Wherefore Art Thou Business Associate? The Risk of Not Knowing.

One of our business associate clients asked this week, “Why aren’t our covered entities asking us to sign business associate agreements?” We think it’s because they don’t know they need to. They may not have even identified the full list of who their business associates are. This leaves covered entities (CEs) vulnerable to risk if their business associates (BAs) fail to follow HIPAA law. (Subcontractors of business associates must also comply with HIPAA if they handle PHI.) Our client sends them the BA agreement from The HIPAA E-Tool® Business Associate Edition, and uses another one provided from the BA Edition for its subcontractors. 

For other BAs without guidance, this is a critical issue and they may be targeted by the Office of Civil Rights (OCR) in 2017. BAs, like covered entities, are now liable for compliance with HIPAA rules, and are subject to federal investigation, enforcement penalties and random HIPAA compliance audits. Examples of business associates include:

  • A medical device maker that handles PHI
  • Revenue cycle managers that handle PHI
  • A collections agency providing debt collection services
  • An independent medical transcriptionist that provides transcription services
  • A subcontractor providing remote backup services of PHI data for an IT contractor-business associate
  • A law office or accounting firm that handles PHI

OCR is continuing enforcement of the issue because of the magnitude of data BAs handle and the resulting sizes of potential breaches. Breaches of PHI among business associates are caused in a variety of ways. The following graph shows that theft, hacking and loss account for about 77% of all BA breaches.

OCR is aware of the issue and wants to see improvements. The problem was highlighted by Iliana L. Peters, OCR’s Senior Advisor for HIPAA Compliance and Enforcement at HHS last month. Speaking at the Health Care Compliance Association’s annual compliance institute on March 27, Ms. Peters explained that covered entities who do not have business associate agreements with their BA’s are among the top 10 enforcement issues that OCR continues to encounter.

Why does the problem continue? The most likely reason is that there are so many covered entities, especially smaller providers, who don’t know that full HIPAA compliance requires that they have a BA agreement. And if so, they might not realize the danger of entrusting protected health information to business associates. HIPAA law requires covered entities to 1) identify who their BAs are, 2) perform due diligence to evaluate whether the BAs comply with HIPAA, and 3) enter into a HIPAA compliant BA agreement with each BA.

The HIPAA E-Tool® has answers for both covered entities and business associates. For covered entities, walk through how to identify business associates, see guidance and easy to use forms on how to perform due diligence, and use a HIPAA compliant business associate agreement tailored to your organization. For business associates, the Business Associate Edition of The HIPAA E-Tool® guides you through your responsibilities under HIPAA and provides HIPAA compliant agreements for your use.