Practices are hearing more and more about large fines and data breaches surrounding HIPAA (Health Insurance Portability and Accountability Act of 1996). Many are fearful that significant fines could affect their practice, their patients, and their livelihood. Is this a real threat? We, at PCIHIPAA, believe it is. HIPAA law is confusing and protecting the security and privacy of your patient information is critical. And with the enactment of the Omnibus Rule back in 2013, HIPAA compliance now extends to your Business Associates.
The Ponemon Institute states that 39% of all Business Associates have experienced a data breach, and in one case a practice was fined $31,000 for not having a Business Associate Agreement on file. That’s an expensive document!
As HIPAA Compliance Specialists, a day rarely goes by that we don’t receive questions about Business Associates. “Who’s a Business Associate?” “Am I at risk if I don’t execute the proper agreements?” “What does my practice need to do?” In fact, we even created a HIPAA Webinar Series for our clients to help answer these questions. Let me help clarify some of these questions.
1) “Do I need to have Business Associate Agreements on file?”
Yes. If you are a Covered Entity under HIPAA, you are required to execute Business Associate Agreements. The Health and Human Services website (HHS.gov) defines Covered Entities as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a transaction for which HHS has adopted a standard. In practice, almost any provider that bills insurance electronically meets that test.
Bottom line: Examples of Covered Entities under HIPAA are Doctors, Clinics, Psychologists, Dentists, Chiropractors, Oral Surgeons, Podiatrists, Ophthalmologists, Nursing Homes, Pharmacies, Health Insurance Companies, HMOs, Company Health Plans, and Labs.
2) “Then, who is a Business Associate?”
A Business Associate is any organization or person, outside your own workforce, that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity, or that provides services to a Covered Entity involving the disclosure of PHI. A Business Associate may also be a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another Business Associate; the obligations flow down the chain. Think of it this way: if you contract with a person or an entity that needs access to your PHI to do their job, they are most likely a Business Associate.
Bottom line: Examples of Business Associates are Lawyers, Accountants, IT Programmers and Representatives, Shredding Companies, Marketing Software Companies, Practice Management Software Providers, Data Backup and Storage Companies, and Billing Companies.
“Are there exceptions?”
Yes. HIPAA excludes mere conduits of information (UPS, FedEx, the postal service, and their electronic equivalents such as an internet service provider), where any exposure to PHI is transient and incidental to transporting it. Note that this exception is narrow: a vendor that stores or processes your PHI, such as a cloud storage or hosted backup provider, is a Business Associate even if the data is encrypted and the vendor never looks at it. Disclosures to government health plans such as Medicare and Medicaid for payment purposes do not require a Business Associate Agreement, and neither does sharing PHI with another provider for treatment. Anyone who is not required to handle your PHI to do their job (Janitors, Landlords, Water Delivery Services) is also not a Business Associate. Finally, your employees are not considered Business Associates. They need to be trained on HIPAA, but you don’t need to execute Business Associate Agreements with your employees.
3) “What exactly is a Business Associate Agreement, and why is it important?”
A Business Associate Agreement is a binding legal document that is now required under HIPAA for you to execute with all of your Business Associates. It is imperative that your practice has Business Associate Agreements in place, with a log kept for reference, so you can show an auditor which vendors have access to PHI and which agreement covers each one. Because your practice (as a Covered Entity) is sharing PHI with your Business Associate, this document ensures that the HIPAA mandates are in place and that your patients are protected. At a minimum, HIPAA requires the agreement to spell out the permitted uses and disclosures of PHI, require appropriate safeguards, require the Business Associate to report breaches and security incidents to you, flow the same obligations down to any subcontractors, and require PHI to be returned or destroyed when the relationship ends. If you use the right Business Associate Agreement, it also includes an “Indemnity Clause.” HIPAA does not require this clause, but it is worth negotiating: it lets you recover your costs if PHI is compromised under your Business Associate’s watch. Keep in mind that it does not transfer your own compliance obligations; your practice remains responsible for choosing vendors carefully and for having the agreement in place. This is a crucial clause that should be included in any Business Associate Agreement you execute.
Bottom line: PCIHIPAA created OfficeSafe to help our clients take the guesswork out of HIPAA and protect them from HIPAA non-compliance risks and patient data breaches. In addition, our Business Associate Agreement tool helps practices quickly create, send, execute and store all of their Business Associate Agreements. OfficeSafe includes tools for the implementation of multiple HIPAA safeguards and requirements. At PCIHIPAA, we want you to have the peace of mind that your practice will remain both fine-free and compliant.