Did you know that business associate agreements are mandatory under the HIPAA privacy rule? If you don’t have these agreements in place, you’ll fail a HIPAA audit. The good news is that avoiding the consequences of violating this rule isn’t as complicated as it may seem. In this part of our HIPAA compliance series, we’ll discuss creating and reviewing these agreements.

Covered entities + business associates

Before we jump into reviewing agreements, let’s first look at the parties this applies to. Both covered entities and business associates fall under the privacy rule.

Covered entities

The definition for a covered entity applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.

If you’re unsure whether an organization is a covered entity, you can use this decision tool from the HHS.

Business associates

The HHS defines a business associate as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Examples of business associates include:

  • A third-party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

To pass a HIPAA audit, both covered entities and business associates must show that they have an agreement in place and that it lays out the procedures for safeguarding PHI.

How the privacy rule applies to covered entities

Covered entities must know who their business associates are and have agreements in place with each of them. They’re responsible for drafting these agreements so that they meet HIPAA requirements. Once the agreements are in place, covered entities must continue to monitor their business associates’ compliance with those agreements. In the event of a breach, covered entities must be able to show that they took reasonable measures to prevent it.

How the privacy rule applies to business associates

The privacy rule requires covered entities to obtain agreements from their business associates that assure associates will safeguard protected health information (PHI). These agreements must be in writing and they also must specify the parties’ responsibilities when handling PHI.

Beyond the permitted and required uses of PHI, this agreement must also state that the business associate will not use or disclose PHI for any reason other than what is permitted by the contract or by law.

Why having these agreements benefits your organization

Having these agreements in place is in your best interest. If a data breach happens and it’s caused by one of your business associates, the agreement documents the obligations the associate accepted and supports your case that the consequences should fall on the associate rather than on you. This is increasingly important as cybersecurity threats grow and breaches become more common for organizations that don’t have security measures in place. Don’t let your HIPAA compliance efforts go to waste. Hold your associates accountable and keep an eye on their compliance.

Reviewing your agreements

The final step, once you have these agreements in place, is to set up requirements for monitoring them on a regular basis. There are several ways that you can verify the compliance of your partners. During the review process, you should also request a copy of their internal HIPAA policies and risk assessments. Then, you can make sure that they aren’t violating HIPAA rules themselves. (To learn more about risk assessments, see this post in our HIPAA compliance series.)

What are the consequences of not updating and reviewing agreements?

A word of caution before we close this article: covered entities and business associates must ensure they lay the proper foundation to survive an audit of their own. When this doesn’t happen, your organization can face severe consequences. Penalties for HIPAA violations cost organizations anywhere between $100 and $50,000 per violation. If several entities or business associates you’re connected to aren’t compliant, it can cost your organization thousands of dollars.

In 2016, the HHS announced a settlement with the Care New England Health System (CNE) that illustrates this point.

This is the statement the HHS posted in connection with this violation:

CNE, on behalf of each of the covered entities under its common ownership or control, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a monetary payment of $400,000 and a comprehensive corrective action plan.

You can read more about this settlement here.

What if I don’t have these agreements in place?

If you don’t have these agreements yet, this is something that you should address immediately. It’s actually a common issue: in many organizations there is no business associate agreement in place between the covered entity and its business associates, or between those associates and their subcontractors. However, the consequences you could face without these agreements in place could put your entire organization in jeopardy.

If upon reviewing your documentation, you find that this applies to you, you should get these agreements in place as soon as possible. Not sure where to start? You can find a sample agreement on the HHS website here.

The bottom line is that if you don’t have these agreements in place, your organization is not HIPAA compliant. Don’t skip this step. Ensure that you have and monitor your written agreements to avoid failing a HIPAA audit. Want to stay up to date on our HIPAA audit content series? Check out all our content, including the final part of the series, by visiting our blog.