Recently a notification was released by the OCR (Office for Civil Rights) reminding entities of their regulatory obligations and responsibilities, which include ensuring that Business Associate Agreements are in place. A recent OCR investigation identified that a pharmacy chain (a Covered Entity) and a law firm (a Business Associate) had not entered into a Business Associate Agreement. “Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.”
A Business Associate Agreement (BAA) is required under HIPAA, but what does this document mean for your office?
Any PHI (Protected Health Information) that your office shares with a Business Associate remains the responsibility of your office. While the PHI is under the control of your office, you have the ability to protect the information and control its disclosure. Once the information is shared with your Business Associate, you no longer have that ability.
The BAA must state that the Business Associate complies with the same security requirements that your office is held to under HIPAA Security Standards for the Protection of Electronic Protected Health Information. This includes restricting the Business Associate from disclosing patient information other than as provided for in the BAA.
Business Associates may use their own subcontractors in order to provide your office with their services. This may include sharing PHI with those subcontractors. The BAA must ensure that their subcontractors agree to the same restrictions and conditions with respect to the PHI.
These measures help to protect your office and the PHI that you entrust with your Business Associate.
Many Business Associates have experienced breaches. If your Business Associate experiences a breach that includes your PHI, that breach is your responsibility. The BAA requires your Business Associate to report any improper disclosures within 60 days of becoming aware of the event.
Once you become aware of the breach, you must remediate that breach. If a breach is remediated within 30 days of discovery and your office has an up-to-date HIPAA manual in place, your office cannot be fined for the breach. The 60-day allowance for a Business Associate to notify your office may negatively impact your office’s opportunity to avoid a fine. The TLD Systems Business Associate Agreement requires notification within 5 days of discovery to allow offices sufficient time to remediate the breach in that 30-day period.
Patients have rights under HIPAA. Under the Privacy Rule, patients have a right to an accounting of all PHI disclosures over the last 6 years. Under the Right of Access Rule, patients have a right to their patient records within 30 days. The BAA must require the Business Associate to make this information available in a time and manner consistent with the current regulations.
If a BAA needs to be terminated, the BAA must require the Business Associate to return or destroy all PHI that was provided by or created for your office, if feasible. If that is not feasible, the Business Associate will be required to continue to maintain the protections of the PHI and limit further uses and disclosures.
Key Considerations:
- PHI that you share with your Business Associate is still your office’s responsibility
- BAAs require that your Business Associate follow security guidelines under HIPAA
- Make sure your BAA requires your Business Associate to notify you of a breach within 5 days of discovery
- BAAs require the Business Associate to provide you with records that enable you to comply with the Right of Access Rule and the Privacy Rule
Disclaimer - I am not an attorney, and this should not be considered legal advice. If you need specific legal advice, please seek a qualified healthcare attorney who is knowledgeable in HIPAA.
TLD Systems clients can access Business Associate Agreement templates through their portal. If you have questions or are interested in how TLD Systems can help you with your HIPAA compliance journey, email info@tldsystems.com or schedule a FREE 30-minute meeting.