The HIPAA privacy and security regulations allow health care providers to disclose protected health information to their business associates without the patient’s authorization if the provider has a written agreement with the business associate that requires the business associate to comply with certain aspects of HIPAA. (See 45 C.F.R. 164.314 and 164.502). Disclosures to business associates without a valid business associate agreement violate HIPAA, require the provider to account for the improper disclosure, and may result in civil or criminal penalties ranging from $100 to $250,000. (See 45 C.F.R. 164.502(e)(1)(iii)).
Business Associates. A “business associate” is a person who uses protected health information to perform certain business functions for the provider, including claims processing, billing, collections, data analysis, financial, legal, accounting, consulting, data aggregation, management, administration, accreditation, or other payment or health care operations. (45 C.F.R. 164.103). It includes independent managers, consultants, attorneys, accountants, transcriptionists, billing companies, accreditation entities, medical directors, IT specialists, risk managers, liability insurers, etc. However, the following are not business associates: members of the covered entity’s “workforce” (including employees, volunteers, trainees, and others who are under the direct control of the provider) (45 C.F.R. 164.103); other health care providers when disclosure is for treatment purposes (45 C.F.R. 164.502(e)(1)(ii)(A)); members of a medical staff or organized health care arrangement (45 C.F.R. 164.103); and persons such as a janitor, plumber, or copy machine repairman who may see or have access to protected health information but who do not use the information to perform functions for the provider.
Valid Business Associate Agreements. To be valid, the business associate agreement must:
- Be in writing or preserved in electronic format.
- Describe the permitted and required uses of protected health information by the business associate.
- Prohibit the business associate from using or disclosing information in a manner that would violate HIPAA if done by the covered entity, except that the agreement may allow the business associate to use or disclose the protected health information for the proper management and administration of the business associate, or to carry out its legal responsibilities.
- Prohibit the business associate from using or further disclosing the protected health information except as provided by the agreement or required by law.
- Require the business associate to implement administrative, physical, technical, and other safeguards that reasonably and appropriately protect the confidentiality of the protected health information, and protect the confidentiality, integrity and availability of any electronic health information.
- Require the business associate to report to the provider any security incident or any other use or disclosure of the protected information in violation of the contract of which the business associate becomes aware.
- Require the business associate to make protected health information available to individuals who are entitled to access the information under the privacy regulations.
- Require the business associate to amend protected health information consistent with the privacy regulations.
- Require the business associate to make information available to the provider as necessary to allow the provider to account for disclosures as required by the privacy rules.
- Require the business associate to make its practices, books, and records relating to the use or disclosure of the protected health information available to HHS for determining the provider’s compliance.
- Require the business associate, upon termination of the agreement, to return or destroy all the protected health information, or if return or destruction is not feasible, to maintain the confidentiality of the protected health information.
- If the business associate discloses the protected health information to an agent or subcontractor, require the agent or subcontractor to implement reasonable and appropriate safeguards to protect it and otherwise comply with the same requirements imposed on the business associate.
- Authorize the provider to terminate the agreement if the provider determines that the business associate has violated a material term of the contract.
(45 C.F.R. 164.314(a) and 164.504(e)). Although not required by the privacy or security rules, providers may consider adding additional terms or conditions, e.g., a “hold harmless” or indemnity provision that requires the business associate to defend and indemnify the provider for violations.
Providers may use the foregoing checklist to draft or evaluate their own business associate agreements, or to measure agreements received from third parties. The Office of Civil Rights (“OCR”) published a sample business associate agreement on its website; however, the sample was prepared before the security rules were implemented and does not contain the additional terms required by the HIPAA security rule effective April 2005. (See 45 C.F.R. 164.314). Providers who have not updated their business associate agreements since April 2005 need to do so to add the security rule requirements. Providers must retain copies of business associate agreements for six years from their last effective date. (See 45 C.F.R. 164.316(2)(i)).
Liability for Business Associates’ Actions. Providers are generally not responsible for confidentiality or security violations by the business associate unless the provider (1) knew of a pattern or practice of material violations by the business associate; and (2) failed to take reasonable steps to cure the business associate’s violations, terminate the contract, or report the matter to the OCR. (45 C.F.R. 164.314(a)(1) and 164.504(e)(1)(ii)). However, upon learning of a violation, the provider may still have an obligation to take appropriate steps to mitigate the effects of an improper disclosure or security incident. (See 45 C.F.R. 164.530(f)).
Non-Business Associates. Although business associate agreements are not required for the provider’s workforce or others who may have incidental access to such information (e.g., janitors, repairmen, etc.), it is still a good idea to require such persons to sign a confidentiality agreement. Such an agreement may constitute appropriate safeguards generally required by the HIPAA privacy and security regulations. (See, e.g., 45 C.F.R. 164.530(c)).
If you have questions about these or other legal issues, please contact a member of our Health Law group or call 208.344.6000.