Business Associates and Business Associate Agreements are a good example of the inexorable march of technology in the face of almost-stationary regulatory law. Find out how you can protect your practice against Business Associate data breaches.
THE BUSINESS ASSOCIATES CONUNDRUM
HIPAA has long defined Business Associates as “persons who, on behalf of a Covered Entity (but other than as members of the Covered Entity’s workforce) perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA.”
However, the approach to Business Associates and the written contracts that govern how they use patient information has changed considerably over the past 20 years. Prior to enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, the law merely required Business Associates to “use appropriate safeguards.” There was no standard for how data would be protected, and no way to validate whether the BA was actually following one. Suffice it to say most were not.
BEST INTENTIONS; WORST-CASE SCENARIOS
Fast-forward seven years, when fully 25% of all data breaches are caused by Business Associates, and you can see how much patient privacy law has evolved to fit the environment in which it is applied. While some will argue that these changes were inevitable given widespread EMR adoption, I believe the changes would have been required had everyone still been using paper charts! The size, pace and sheer number of Business Associate-caused data breaches would have mandated regulatory attention no matter what medium was involved.
Nowadays, HITECH and the Omnibus Rule require Business Associates to comply directly with Security Rule provisions directing implementation of administrative, physical and technical safeguards for ePHI and development and enforcement of related policies, procedures and documentation safeguards including designation of a Privacy Officer.
What’s more, Business Associates must require subcontractors and agents to provide reasonable written assurance that they will comply with the same restrictions and conditions that already apply to the Business Associate.
This all sounds pretty good, but it’s obviously not happening. The Office for Civil Rights estimates that more than a third of Covered Entities are still sharing PHI with Business Associates without any sort of written agreement in place. Beyond the obvious lack of a clear mutual understanding, the risk falls disproportionately on the Covered Entity: with no agreement in place, if the Business Associate breaches the practice’s data, both are liable. If an up-to-date Business Associate Agreement is in place, on the other hand, only the party actually responsible for the data breach is likely to answer for it.
LARGEST ACHILLES’ HEEL
For many Covered Entities, going without a BAA in place is often the path of least resistance. Many labs and technology providers will flatly refuse to sign BAAs, even at the risk of losing the business of the Covered Entity. In most cases, lawyers have convinced stakeholders that it is better to lose the business than to assume any liability for a data breach. These companies often employ a ‘dodge’ of sorts: They claim to be Covered Entities themselves, rather than Business Associates, and thus exempt themselves from the BAA requirement altogether.
Even many of the Business Associates who do sign BAAs behave questionably. The typical Business Associate doesn’t know where to turn for HIPAA training for employees, doesn’t understand the principles that govern proper data protection and disposal, hasn’t implemented automated virus checks, and has no security procedures for employee termination. All of these are now required under the Omnibus Rule and under some State regulations.
As a result, many Business Associates continue to offer Covered Entities a BAA that predates the Omnibus Rule (2013), and quite often the CE happily signs on the line. The fact that the BAA has no real teeth is lost on the average practitioner until an unfortunate data breach brings home the fact that, because of the outdated Agreement, both parties are liable.
Business Associate Agreements remain the single largest Achilles’ heel for the typical small- or medium-sized practice. For more than a decade, HIPAA gave less concern to Business Associates than you and I might give to a favorite dog. Now the concern is very real, and the catastrophic consequences are real as well.
Note: 45 CFR § 160.103 clearly states that “A Covered Entity may be a Business Associate of another Covered Entity.”
HIPAA @ 20: A FIVE-PART SERIES
In this five-part series, we’re taking a close look at HIPAA @ 20: examining what’s changed, what remains the same, and why small practices remain at risk. We’ll also look ahead to the next decade and make some educated guesses about what the future holds for patient privacy regulation, data safeguards, and the threats practitioners and patients will face.