In 1996, the government introduced the Health Insurance Portability and Accountability Act (HIPAA) to protect sensitive patient information. HIPAA includes standards that prevent protected health information (PHI) from being disclosed without the patient’s consent. “Covered entities,” such as providers, health plans, and health clearinghouses, are required to adhere to strict privacy standards.
However, HIPAA regulations also extend to vendors and partners who work with covered entities. Therefore, if your organization is a covered entity and you work with partners who have access to patients’ PHI, you need to implement Business Associate Agreements.
What is a Business Associate Agreement?
A Business Associate Agreement is a contract between a covered entity and its vendors that stipulates the types of patient data the vendor can receive and how they can use it. These agreements ensure that patient data stays private and protected.
What does a Business Associate Agreement include?
Business Associate Agreements cover how partner organizations must treat PHI. An agreement establishes the permitted uses and disclosures of PHI, confirming that the vendor will not use or disclose PHI for any purpose other than those explicitly stated.
A Business Associate Agreement also requires the vendor to implement appropriate safeguards to prevent unauthorized use or disclosure of private patient information. The agreement also requires the business associate to report any use of PHI not included in the contract, including data breaches.
Business associates must also make their internal practices, books, and records regarding the use and disclosure of PHI available to HHS so that HIPAA compliance can be verified. Additionally, the agreement stipulates that all PHI must be returned or destroyed, if feasible, at the end of the contract.
Business associates must also ensure that any subcontractors with access to PHI agree to the same regulations and restrictions regarding its use and disclosure.
What qualifies as a business associate?
According to HHS, a business associate is any person or entity, other than a member of the covered entity's workforce, who performs functions on behalf of a covered entity that involve access to PHI. Additionally, any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate must adhere to the same regulations outlined in a Business Associate Agreement.
What are some common Business Associate Agreement mistakes?
One of the most significant errors covered entities and their business associates make is not having an agreement in place, or having an incomplete agreement. Many covered entities don’t know which partners qualify as business associates. Additionally, a partner’s status as a business associate may change if the scope of the partnership changes over time.
Other common errors include:
Making all contractors sign a Business Associate Agreement
While it might feel safer to have all contractors sign Business Associate Agreements, an agreement isn’t necessary if a contractor or service provider doesn’t access, use, or disclose PHI.
Assuming having an agreement in place means compliance
Having a Business Associate Agreement in place doesn’t by itself mean compliance. The agreement must be complete, and the associate must adhere to the regulations and restrictions in the agreement. For example, if a contractor or service provider doesn’t implement the appropriate safeguards, they’re non-compliant, and so are you. Similarly, if your business associate uses subcontractors but doesn’t require them to follow the same security protocols, they’re non-compliant.
Not having companies that touch PHI sign an agreement
With modern electronic communications and data transmission, PHI passes through more organizations than you might realize. Any software solution that handles PHI is a business associate and requires a Business Associate Agreement.
Using an incomplete Business Associate Agreement template
While a template can help you cover all of the necessary aspects of a Business Associate Agreement, you should carefully review a template before using it. Templates should be relevant to your situation, and you should be able to customize them to cover all requirements stipulated by the covered entity.
Why is HIPAA compliance important?
Noncompliance with HIPAA can result in hefty fines and a loss of patient trust. Your patients rely on you to protect their private information. When data breaches occur, your patients may question whether they can trust your organization.
Additionally, the financial penalties for HIPAA violations can reach $1.5 million in a single year. There are four tiers of violations. Tier one covers accidental violations that the covered entity isn’t aware of despite exercising reasonable due diligence. Tier two violations are also accidental, but the covered entity either knew or should have known about the violation. Tier three violations involve willful neglect that is corrected within 30 days of discovery. Finally, tier four covers violations caused by willful neglect that is not corrected within 30 days of discovery.
Maintaining HIPAA compliance is critical to your organization’s success. Choose business partners who also take HIPAA and your patients’ privacy seriously. Curogram is a HIPAA-compliant patient engagement platform featuring double encryption, ensuring that PHI is secure from appointment scheduling through telemedicine appointments. Contact Curogram to learn more.