COVID-19 RESPONSE: Recent developments are impacting our valued clients. Read these helpful resources for navigating this crisis in your business.
Business Associate Agreements: Are You Compliant?
Wednesday, May 1, 2019 9:00 AM
As industry training becomes increasingly available, practices are working to continually improve their compliance with HIPAA standards. These organizations, which have gained a more in-depth knowledge of HIPAA’s nuanced rules and regulations, have contributed to a rise in the number of incidents reported of protected health information (PHI) breaches and penalties.
In some of these cases, business associates (BAs) are putting practices at risk due to their level of security and HIPAA privacy compliance (or lack thereof). Like practices, BAs must be prepared to demonstrate compliance with applicable HIPAA Privacy and Security rules, as well as portions of the Breach Notification Rule.
Business Associate Agreements 101
Business Associate Agreements (BAAs), which were developed as part of the HIPAA Security Rule’s Administrative Safeguards, limit the use and disclosure of PHI or ePHI (electronic protected health information). To ensure your practice is compliant, it is crucial to gain a thorough understanding of the BAA process and how to make it work for your practice. Below we answer some common questions you may have.
- Who is a business associate?
The HIPAA Privacy Rule defines BAs as an outside person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides certain services to, a covered entity. BA services provided to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.1
- Why are Business Associate Agreements important?
BAAs are executed to ensure appropriate safety measures are in place with third parties (i.e., vendors and consultants) that have access to protected patient information. BAAs limit the use and disclosure of PHI or ePHI. Under the HITECH Act, any HIPAA BA can be held accountable for a data breach and penalized for noncompliance.
- Who oversees BAAs for the practice?
BAA management is the responsibility of the covered entity issuing the agreement(s). Your practice’s compliance officer is the logical choice for this assignment; in smaller practices, this is often the administrator. The practice compliance officer should educate providers and staff on BAA policies, become the designated issuer of BAAs, and maintain records of all active BAAs with other covered entities.
- Is there a recommended process when creating a BAA?
When developing a BAA for a specific practice or provider, it is wise to reference available resources, such as online BAA samples or health care attorneys. While such resources are helpful, it is essential to customize the verbiage of each BAA to describe that particular provider/entity relationship, along with any additional pertinent information.
- How should vendors be screened for compliance?
When a practice has a vendor sign a BAA, it should ensure the vendor is performing Office of Inspector General (OIG) sanction screenings and can produce documentation that no excluded individual is working for the vendor. By law, an excluded individual cannot be paid with funds received from a federal health care program, such as Medicare, Medicaid, TRICARE, State Children’s Health Insurance Program (SCHIP), or other state health care programs. Since the vendor is a BA, it is incumbent upon the practice to ensure it is not in violation of an exclusion.
- What ongoing maintenance is needed?
Concerning BAAs, medical practices have the following HIPAA responsibilities:
- Maintaining compliant identification of BAs;
- Executing appropriate BAAs;
- Tracking, as well as terminating, BAAs (as appropriate); and
- Preparing for HIPAA documentation audits.
A practice’s BAAs should be organized, readily available in the event of an audit, and accessible for records retention management and staff reference. Records can be paper or electronic. HIPAA requires that BAs and covered entities retain related documents for at least six years from creation date or last effective date, whichever is later.2 If possible, keep BAAs indefinitely. Additionally, it is a good idea to keep a list of current and former BAs on file for quick reference. Like most agreements, should major changes occur during the relationship, it is advisable to update the BAA.
Knowledge is Power
HIPAA is a complex topic with many rules and regulations that must be followed. While the intricacies can feel overwhelming, gaining a thorough understanding of expectations will help you remain compliant and prepared in the case of an audit.
LET US HELP: At BSM Consulting, we strive to ensure our customers have the tools and resources necessary to meet compliance standards. One way we do this is through BSM Connection® for Ophthalmology, where we offer members access to distance learning courses such as “A Guide to HIPAA and Patient Confidentiality.” Visit the BSM Connection website to learn more.