Building a HIPAA Toolbox: Part 3
Update your business associate agreements.
By Reed Williams, JD
If your organization has a Business Associate Agreement (BAA) filed away that hasn’t been touched in the past five years, put down this article and call your attorney. He or she will likely explain that your dusty, old BAA does not comply with the omnibus HIPAA final rule, and must be amended to avoid costly fines and other liabilities.
To deprive you hours of enjoyment that reading the final rule in its entirety brings, let’s review the major changes enacted by the final rule with respect to business associates. In particular, you’ll learn:
- What changes were made to the definition of business associate;
- What new requirements are applicable to business associates; and
- What major hurdles and strategies relevant to business associate relationships are subject to the final rule.
Who Is a Business Associate?
The final rule expands the scope of persons considered to be business associates under HIPAA. The revised definition includes any person who creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity (CE), or who provides services to or for a CE involving the disclosure of PHI.
More specifically, health information exchanges, e-prescribing gateways, data transmissions services involving PHI, personal health record vendors, and contractors who receive, maintain, or transmit PHI on behalf of a CE are now business associates under the final rule. Note that this expanded definition includes companies that merely store data for a CE (such as cloud storage vendors).
A good rule of thumb: Any person or organization outside of your control who sees, touches, or stores PHI for your organization is likely a business associate, and must sign a BAA.
New Requirements for Business Associates
The final rule established numerous new requirements for CEs and business associates. BAAs are still required, but business associates now must comply with applicable HIPAA Privacy and Security regulations, and are directly liable for violations.
If a business associate is an “agent” of a CE (rather than an independent contractor), the CE is directly liable for the business associate’s violation of HIPAA. Unfortunately, there is no clear rule regarding when a business associate is an agent or independent contractor of a CE. The characterization depends on the unique facts and circumstances of the business associate relationship and the extent to which the CE can manage the business associate in the performance of its duties. Generally, the more control the CE exerts over the business associate, the more likely the business associate is an agent of the CE.
Prior to the final rule, business associates were only liable for breach of their BAA, not for violations of HIPAA itself. Now, a CE must cure a business associate’s violation of the BAA or applicable HIPAA regulations, or terminate the business associate relationship if resolution is not possible. In the event of a breach of unsecured PHI, a business associate must notify the CE “without unreasonable delay,” and in no case later than 60 days following the breach.
If a CE delegates one or more of its HIPAA-required responsibilities (such as the requirement to maintain and update PHI) to a business associate, the BAA must require the business associate to perform those duties in compliance with HIPAA as if it were the covered entity. In other words, the business associate cannot do anything the CE cannot do legally.
Under the final rule, subcontractors retained by a business associate may now be considered business associates. Each subcontractor is directly responsible for its own compliance (and liable for its noncompliance) with all relevant provisions of HIPAA. Business associates must enter into written BAAs with subcontractors who qualify as business associates. A BAA between a business associate and its subcontractor must also be at least as strict as the BAA between the business associate and its CE with respect to PHI the subcontractor handles.
Hurdles and Strategies for Compliance
To comply with the numerous changes enacted by the final rule, most existing BAAs will require updates. The deadline for amending BAAs that existed before January 25, 2013 (and that were not renewed or modified between March 26, 2014 and September 23, 2014) was September 22, 2014. All other BAAs were required to comply with the final rule by September 23, 2013.
It’s extremely important for your organization to review its current BAAs and to ensure they comply with all relevant provisions in the final rule. Because the definition of business associate is greatly expanded under the final rule, your organization may need to negotiate BAAs for relationships that previously did not require one. Whether you’re negotiating the amendment of a preexisting BAA or discussing a new agreement, there are several important issues to keep in mind.
Arguably the most important element is the characterization of the business associate as an independent contractor or agent of the CE. To limit potential liability, a CE likely will avoid creating agency relationships with business associates. For a business associate to be an independent contractor, the relationship must be structured to limit the CE’s authority over the business associate and, in particular, the manner in which the business associate performs its work for the CE. This can be accomplished, for instance, by drafting the BAA to describe only the general obligations of the business associate. By contrast, a BAA that requires the business associate to comply with the CE’s policies and procedures when performing its duties is likely to create an agency relationship.
Both CEs and business associates may find that negotiating BAAs is significantly more difficult following the enactment of the final rule. CEs may be wary of their responsibility to cure a business associate’s breach of applicable HIPAA regulations and may push for very short breach reporting periods or expansive indemnification provisions. Business associates, on the other hand, may resist assuming certain responsibilities now that they can be held liable for such breaches.
One of the most effective strategies for negotiation is to keep the BAA as simple and straightforward as possible. Include only those provisions necessary to comply with the law and adequately protect both parties. Many BAAs are far too lengthy because the parties try to provide every eventuality. Documents such as this are often unclear and significantly increase the likelihood that a party will unintentionally breach the agreement. Keep it simple.
Lastly, implement a procedure for updating your BAAs annually to reflect not only the current laws and regulations, but also any new relationships between the parties. If you entered into a BAA in 2012 with a web content vendor for your organization’s Web page, and then began using the company in 2014 to store cloud-based PHI, your original BAA may not be adequate for the changed relationship.
Reed Williams, JD, is an associate with Lathrop & Gage, LLP, in Overland Park, Kansas. His practice is primarily focused on healthcare and corporate law. Representing both individual and institutional providers, Williams advises clients on a variety of contractual, corporate governance, regulatory, and management issues.