Execute Business Associate Agreements under HIPAA

In a memo released last month, the U.S. Office for Civil Rights (OCR) raised this question: Is Your Business Associate Prepared for a Security Incident?

Well, how would you answer?

The issue is critical, as OCR audits are in progress under the federal Health Insurance Portability and Accountability Act (HIPAA). The audits extend to business associates, and according to OCR, business associates will need to demonstrate security risk analysis, risk management, and breach reporting procedures.

In its memo, OCR refers to a widespread perception that it is difficult for healthcare providers to know whether their business associates are adequately protecting patient information.

First, let’s make sure you know who your business associates are. In sum, a business associate is any outside person or company with whom you share protected health or personally identifiable information about the people you serve.

They — through you — are obligated to meet all federal privacy and security laws to protect that information. This includes billing companies, technology vendors, temporary staffing companies and anyone else with potential access to patient information. With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.

In its new memo, OCR also says you should plan in advance for how you will confront a breach by a business associate, including subcontractors. OCR’s memo recommends the following:

1. Business associate agreements should define how and for what purposes patient information may be used or disclosed. Be clear about what constitutes unauthorized disclosures and incidents that need to be reported back to the HIPAA-covered healthcare provider.

HIPAA defines “security incidents” as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. This could include:

  • Attempts (either failed or successful) to gain unauthorized access to electronic protected health information (ePHI), or a system that contains ePHI;
  • Unwanted disruption to systems that contain ePHI;
  • Changes to system hardware or software characteristics without the owner’s knowledge or consent.

2. Business associate agreements should specify the time frame for business associates or subcontractors to report a breach, security incident, or cyber-attack. Keep in mind: Reporting should be prompt, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR and, in some cases, the media.

The federal government’s website says that HIPAA-covered providers should file a breach notification by filling out and electronically submitting a breach report form to the U.S. Department of Health and Human Services.

If a breach affects 500 or more individuals, covered entities must file a report promptly, and in no case later than 60 days following a breach. If a breach affects fewer than 500 individuals, the covered entity must submit notification no later than 60 days after the end of the calendar year in which the breach is discovered. The government’s website also describes circumstances that require reporting to the media.

3. Business associate agreements should identify the type of information a business associate or subcontractor will need to provide in a breach or security incident report. Such reports should include the business associate’s name and point of contact information, and descriptions of:

  • What happened, including the date of the incident and the date of the discovery of the incident, if known.
  • The types of protected health information potentially compromised due to the incident.
  • How the business associate is investigating the incident, and what measures are being taken to protect against further incidents.

4. Finally, covered entities and business associates should train workforce members on incident reporting. OCR says covered entities may want to conduct security audits to make sure their business associate agreements are being enforced.

Questions? Contact Diane Evans, Publisher of MyHIPAA Guide, at 330-990-1470, or by email at [email protected]. This article is for informational purposes and does not constitute legal advice for individual circumstances.
