In the healthcare industry, there is often so much that needs to be accomplished that one single hospital or clinic cannot do it alone, which is why they often enlist the help of business associates. As a way to protect any sensitive health information business associates may come in contact with, covered entities often craft what are known as business associate agreements.
Acting as third-party contractors performing a task on a healthcare organization’s behalf, business associates often work with sensitive health information, including patients’ PHI. As a result, covered entities create business associate agreements as a means to establish security expectations between themselves and the business associate.
Below, HealthITSecurity.com breaks down what a business associate agreement entails, the consequences of not obtaining one, and how the industry is handling the influx of third-party contractors.
How does HIPAA define business associate agreements?
A business associate is any third-party contractor that works for or on behalf of a healthcare organization or covered entity. Business associates may include lawyers working on a healthcare organization’s case, or a company that assists with claims processing.
According to the Department of Health and Human Services, business associates may have access to PHI, but only to assist a healthcare organization in performing critical tasks, not for their own use.
“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” HHS explains.
In order to fully protect patient privacy and covered entities under HIPAA, covered entities must enter into business associate agreements. Business associate agreements address the security provisions business associates must make in order to fully protect PHI.
According to HHS, HIPAA requires business associate agreements to address the following:
- Describe the permitted and required PHI uses by the business associate;
- Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law;
- Require the business associate to use appropriate safeguards to prevent inappropriate PHI use or disclosure.
HIPAA also addresses the consequences business associates face should they improperly disclose PHI or fail to adequately safeguard PHI.
A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
Undefined business associate agreements lead to HIPAA violations
Properly defining a business associate agreement is critical for all covered entities enlisting the help of a third-party contractor. Those covered entities that have failed to define a business associate agreement have faced trouble with HHS following healthcare data breaches.
Earlier this year, North Memorial Health Care of Minnesota settled to pay $1.5 million in HIPAA fines for failing to establish a business associate agreement.
The hospital failed to identify Accretive Health, Inc. as a business associate, despite the fact that the nature of Accretive’s work required it to access PHI.
When an Accretive employee had a laptop stolen, the PHI of nearly 6,000 North Memorial patients was disclosed.
Upon investigation, HHS found that North Memorial began sending its PHI to Accretive in March 2011, but had not entered into a business associate agreement until October 2014.
This is not a unique situation, according to recent research.
A recent Ponemon Institute study found that 73 percent of healthcare organizations have seen an increase in cybersecurity incidents involving business associates. Another 65 percent of healthcare organizations said they find it difficult to manage cybersecurity issues related to business associates.
A total of 60 percent of healthcare organizations do not check the privacy and security measures of third-party contractors despite the exchange of PHI.
To mitigate this issue, the Health Information Trust Alliance (HITRUST) has created the HITRUST Business Associate Council, which is geared toward helping healthcare vendors and covered entities discuss the process of creating a business associate agreement.
The Business Associate Council will provide a forum in which vendors and covered entities may discuss various approaches not only to creating a business associate agreement, but also to monitoring the agreement in order to adequately protect PHI. Ultimately, this forum will inform HITRUST on how to approach business associate agreements for the whole industry.
“I expect the BA Council to provide HITRUST significant input and insights around our approach to third-party assurance and other programs affecting business associates and vendors,” said HITRUST CEO Daniel Nutkis. “Their input is crucial, and they are an equal partner as we drive better effectiveness and efficiencies in the third-party assurance process.”