Practice Management Alert

HIPAA:

Assess Your BAA Terminology to Lessen Liability

September holds a key deadline.

Last month, in “Let This Example Show You What Not to Do With Your BAs,” you read a case study that stressed the importance of thoroughly evaluating your business associates (BAs) to ensure your practice isn’t at risk for “guilt by association” charges.

To help keep your practice on top of things, you should review your business associate agreements (BAAs) regularly. Follow these expert tips so you don’t miss any critical details. 

Update Before September

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires you to update and revise your BAAs to ensure they’re in compliance with the HIPAA Omnibus Final Rule by September.

The HITECH Act mandates that you negotiate and implement amendments to all pre-existing BAAs — those entered into prior to Jan. 25, 2013, said attorney Casey Moriarty in a blog posting for the Seattle-based law firm Ogden Murphy Wallace.

Reduce Your Liability

You should “also be mindful of the important terms in BAAs that can lead to increased liability,” Moriarty noted. Specifically, pay attention to these three terms:

  • Indemnification: Although not required under the HITECH Act, you should push for strong indemnification language that requires the BA to indemnify your organization for its breach of PHI and HIPAA violations, Moriarty said. “Acceptable indemnification language for each party depends on the nature of the PHI involved in the transaction and the amount of PHI that is transmitted between the parties.”
  • Limitation of Liability: Many BAs push for BAA language that limits their liability to certain amounts. But accepting a BA’s “limitation of liability” terms can pose significant risks if the BA violates HIPAA after the BAA is signed, Moriarty warned.
  • Breach Notification Time Period: The HITECH Act requires BAs to notify covered entities (CEs) of a breach within 60 days of discovery. But to protect your relationships with patients affected by a breach, your proposed BAAs should require the BA to provide notification within 10 days or less, Moriarty recommended. A BA’s “acceptance to a shorter notification period can put tremendous pressure on it to investigate and disclose accurate information after a breach occurs.”

Lesson learned: Although you must complete the BAA amendments by the Sept. 23 deadline, you still need to take the time to think critically about the language in your BAAs prior to signing them, Moriarty stressed.