Business Associate Agreements: Being Judged by the Company You Keep

This article is written by Michael J. Sacopulos, CEO of Medical Risk Institute.

The past several years have witnessed explosive growth in HIPAA and HITECH Act enforcement actions against medical providers. Many of these actions relate to misadventures by vendors and business associates of the providers. In 2012, the Minnesota Attorney General's office announced a $2.5 million fine levied against a medical collections firm for data breaches. This year may be the busiest yet for law firms that represent covered entities and business associates in HIPAA compliance matters. Fenton Nelson, a California firm that counsels healthcare providers on regulatory compliance, has seen innocent, inadvertent errors result in significant liability risks. In one example, in the course of upgrading a billing company's website, an IT programmer accidentally removed the login from a secure web portal. In a matter of hours, Google "spiders," no longer blocked by the password protection, started picking up the data on the website and listing it on search engine results. The billing company started receiving calls from its own medical facility clients, who had phones buzzing from irate patients who were stunned to have googled their names and had their health records pop up online in search engine results.

"We advised our client, you have an obligation to send out notifications to respond to this data breach," recalls firm managing partner Harry Nelson. "The client kept insisting, 'No, you mean that our medical facility clients have these obligations.' It was a real wakeup call when they finally got what it meant to be a business associate. They assumed they were going to have to tell their clients, and let them deal with those affected and the government. That was bad enough, but when they realized they were on the hook, too, it was not a pleasant realization," recalls Mr. Nelson.

It's not just a signature

The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), signed into law in 2009, restructures the regulation of the privacy and security of patient health information. The HITECH Act does this by imposing new privacy and security requirements under, and significantly altering key concepts and foundations of, the Health Insurance Portability and Accountability Act (HIPAA). As of September 23, 2013, Business Associates will have significant regulatory requirements imposed upon them directly by the Office of Civil Rights of Health and Human Services (HHS) because of the final HITECH regulations. The HITECH rules became effective March 26, 2013. Therefore, Covered Entities (healthcare providers, healthcare payors and healthcare clearinghouses) must be making changes to their Business Associate Agreements (BAAs), and all BAAs will have to conform no later than September 22, 2014, or potentially earlier, as described below.

With the adoption of the HITECH rules, the definition of a Business Associate has been expanded to include entities that not only create or receive PHI (Protected Health Information) from a Covered Entity but also those that maintain or transmit it. Thus, data transmission service providers transmitting PHI, even if they do not look at the specific PHI, are deemed to be Business Associates. Also included in the definition of a Business Associate are subcontractors to a Business Associate that engage in similar activities with the PHI on behalf of the Business Associate.

Additionally, as of March 2013, all Business Associates are subject to compliance with all of the HIPAA security rules. In the event of noncompliance with the privacy and security regulations, Business Associates are now subject to direct criminal and civil penalties imposed by the federal government. Previously, a Business Associate was only liable for breach of contract to a Covered Entity for breaching the terms of a BAA.

"A few years ago people would just sign the BA agreement without thinking twice, but now we are seeing people having a conversation making sure the company they are doing business with understands what their responsibilities are," Mr. Nelson said. Today, they had better think twice.

Individuals and others now can report a Business Associate to HHS for noncompliance with the privacy and security regulations.

BAAs in need of update

Business Associates must implement reasonable and appropriate policies and procedures to incorporate the following requirements:

1) Implement policies and procedures to prevent, detect, contain and correct security violations
2) Identify the security official who is responsible for the development and implementation of the policies and procedures
3) Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic PHI, and to prevent those workforce members who do not have access from obtaining access to electronic PHI
4) Implement policies and procedures for authorizing access to electronic PHI that are consistent with the applicable requirements of the Privacy Rule
5) Implement a security awareness and training program for all members of its workforce (including management)
6) Implement policies and procedures to address security incidents
7) Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example fire, vandalism, system failure and natural disaster) that damages systems that contain electronic PHI
8) Perform a periodic technical and nontechnical evaluation

Penalties against Business Associates

There are serious potential consequences for Business Associate violations of HIPAA and HITECH requirements:

    If the BA did not know they were breaking the law and exercised reasonable diligence, they could be fined $100 for each violation, not to exceed $25,000
    If the BA's violation was due to reasonable cause and not willful neglect, they could be fined $1,000 for each violation, not to exceed $100,000
    If the BA's violation was due to willful neglect but was corrected, they could be fined $10,000 for each violation, not to exceed $250,000
    If the BA's violation was due to willful neglect and was not corrected, they could be fined $50,000 for each violation, not to exceed $1,500,000

"Have a lawyer look at your Business Associate Agreement (BAA) and ascertain that you are using a BAA that takes into account the 2009 changes that came into effect with HITECH. It is not just the promises to retain confidentiality but also that the agreement contains the statements that you as the business associate are accepting all of the responsibility as if you were in the shoes of a provider, along with potential liability," Mr. Nelson said.

Lastly, be aware that if a new BAA is entered into or a BAA is amended on or after March 26, 2013, but prior to September 23, 2013, the BAA must then be compliant by September 23, 2013. If a business associate entered into an agreement prior to March 26, compliance will not be required until September 22, 2014.

Protection of the medical provider with additional requirements for the business associate

The BAA should be looked upon as an opportunity to gain protection from the BA in the event of a privacy breach. By including some of the ideas below, a medical practice will be in a better position in the event of a third party breach.

a) Indemnification: Privacy breaches are expensive. Medical practices may want to require their BA to indemnify them if a breach should occur.
b) Proof of Financial Responsibility: The costs and penalties can be large. Make sure the BA can cover these costs.
c) Degrees of Separation: BAs often need others to assist with providing services (for example, the billing firm that uses an outside IT firm). Medical providers should require disclosure of all entities with access to PHI.
d) Background Checks: Medical providers may require that BAs guarantee that all people working with the provider's PHI have had a background check. The last thing a provider needs is to entrust private data to a convicted felon.

In this era of increased enforcement and high penalties for privacy breaches, medical providers need to protect themselves. It is easy to become collateral damage when a BA makes a mistake. With some forethought and proper contract drafting, a medical provider can reduce its exposure in the event of a third party data breach.

Michael J. Sacopulos is the CEO of Medical Risk Institute (MRI). Medical Risk Institute is a firm formed exclusively to provide proactive counsel to the healthcare community to help providers understand where liability risks originate, and reduce or remove these risks. He may be reached at
