April 20, 2021
We’ve all heard the saying ‘sharing is caring’ but sometimes doing a good deed could actually steer you into some consequences later down the road. Let’s say, for example, you just loaned your car to your best bud whose “quick trip to the store” actually consisted of running red lights and racking up parking tickets. Though you might not have been the one in the driver’s seat – your name will be the one on all of the lovely fines that wind up in your mailbox, not your BFF’s.
Now you’re probably wondering where we’re going with all of this. And while cars and protected health information (PHI) might not have a whole lot in common, it goes to show how certain situations in life require additional precautions to minimize the risk of being responsible for another’s wrongful actions. This idea rings especially true when it comes to working with and sharing something as valuable as sensitive health information.
HIPAA law provides a pretty specific roadmap for how your practice should be safeguarding PHI and outlines certain standards that if not met – could result in a hefty fine. But with all the government requirements, advancements in technology, and changing patient needs – it’s impossible today to run a practice without the help of third-party vendors. So whether it be an outside medical billing company, IT support, or document shredding company – any vendor that comes into contact with PHI is a business associate (BA) of your practice and requires their own set of directions for proper handling.
Just as covered entities have obligations under HIPAA law, so do business associates – with one of the most important being a documented and signed Business Associate Agreement (BAA). A BAA is essentially a written agreement between your organization and the business associate, specifying each party’s responsibilities when accessing and maintaining PHI and it offsets the liability so that your practice can take a backseat if any incidents were to occur.
As you probably wouldn’t hand over your keys to just anyone without laying down some ground rules first, the same goes for providing access to patients’ sensitive health information. Like most contracts, the terms and conditions in a proper BAA can be pretty lengthy and may vary based on the type of vendor you’re working with – but here are some of the basic HIPAA requirements that should be outlined:
Permitted uses and disclosures of PHI
- Whether you’re a healthcare provider or a business associate – you can’t just go around sharing PHI with whoever you feel like. All of the do’s and don’ts should be clearly identified within the agreement to ensure that everyone is on the same page when it comes to PHI use and disclosure.
Specific safeguards that the BA is expected to establish
- The BAA should highlight all of the technical, physical, and administrative safeguards that the vendor should have in place to best protect PHI. It should also provide additional safeguards based on the type of PHI they work with – for example if they access and share electronic protected health information (ePHI) you should document that proper encryption is required.
Breach Notification requirements
- In an effort to prepare for the worst-case scenario, the agreement should include specific requirements for reporting a data breach. These guidelines should cover the breach notification process and timeframe that the BA must notify your practice which is currently no later than 60 days upon discovery of a breach according to federal HIPAA law. The window they have for reporting could also be shorter based on the laws specific to the state where your practice is located. For example, California state law gives a much shorter timeframe of up to 15 days to report.
Policies and procedures for providing PHI access at your practice’s or patient’s request
- Patient right of access has continued to be a huge government enforcement focus so outlining the proper policies and procedures for responding to patient record requests is a key element in the agreement. It is also important to identify the requirements for the BA to respond to your practice’s PHI requests including the timeframe and procedures for sharing.
Business Associate Training requirements
- In order to best protect PHI, you need to have the know-how which is why all staff members within your organization need proper HIPAA training and so do all BA employees.
Guidelines for how PHI should be returned or destroyed upon termination of the BAA
- You might’ve reached the expiration date on the agreement, maybe you’ve found another vendor to work with, or just want to go your separate ways. Whatever the case may be, there should be guidelines in place for how PHI is handled upon termination of the BAA, ensuring that that it’s either returned to your practice or properly disposed of.
Meeting all the requirements for what should be included in a BAA is just the first stretch of the drive, and something we’re often asked is, “What if one of my vendors refuses to sign?” Given the fact that having a signed BAA with all vendors you work with is a HIPAA requirement, it’s probably a good idea to put the brakes on any working relationship with a vendor who can’t agree to your terms and conditions. Just last year a medical practice found itself a victim of a HIPAA hit and run after filing a breach report stating that their EHR company was blocking access to the practices’ ePHI in exchange for $50,000 to be paid by the practice. While it might seem pretty obvious that the business associate was the driving force of the incident, because there was no BAA in place – the $100,000 in damage fell solely on the provider.
A Business Associate Agreement not only lays out the rules of the road for how PHI should be handled but holds the BA directly liable for any non-compliance that happens when they’re behind the wheel. Having a proper agreement in place with each and every vendor you work with ensures that they’re best protecting your patients’ PHI and means that your practice can steer clear of the hefty HIPAA fines if they don’t.