When HIPAA was originally enacted and the first set of regulations published, the statutory language specified that only certain “Covered Entities” would be required to abide by the law: health care providers, health insurance plans, and specialty health data entities known as health care clearinghouses. That left many entities with regular access to medical information, such as billing companies, accountants, lawyers, pharmacy benefit management companies, and other healthcare entities and vendors, outside the scope of the law. The original HIPAA regulations offered a fix for this conundrum: “Covered Entities” are required to enter into agreements with the “Business Associates” to whom they provide medical information; these “Business Associate Agreements” or “BAAs” impose by contract the same HIPAA obligations that are imposed on the Covered Entities by statute and regulation.
When the HITECH Act provisions were published as part of the Stimulus Bill, HIPAA was amended so that Business Associates are now directly liable for most HIPAA requirements. So, no more BAAs, right? Wrong; because the HITECH Act only imposed some obligations on Business Associates, and because a Business Associate’s obligations need to be closely tailored to the covered entity for which it works, BAAs are still necessary. Additionally, the HITECH Act (and the recently published “Omnibus Rule” regulations implementing it) add some specific provisions that should be included in a Covered Entity’s BAAs.
The US Department of Health and Human Services provided a form of BAA back when the original regulations were published, and has developed a new set of “Sample BAA Provisions” which are available here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. Every BAA must impose ten primary criteria on Business Associates:
- What uses and disclosures are permitted;
- No other uses or disclosures unless specifically allowed;
- Implement appropriate safeguards;
- Report breaches and problems;
- Assist Covered Entity with granting individuals’ access, amendment, and accounting of disclosures;
- Comply with other requirements applicable to Covered Entity;
- Make available books and records to HHS;
- At termination, return or destroy all information;
- Ensure that subcontractors meet the same standards; and
- Authorize termination if the Business Associate breaches the BAA.
Of course, if you are a covered entity, you probably already have a BAA that you’ve used regularly since the early days of HIPAA, and you’d like to keep as much of your current contract as possible. If so, all you need to do is amend your existing BAA to include all of the new requirements of HITECH and the Omnibus Rule. Specifically, you need to amend your BAA to add the following provisions:
- Add a definition of HITECH and the Omnibus Rule, and consider whether to include them in the definition of HIPAA.
- Where the BAA describes the Business Associate as an entity receiving data from the Covered Entity or producing it for the Covered Entity, include the words “creates, receives, maintains or transmits.” That is the new language defining the roles that a third-party vendor can play to become a Business Associate, and it is useful to include the same language.
- Specifically note that the Business Associate must notify you of any “breach” as defined in HIPAA. This can be included in the “reporting of disclosures” section or some similar location. Remember to include a relatively short reporting period (3-5 days, usually), so that you will be able to meet your own timing requirements if the breach must be reported. A Covered Entity has up to 60 days to report a breach, but that is an outside limit; the obligation is to report “without unreasonable delay,” and if your Business Associate delays in reporting to you, you may not be able to meet your own timing constraints. You may be treated as knowing of the breach at the same time the Business Associate discovers it, not when they report it to you.
- Add to the “accounting of disclosures” section a statement specifying that, if the Business Associate maintains records in electronic form, it will account for ALL disclosures for at least a 3-year period. This is different from the original accounting requirement, which excludes many disclosures but lasts for 6 years.
- Specifically note that the Business Associate has obligations under the HITECH Act, and require the Business Associate to acknowledge and agree to abide by those requirements.
- Add a provision noting that the Business Associate will abide by requirements not to disclose data to insurers and other health plans if the patient pays for the service in full and requests confidentiality. The Covered Entity will likely have to notify the Business Associate that a patient has requested such secrecy.
- The BAA should already give the Covered Entity the right to terminate if the Business Associate violates the BAA. However, you should add a provision allowing the Business Associate to terminate the BAA if the Covered Entity fails to meet its HIPAA obligations. This is not mentioned in the Omnibus Rule, but was specifically noted in the HITECH Act.
- The Omnibus Rule added some language to the BAA regulations that was not otherwise mentioned in the HITECH Act. If the Business Associate carries out one of the Covered Entity’s obligations under the Privacy Rule, the BAA must require that the Business Associate agree to abide by that Privacy Rule provision. While this is covered conceptually in almost every BAA already, it can’t hurt to include specific language to this effect.
The HITECH Act and the Omnibus Rule also require Covered Entities to review their Notices of Privacy Practices and in most cases make some revisions. But I’ll save that for my next article.
— Jeff Drummond is a partner in the health law section of Jackson Walker. Contact him at firstname.lastname@example.org.