Recently, an orthopedic clinic learned just how expensive a Business Associate Agreement, or the lack of one, can be. The Raleigh Orthopaedic Clinic agreed to pay $750,000 pursuant to a resolution agreement with the Office for Civil Rights (OCR), the enforcement agency for HIPAA, to resolve a potential HIPAA violation arising from a breach report revealing that the clinic did not have a Business Associate Agreement (BAA) with a vendor it hired to dispose of X-ray films, affecting approximately 17,300 patient records. Not only did OCR require a $750,000 payment to resolve the potential violation, it also placed the clinic under a Corrective Action Plan for two years requiring the development and implementation of a HIPAA-compliant plan to identify and manage Business Associate (BA) relationships. The resolution agreement can be found on HHS.gov.
Why are BAAs Important?
The BAA is the mechanism by which a healthcare provider - or covered entity (CE) - is authorized under HIPAA to release or disclose protected health information (PHI), without the patient’s authorization, to its BAs. BAs are those agents and subcontractors, not part of the CE’s workforce, that provide a wide range of services necessary for the operation of a medical practice, including but not limited to billing, claims processing or administration, utilization review, quality assurance or risk management, data storage and management, legal, actuarial, accounting, data aggregation, administrative, accreditation, and financial services. The Omnibus Rule issued in 2013 clarified that a vendor’s ability to access PHI is all that is necessary to define a BA relationship. The ability to access is key, regardless of whether there is ever actual access.
Without a BAA, a CE cannot disclose PHI to its BAs. Any disclosure to a BA without a BAA, in the absence of another exclusion, is unauthorized under HIPAA and may constitute a “breach,” requiring notification to the individual, the Secretary, and, under certain circumstances, even the media. In short, a BAA is required any time a healthcare provider contracts with a third-party vendor to provide services that require disclosure of PHI. On an ongoing basis, any time a service agreement or contract is entered into, the HIPAA Privacy or Security Officer (a HIPAA-required role in any business that handles PHI) should be notified in order to determine whether a BAA is required.
BAA Structural Requirements
The format of the BAA is not specified; it can be a letter agreement, an amendment, an exhibit or addendum to a Master Agreement, or a section within the Master Agreement itself. HIPAA does require that the BAA be in writing and that it include basic core requirements, including the defined permitted uses and disclosures of PHI. In addition, a BAA must include provisions that extend to the BA certain of the CE’s obligations under HIPAA to honor an individual’s request to exercise rights under HIPAA, such as the right of access, amendment, restrictions or limitations, and accounting of disclosures. Finally, the BAA specifies when and how PHI is to be handled at the termination of the relationship, to ensure that PHI is properly accounted for and returned or destroyed in a HIPAA-compliant manner. Other requirements include basic adherence to the Privacy and Security Rules, notification requirements in the event of unauthorized uses and disclosures, breaches or security incidents, termination for material breach, and compliance with requests from the Secretary of DHHS to ensure HIPAA compliance. Under the Omnibus Rule, a BA may allow its subcontractors and agents to access PHI only if the BA obtains a written agreement that extends these same conditions and obligations to the subcontractor or agent.
Including Supplemental Provisions for Added Protection
Additional important considerations for BAAs include liability and cost allocation associated with HIPAA violations by the BA or its subcontractor. Many CEs include indemnity provisions as well as liability for breach notification including investigation, response, and mitigation for breaches caused by the BA or its subcontractors. BAs typically seek to limit their exposure for breaches by limiting the BAA to the most basic terms required by HIPAA.
Many BAs are reluctant to enter into BAAs that contain indemnity or cost allocation provisions. The CE’s decision to include some or all of these additional provisions depends largely on the risk to PHI, and the potential for a breach. However, noncompliance with the BAA requirement is not an option. The Raleigh Orthopaedic Clinic resolution agreement teaches that OCR has little tolerance for HIPAA violations and will not hesitate to apply a significant penalty for noncompliance; one that far outweighs the CE’s administrative burden of obtaining a basic BAA.
Examples of Business Associates
- Third-party administrator that assists with claims processing
- CPA firm whose accounting services to a healthcare provider involve access to PHI
- Attorney whose legal services involve access to PHI
- Consultant that performs utilization reviews for a hospital
- Healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider and forwards the processed transaction to a payer
- Independent medical transcriptionist
- Pharmacy benefits manager of a health plan’s pharmacist network
- PHI or billing data storage contractor, including cloud storage such as Dropbox or Google Docs
Situations Where a BAA Is Not Required
- A hospital is not required to have a BAA with a specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes
- A healthcare provider is not required to have a BAA with a health plan to which it discloses PHI for payment purposes
- A BAA is not required with persons or organizations (e.g., a janitorial service or an electrician) whose functions or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all
- A BAA is not required with a person or organization that acts merely as a conduit for PHI, for example, the U.S. Postal Service, certain private couriers, and their electronic equivalents
- A BAA is not required among covered entities that participate in an organized healthcare arrangement (OHCA) to make disclosures that relate to the joint healthcare activities of the OHCA
- A BAA is not required to disclose PHI to a researcher for research purposes, because the researcher is not performing a regulated service, function, or activity
- A BAA is not required with a financial institution providing its normal banking or other financial transaction services to its customers, because it is not performing a function or activity for, or on behalf of, the covered entity
- A physician is not required to have a BAA with a laboratory as a condition of disclosing PHI for the treatment of an individual
- A hospital laboratory is not required to have a BAA to disclose PHI to a reference laboratory for the treatment of an individual
The U.S. Department of Health & Human Services and the Centers for Medicare & Medicaid Services publish a sample Business Associate Agreement that can be used as a starting point.