What are a Business Associates’ Responsibilities Under HIPAA?
Consider two people sharing an umbrella in the rain. They both have the same goal—to reach the car dry, without dropping any of the food they purchased and intend to share—but they each have different responsibilities on the mission: one is holding the umbrella and one has to hold the food.
HIPAA compliance is much higher stakes, but there are two different types of organizations carrying the load: covered entities and business associates. And just like the two people carrying the umbrella with different obligations, while both covered entities and business associates want to stay compliant, each is subject to different requirements under the HIPAA rules.
As a HIPAA compliance auditor, Schellman understands the separation well, since we perform assessments for both. To help clarify the different responsibilities for those who may still be unsure where they land, this article will focus on business associates, their obligations under HIPAA, and how they can be liable for violations, as well as tips on how to avoid said violations.
You’ll be clearer whether you fall into this category, and if you do, you’ll understand a baseline of important facets that will help you avoid liability.
What is a HIPAA Business Associate?
HIPAA defines a business associate as follows:
A person or entity that “creates, receives, maintains, or transmits protected health information (PHI)” on behalf of a covered entity or business associate; or provides services that involve the use or disclosure of PHI to a covered entity.
Covered entities—the healthcare providers and health plans of the world—use business associates to help them carry out those healthcare functions. Despite the implication of the terminology, members of a covered entity’s workforce are not considered its business associates. Rather, these are third-party organizations a covered entity may work with and who are entrusted with PHI. Examples of business associates include:
- Software providers whose solutions interact with systems that contain ePHI
- Cloud service providers and cloud platforms
- Document storage companies (physical and electronic storage),
- Collection agencies
- Medical billing companies
- Asset and document recycling companies
- Answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third-party administrators, medical couriers, and marketing firms.
NOTE: If you’re one of said healthcare providers or health plans, you define yourself as a covered entity—however, it’s important to consider if you’re also a business associate of another covered entity.
How Do the HIPAA Rules Apply to Business Associates?
So then, if you are a business associate as defined by HIPAA, what does that mean for your obligations to its rules? Covered entities are different, but here’s how each rule breaks down for business associates:
HIPAA Rules for Business Associates
Same obligations for both business associates and covered entities, including the implementation of administrative, physical, and technical safeguards to protect the confidentiality, integrity, and accessibility of PHI.
Under the regulation, notification of a breach must be made within 60 days of when you became aware or knew or should have known about the breach.
Business associates must comply with a BAA, as well as several privacy provisions:
What is Business Associate Agreement (BAA) and What is its Role Under HIPAA?
You’ll note BAAs were mentioned, but what exactly are they?
When covered entities disclose PHI to their business associates, they can only do so if they obtain “satisfactory assurances” that:
- The information will only be used for the purposes the business associate has been contracted to perform.
- PHI will not be disclosed to other entities.
- The business associate will implement safeguards to prevent the misuse of the information and ensure the confidentiality, integrity, and availability of PHI.
- The business associate will help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule.
This must all be in writing, whether in the form of a contract or other agreement between the two parties, otherwise known as the BAA.
How are Business Associates Liable Under HIPAA?
BAAs will help ensure your HIPAA compliance and prove that you took the necessary steps to keep data secure. That’s important since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act made business associates of covered entities directly liable for compliance with certain requirements of HIPAA.
The Office of Civil Rights (OCR) has since issued guidance regarding proper HIPAA compliance practices, safeguards, and documentation. Business associates will want to avoid the following if you don’t want a visit from the OCR:
- Failure to comply with the requirements of the HIPAA Security Rule, e.g., not performing a risk assessment or implementing the required administrative, physical, and technical safeguards.
- Failure to enter into BAAs with subcontractors that create or receive PHI, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of a subcontractor’s BAA.
- Impermissible use or disclosure of PHI, including use or disclosure that is not permitted under the BAA.
- Failure to make reasonable efforts to limit the request, use, or disclosure of PHI to the minimum necessary to accomplish the intended purpose.
- Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA) as necessary to enable the covered entity to comply with the patient’s right of access.
- Failure to provide an accounting of disclosures as necessary to enable the covered entity to comply with its obligations to provide such an accounting when requested.
- Failure to notify the covered entity or another business associate of a breach of PHI as required by the breach notification rule.
- Retaliating against others for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to provide the Department of Health and Human Services (HHS) with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by HHS to information, including PHI, pertinent to determining compliance.
The OCR has been particularly active in enforcing items 1 and 8 above, as they regularly find instances of noncompliance with the Security Rule and the breach notification provision—both are low-hanging fruit.
Don’t overlook your BAAs with subcontractors (items 2 and 3 above) either. Any subcontractor performing services that involve PHI received, created, or maintained on behalf of a business associate must sign a BAA with terms at least as stringent as your own with the covered entity.
It’s important to take your HIPAA compliance seriously. Not only will violations incur penalties but you may also be sued by your covered entity if you breach the terms of your BAA, which often contain extra indemnification or penalty provisions to go with additional requirements.
How to Avoid HIPAA Liability
If you’ve now determined you’re a business associate under HIPAA, here are 6 tips to get you started in avoiding the severe consequences of non-compliance:
- Develop and implement HIPAA policies and procedures that comply with all of the HIPAA Rules, and distribute them to your workforce.
- At the time of distribution, require a signed written or electronic compliance certification from your people stating that they have read, understand, and shall abide by such policies and procedures.
- Restrict access to those people that have signed the compliance certification and received HIPAA training (which should also be documented.)
- Conduct an accurate and thorough risk analysis/assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI in your charge.
- Document your implemented security measures to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
- Conduct this risk analysis annually—or at a minimum of once every two years—as well as every time a significant change is made to operations.
- Enter into BAAs with any covered entities that will send your organization PHI, as well as with any subcontractors to which your organization will send PHI.
- Appoint a HIPAA Privacy and Security Official to serve as the steward of the PHI that your organization receives and maintains.
- Consult your BAA when any PHI you have is impermissibly used or disclosed to see what your obligations are for reporting the disclosure to the covered entity.
- Remember, any PHI impermissibly used or disclosed is presumed to be a breach under HIPAA unless a breach risk assessment shows otherwise. Your BAA may outline who is responsible for conducting said breach risk assessment.
Next Steps for Your HIPAA Compliance
HIPAA regulations can be overwhelming, but ignorance of the rules is not an excuse to the OCR or HHS, whether you’re a covered entity, business associate, or subcontractor. HIPAA compliance is an ongoing commitment, and business associates now understand a little bit more regarding their role and what they need to do.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.