The closest interaction most people have with the Health Insurance Portability and Accountability Act and other patient privacy laws is the litany of forms they sign at their physician’s office.
With the growth of the health care industry, however, more entrepreneurs have sought new opportunities that provide access, sometimes inadvertently, to protected patient records and information. In this context, often they are required to sign a business associate agreement.
The refrain we hear from clients goes something like this:
“It’s a form.”
“The contents of that are set by law.”
“Those things are non-negotiable.”
The reality is that the business associate relationship is one which involves risk, and in order to avoid penalties, business associates ought to learn more about HIPAA.
• What is a business associate?
Like any other business, most health care providers and health plans do not operate as islands. Instead, to provide both patient and administrative services, they must engage various people or businesses. HIPAA allows disclosure of protected health information to these “business associates,” subject to restrictions.
Business associates can include not only direct health care providers, but also accounting firms, attorneys, consultants and companies involved in claims processing or collections and other administrative services (e.g. billing and collection companies).
• What is a business associate agreement?
HIPAA requires health care providers to obtain “satisfactory assurances” that the business associate will appropriately safeguard patient records and protected health information. These assurances typically take the form of a “business associate agreement” or contract.
While many of the provisions of these agreements are dictated by law, these agreements are by no means “one size fits all.”
The agreement can include provisions that educate the business associate about its specific obligations, while simultaneously containing provisions imposing auditing obligations and indemnification. Contrary to popular belief, many of these provisions are negotiable.
• What is the Omnibus Rule?
In January 2013, the U.S. Department of Health and Human Services published the long-awaited Omnibus Rule – the final regulations implementing the Health Information Technology for Economic and Clinical Health Act.
These regulations were designed to strengthen the privacy and security protections for health information, as established under HIPAA of 1996. These regulations were described by the head of the HHS Office for Civil Rights as “the most sweeping changes to the HIPAA privacy and security rules since they were first implemented.”
• What did the Omnibus Rule change for business associates?
In addition to making business associates directly liable for compliance with certain requirements under HIPAA, the Omnibus Rule changed the following:
(A) Business associates must comply, where applicable, with the security rule regarding electronic protected health information.
(B) Business associates must report breaches of unsecured protected health information to covered entities, regardless of the risk of potential harm.
(C) Business associates must ensure that any of their subcontractors that create or receive protected health information agree to the same restrictions and conditions that apply to the business associate itself.
These changes require revisions to business associate agreements.
• Are existing business associate agreements grandfathered?
The “Omnibus Rule” grandfathers certain existing business associate agreements until Sept. 22, 2014. All entities were required to comply with the new standards regarding uses and disclosures by Sept. 23, 2013.
• What is the practical effect of these changes?
If you have not already done so on behalf of your company or practice, now is a good time to revisit and revise business associate agreements, compliance policies and procedures. This process may include retraining staff and employees, as well as auditing compliance.
Subcontractors will need to execute business associate agreements and be educated on their compliance obligations. Remember, you can be held responsible for your subcontractor.
While these actions require significant time and financial investment, it is a relatively small burden to bear in comparison to the potential penalties for noncompliance.
• What are the penalties for noncompliance?
The Omnibus Rule carries increased penalties for noncompliance based on the level of negligence or misconduct, including a maximum penalty of $1.5 million per violation.
Continued growth in the health care industry will provide increased opportunities in the new year. Businesses entering this arena should consult with experienced health law attorneys and other compliance professionals to ensure continued compliance.