize that contracts with business associates must discuss privacy obligations not only for the business associate, but any subcontractor. The regulations go so far as to require that business associates (and subcontractors) not only report when there has been an actual breach of privacy, but they must also report any unsuccessful attempt to gain access to PHI.
In updating your business associate agreements, covered entities should still include provisions about indemnification, but also you must pay careful attention to the privacy obligations called out in the new regulations. Among other elements, your contracts must now require your business associates to:
- Use appropriate precautions to prevent unauthorized use or disclosure of PHI;
- Report to the covered entity when PHI has been used outside the terms granted or where there has been a breach of unsecured PHI (see last month’s issue of ChartNotes for more information on what constitutes a breach);
- Conduct a risk assessment to determine whether a breach of a patient’s privacy has occurred;
- Comply with individual requests for copies of PHI;
- Destroy or return all PHI received from or created on behalf of a covered entity when feasible;
- Ensure that any subcontractors that will receive access to PHI will agree to the same restrictions that apply to the business associate regarding PHI;
- Restrict their ability to sell and use PHI for marketing purposes; and
- Authorize the covered entity to terminate the contract if the business associate violates the material terms of it.
Liability
Until January of this year, a covered entity was not liable for the breaches of a business associate if the entity had a compliant business associate contract in place and complied with HIPAA’s requirements concerning acting on known contract breaches by the business associate. The new regulations eliminate that safe harbor. Now, once a business associate is determined to be an agent of the covered entity, the entity will be liable for all HIPAA violations, not only of the business associate, but any of the business associates’ subcontractors.
Consequence of a Breach by a Business Associate
While covered entities are not required to monitor a business associate’s HIPAA compliance, covered entities are required to take action if it has substantial and credible evidence of a violation of HIPAA privacy requirements. Once a covered entity has that knowledge, it must take reasonable steps to cure the breach or end the violation. If those steps are not successful, the covered entity must terminate the contract with the business associate.
Deadline for Compliance
The updated rules generally go into effect on September 23, 2013. That means that all of your business associate agreements must be updated by that date, with one exception. If a covered entity has a long-term relationship with a business associate, it has up to one year to enter into a new and compliant agreement if the covered entity had entered into the agreement before January 25, 2013. For those long-term relationships, covered entities must have their agreements updated by September 22, 2014 or the date the contract is renewed or modified, whichever date comes first.
If you are currently going to enter into a new business associate agreement, covered entities are well advised to update those agreements now, rather than having to revisit those agreements in September. Contact Wayne Kinkade or David Briggs at Saalfeld Griggs for more information about the new HHS requirements, updating your privacy practices, or updating your business associate agreements.