Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews of business associate agreements stems from an increased focus on compliance, and audits from the Office of Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPAA-compliant providers like healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to:
- Expiration date. An expired BAA is the same as not having one at all.
- Business associate agreements are drafted to meet three purposes: education, compliance, and contract enforceability. You have to make sure that your agreements meet all of those purposes. For that reason, a simple statement that an associate “agrees to follow all applicable laws” may not be enough to meet compliance rules. Do not assume that your business associate knows what to do in the event of a breach, or which security rules need to be followed. Your BAAs should specifically outline the expectations of the associate in terms of responding to a breach, protecting data, and liability for breaches.
- Breach notifications. Speaking of breach notifications, even though the new rules now apply independently to business associates, you can still have problems if there is a breach. The BAA needs to specifically cover breach notification procedures, including who conducts investigations and when, and who bears the cost. Because each state has its own rules regarding the timing and procedures for reporting breaches, BAAs must be customized to adhere to both the federal and state standards, and updated as necessary when state legislatures pass new laws.
- Use of client data. While the laws specifically prohibit any language that would allow for the sale of protected health information (PHI), many BAAs are now being drafted to include provisions for the business associate’s use of de-identified data. For example, a cloud-based medical records provider might be interested in collecting such data to use in research related to predicting patient outcomes or usage statistics. Covered entities need to determine whether they want to allow data to be used this way, and if so, what provisions will be in place to protect individual privacy.
Keep in mind that if your business associate agreements are up-to-date, you may not need to execute an entirely new agreement in order to ensure compliance or make changes to existing provisions. Creating addenda that address new requirements is acceptable, and can keep you in compliance. The most important point is that all of your business associate agreements are up-to-date, contain the vital provisions, and adhere to the standards of all applicable federal laws. By regularly reviewing the agreements, you’ll avoid misunderstandings that could lead to major sanctions and other consequences.
This is a sponsored post.