Three Things to Know About New HIPAA Business Associate Rules

As if healthcare providers didn’t have enough new regulation to worry about, back in January 2013 the Department of Health and Human Services (HHS) published a final set of regulations entitled the “HIPAA Omnibus Rule,” modifying the existing Health Insurance Portability and Accountability Act (HIPAA). These rules went into effect in March 2013, but gave “covered entities” (providers that transmit any health information electronically) until September 2013 to comply.

These revised rules brought about several changes to HIPAA, mostly revisions and modifications to existing regulations. The most significant change, however, involves the rules on “business associates” (BAs) and how their relationships with covered entities (CEs) are managed and governed.

Reading these regulations can sometimes be like translating a foreign language. But with thousands or even millions of dollars in fines at stake, it’s extremely important that practices understand and comply with these new rules.

Here are three important things to know about the new rule involving BAs:

Practices are Responsible for Their BAs

Yes, the revised rules now state that a BA can be held directly liable (civilly or criminally) for violating HIPAA, but that doesn’t mean practices are off the hook. Practices are responsible for ensuring (to the best of their ability) that the BAs they work with are HIPAA compliant. A few ways to do this are to review the BA’s policies and procedures for HIPAA compliance as well as any training programs it offers its employees. Specifically, practices should pay close attention to a BA’s plan for cybersecurity and breach notification. The best way for a practice to avoid taking on the liability of a neglectful BA is to do its due diligence in developing partnerships with associates that have a sound working knowledge of HIPAA and of the implications if it is violated.

Use the BA Agreement for Added Protection

Many practices use BA agreements only because they are required by law to enter into one with any BA with which PHI (personal health information) is shared. What they don’t realize is that these agreements can make all the difference in terms of liability protection for the CE, and can also act as a guideline to ensure BAs are doing their part in protecting patient information. These agreements can clearly identify the roles and responsibilities of the BA, not only to maintain HIPAA compliance but also to follow proper reporting requirements in the case of a breach.

A BA is Not What It Used to Be

The definition of a BA has been completely changed under the new revisions. Here is the new “expanded” definition: (source https://www.aaos.org)

• A health information organization, e-prescribing gateway, or any other entity that provides data transmission services to a covered entity and requires access on a routine basis to PHI.
• An entity that offers a personal health record on behalf of a covered entity. However, if the personal health record is not offered on behalf of a covered entity, then the personal health record vendor is not a business associate.
• A subcontractor of a covered entity as well as any subcontractor of a business associate, if the subcontractor accesses PHI of the covered entity.
• An individual who creates, receives, maintains, or transmits PHI on behalf of a covered entity.

If your practice is currently in partnership with any entities that may fall into any of these categories and you don’t have a BA agreement, it’s time to get one. It would be wise for practice managers to review all contracts with vendors and partners for BA clauses that may exempt BAs or subcontractors from HIPAA liability.

The HIPAA Omnibus Final Rule includes many other revisions, including increased civil money penalties for breaches, modification of the definition of what constitutes a privacy breach, strengthening of the limitations on the use and disclosure of personal health information (PHI), the expansion of an individual’s right to receive electronic copies of his/her own health information, and more.

These rules and their revisions can be complex and difficult to apply; the American Academy of Orthopedic Surgeons has created a great, comprehensive FAQ page for the Omnibus Final Rule.

Are you confused about any portion of the new revisions to HIPAA? Contact us today, we can help!