What is a Business Associate Agreement?
Business Associate Agreements – What Are They and When Are They Needed?
Subcontractors
When a subcontractor is being hired, either to provide services or handle data, a Business Associate Agreement (BAA) is needed. In these situations, the subcontractor is acting on behalf of the contractor and is considered a business associate under privacy regulations. As such, Business Associate Agreements must spell out what that subcontractor is allowed to do, when and how. This type of agreement must comply with the HIPAA Privacy Rule, the Privacy Regulations and the HITECH Act.
A BAA is needed to pass along the responsibility for handling certain types of data to a contractor or other business associate that the organization has hired. That way, the contractor is able to ensure compliance with federal HIPAA regulations. These types of contractors are often thought of as "subcontractors" or "trading partners" and they may perform such tasks as:
• Data processing
• Information analysis
• Telemedicine
• Billing and collections
• Interpretation services
• Fraud and abuse tracking
• Service as a third-party administrator
• Legal counsel
• Advertising
• Claims auditing
• Precertification
• Claims administration
• Any other administrative, financial, legal, actuarial, billing, benefit consulting or claims processing functions
Essentially, a person or organization that is helping another organization in its administrative role, using electronic protected health information, is usually considered a business associate. In some cases, the only time that protected health information is exchanged between the two parties is when health care claims are sent. A good example of this might include a third party administrator for health insurance claims.
A BAA must be executed before an individual or entity can begin to work as a subcontractor for the contractor. If a subcontractor is hired and that subcontractor plans to use a third party to perform any function for which that subcontractor is now responsible, it must first sign a Business Associate Agreement with the contractor and then have its own subcontractor enter a contract with it.

Essential Components of a BAA
The basic premise of a business associate agreement is that it is an agreement between a covered entity and a business associate requiring the business associate to follow the privacy and security rules with respect to protected health information and to otherwise protect the privacy of the individuals the covered entity has records on. While the rules are fairly simple, the terms of the agreement must be clear and unambiguous as to how the business associate is expected to perform its duties under the rules. The following are general components of a business associate agreement:
Permitted uses of data. While the privacy rule permits the use of protected health information in furtherance of necessary business functions, the business associate agreement should specify how the data will be used or disclosed. The agreement should attempt to be specific. For example, will the business associate cache information locally for review, search or other purposes? Will the business associate be permitted to de-identify the information for its own internal needs? Will the business associate also be permitted to use the information in support of its business long after the covered entity has terminated the contract?
Safeguards on PHI. A comparison of which safeguards are necessary and appropriate is needed to determine how the business associate should protect the data. Most business associate agreements do not specify exactly how the data will be protected, except to say that the safeguards will at a minimum meet all applicable state and federal laws. Nonetheless, these safeguards must be in place to ensure the security of the information.
Reportable incidents. Again, the privacy rule requires that covered entities apply a risk assessment process to determine the materiality of a reportable incident and, if there’s a significant risk, notify the individual promptly. The business associate agreement should similarly specify how the business associate will report to the covered entity discovered breaches that require reporting under the privacy rule.
Termination clause. The covered entity has the right to terminate a contract if the business associate violates the material terms of the business associate agreement. It is unclear from the regulations exactly what happens to the information after the agreement has been terminated. However, logically, confiscating the information would be an obvious response to the violation. The covered entity needs to specifically find out from OCR whether they will be held liable if the business associate refuses to turn over de-identified and re-identified data after the breach.
When Subcontractors Require a BAA
If a subcontractor of a business associate has access to PHI, then a BAA is required between the business associate and its subcontractor. Examples:
• A billing company uses its own employees to conduct billing, but may also subcontract some of its functions, for example, calls for collection or appointment setting. Those subcontracted services would require a BAA between the billing company and the subcontractor, if PHI is being accessed in the course of that relationship.
• A shredding company has employees who shred documents on customers’ premises. If the shredding company’s employees are covered entities’ workforce members, no BAA is needed. Otherwise, if the employees are subcontractors of the shredding company, then a business associate contract is required (between the business associate and the subcontractor).
Obligations of Subcontractors
The Office for Civil Rights of the Department of Health and Human Services (HHS) has at least twice found subcontractors for a business associate to be directly liable for violations of HIPAA. It appears that some business associates (particularly small business associates) are unaware of their responsibility to have BAAs with subcontractors, perhaps due to the failure of covered entities to inform their business associates of this requirement. While the interim final rule has numerous references to the legal obligations of "business associates," it does not define "subcontractor." On the other hand, HIPAA, and HITECH, do define "subcontractor" and require that there be a "written agreement or other arrangement" with a subcontractor. Furthermore, the Director of HHS’ Office of Civil Rights (OCR) has recently stated "it has never been the case that business associates of business associates do not have to comply with HIPAA" and confirmed that a subcontractor of a business associate can be held directly liable for violations of HIPAA.
The "Business Associate Contract" provisions of the interim final rule merely clarify contractual terms that are supposed to be in place as a matter of contract law among the parties. Whether such contractual terms are legally sufficient will be tested when enforcement actions are brought by OCR. By complying with the contractual obligations imposed on them, subcontractors will best be able to protect themselves from those enforcement actions. Some of the more critical contractual obligations are:
• If a subcontractor is to create, receive, maintain, or transmit protected health information (PHI), the first step is obtaining from the contractor a written determination that the subcontractor has the ability to safeguard PHI and guarantee compliance with its obligations under HIPAA.
• Subcontractors must not use or disclose PHI other than as permitted by contract.
• Subcontractors must implement appropriate safeguards to protect the confidentiality and integrity of PHI. A subcontractor’s safeguards program should include the necessary policies and procedures to ensure compliance with HIPAA’s security standards and implementation specifications. For example, the safeguards program should include administrative, physical and technical safeguards.
Depending on the types of services the subcontractor provides or the types of information the subcontractor has access to, there may be additional contractual obligations.
Penalties for Non-Compliant Subcontractors
Most often, a business associate is dealing with the Covered Entity and not the subcontractor. The subcontractor may believe that it need not be concerned with the terms of the Business Associate Agreement ("BAA"). This is an incorrect assumption. The HITECH regulations specifically spell out the need for a BAA between a business associate and a subcontractor, as do the NAIC Model Laws. There are financial and legal risks and penalties for non-compliance.
There are a couple of recent enforcement actions related to privacy and security standards, for example, involving out-of-date antivirus software and installing a "key logger" on a worker’s computer. More such cases will follow.
The liability for non-compliance can be very high. The actual costs of a breach are likely to be high, including costs such as notification, credit monitoring and even fines for patients’ or consumers’ losses. Depending on the particular circumstances, these will be costs paid by the Covered Entity or possibly by the subcontractor. Defending against an enforcement action is extremely costly, especially where the case is tried on the merits. Even more expensive is the settlement of a class action. In addition to these costs, there are the defense costs associated with the breach investigation itself, incident management, the development of the mandated submission to HHS, public relations assistance, addressing the fallout which may come from the breach, and other costs.
The penalties for noncompliance are increasing. Previously, the maximum fine was $1,500,000 per violation of the HIPAA Rule. Now the legislation has indexed the penalty structure to the nature and timing of a covered entity’s culpability. Although there are no criminal proceedings under HIPAA for the improper disclosure of information by a subcontractor, there is no indication that the provisions for piercing the corporate veil do not extend to a subcontractor. This means that the subcontractor’s executives can also be held liable if the subcontractor fails to comply with its BAA, the HIPAA Security Rule and other requirements such as risk assessment and authentication.
Specifically, for certain violations of the HIPAA Rules, the amount of the fine could be up to $1.5 million per year per violation. As the law is worded, the fine could be levied annually, meaning that the penalty is applied to each of the years in which a Privacy or Security Rule violation occurred. For example, if a breach of protected health information occurs in December of 2011, the entity will have until September of 2013 to notify affected patients, making it subject to a $1.5 million penalty. The fine, however, lacks treble damages.
The law is still developing around enforcement and contract disputes, but there is no doubt that there is a strong emphasis on adhering to the BAA. A vendor’s liability is certainly increasing.
Best Practices for Subcontractors
Staff education and training is crucial in ensuring compliance with your Business Associate Agreement (BAA). The process should start with the training of key staff members, such as compliance officers, security officers, and information systems security officers. Training should include procedures and policies that facilitate compliance with any BAA, as well as tracking compliance with the BAA provisions and the maintenance and production of required documentation. Since all staff members must comply with your BAA, training all staff on the basic terms of the BAA is highly recommended. In addition, informing staff when changes are made to the BAA is crucial, as compliance is an ongoing process.
Generally, Conduent recommends the following best practices for their subcontractors:
1. Develop an inventory of electronic equipment that contains individually identifiable health information.
2. Identify devices at risk of loss or theft.
3. Develop appropriate policies and procedures regarding protection from theft and loss.
4. Implement appropriate security technologies, such as:
   • Firewall protection,
   • Access control,
   • Encryption,
   • Auditing, and
   • Remote access monitoring.
5. Conduct regular (i.e., including after an incident or breach) and ongoing risk assessments.
6. Develop contingency plans for data breaches.
How to Create a BAA for Subcontractors
When a subcontractor produces, receives, maintains or transmits protected health information (PHI) for another subcontractor who is a business associate of a covered entity, a business associate agreement (BAA) must be in place between the business associate and the subcontractor. HIPAA recognizes that it is common for business associates to subcontract with other third parties in order to perform their tasks as business associates, and it imposes the same restrictions on written agreements with subcontractors that apply to agreements between a covered entity and its business associates. As a result, subcontracts with business associates now require the level of care and concern that is required in legal agreements anywhere else in the industry that involve healthcare information.
Drafting a BAA for a subcontractor should involve the input of legal counsel for both the business associate and the subcontractor. The approach to drafting a BAA for a subcontractor includes: