Doctors and health plans are not the only ones impacted by HIPAA regulations. Lawyers, Certified Public Accountants, billing companies, and other third-party vendors working with PHI are also required to comply with HIPAA privacy requirements, and beyond that can be held independently liable for noncompliance. With the recent six-figure settlements that have come about as a result of HIPAA violations, entities that are covered by HIPAA need to make an effort to be proactive in ensuring compliance.
Health plans, healthcare clearinghouses, and healthcare providers are considered covered entities under HIPAA due to the broad standards that exist for certain transactions. However, the business associates of these covered entities are also required to comply with HIPAA regulations.
A “business associate” (BA) is a person or entity that performs activities that involve the disclosure of PHI on behalf of a covered entity or provides services to a covered entity. Legal services, financial consultation services, and companies that handle billing information are only a few examples of organizations that could be BAs.
After the HIPAA Omnibus Rule was established in 2013, BAs are directly responsible for ensuring that PHI is handled properly and performing risk assessments. One of the most important steps towards HIPAA compliance is establishing a written Business Associate Agreement (BAA). Settlements for HIPAA violations come at a large price. North Memorial Health Care of Minnesota paid $1.55 million in March 2016 after a laptop containing the unencrypted PHI of was stolen. Raleigh Orthopaedic Clinic, P.A. reached a settlement for $750,000 in April 2016 after releasing the x-rays of over 17,000 patients to a company that was recycling the films for the silver content. In July of 2016, the Oregon Health and Science University signed an agreement with OCR as a result of data breaches in 2013 that totalled $2.7 million.
OCR recommended in May 2016, that covered entities have BAAs that detail how PHI is to be used and a provide a time frame for BAs to report data breaches or potential security incidents. The OCR website provides an example of a BAA. Guidelines for what must be included in a BAA are also included.
In the event of a HIPAA violation, reports may lead to Resolution Agreements, a settlement that includes obligations of the covered entity or BA involved, including reporting to HHS, and submitting to HHS monioring.
With Phase 2 of OCR’s HIPAA privacy and security audits under way, it has become clear that OCR is cracking down on BAs. Taking steps towards HIPAA compliance should be a concern for any organization associated with a covered entity and establishing a BAA is a step in the right direction.