
Understanding Business Associate Agreements


A critical component of a dental office’s HIPAA compliance program is obtaining business associate agreements from each of its business associates. A business associate is a person or entity that performs services for the covered entity (the dental office) involving the use or disclosure of protected health information (PHI), including electronic protected health information (ePHI).

Examples of business associates include electronic claims vendors, information technology (IT) providers, practice management software companies, appointment confirmation companies, marketing companies, trainers, consultants, bookkeepers, accountants, lawyers and others.

A business associate may also be a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

To comply with HIPAA, the dental office and the business associate must enter into a contract known as a “business associate agreement” that obligates the business associate to properly safeguard PHI and adhere to the HIPAA regulations.

Business associates are now directly liable under the HIPAA regulations. Non-compliance can result in civil and criminal penalties for improper uses and disclosures of PHI and for failing to adequately safeguard ePHI. According to the Ponemon Institute, business associates’ average cost from a data breach is $1 million.

It is reasonable to ask a business associate whether it maintains HIPAA policies and procedures, and whether it has recently conducted a thorough, documented security risk assessment and trained its workforce.

Dental offices should therefore require business associates to implement appropriate administrative, physical, and technical safeguards. These safeguards are meant to prevent unauthorized access, use or disclosure of PHI, and include implementing the requirements of the HIPAA Security Rule with regard to ePHI. The same obligations apply to the business associate’s subcontractors.

Carefully review existing relationships with independent contractors to determine whether a current business associate agreement is in place or whether an existing agreement must be revised. Agreements should reflect the most current HIPAA language. As of Sept. 22, 2014, dental offices qualifying as covered entities were required to have these contracts in place with all of their business associates. In fact, if the dental office is selected for a random audit, the HHS Office for Civil Rights (OCR) will check whether these agreements are in place.

Additionally, business associates are responsible and liable to the dental office for the activities of any subcontractors that have entered into a business associate agreement with them.

When working with larger vendors, the vendor may present its own business associate agreement to the dental office. This raises a concern for dentists who are not accustomed to reading such contracts: is the agreement drafted to favor the business associate rather than the dentist?

According to the Department of Health and Human Services, the business associate agreement must include the following:

• Establish the permitted and required uses and disclosures of protected health information by the business associate. This places limits on how the information is used and ensures the information is accessed only for the intended purpose.

• Clarify that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.

• Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information.

• Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information. Such compliance may help avoid fines for non-compliance and prevent legal action.

• Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.

• To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.

• Require the business associate to make available to Department of Health and Human Services (HHS) its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.

• At the termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.

• Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.

• Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

Information regarding business associate agreements, along with sample language for business associate agreement provisions, is available at www.hhs.gov.

The Department of Health and Human Services stresses that reliance on sample language may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.

In reviewing numerous corporate business associate agreements, we caution dentists about agreements that cap the vendor’s liability at the monthly value of the service being provided. The question in these instances is: if a breach occurs and the resulting claims cost thousands to millions of dollars, has the business associate disclaimed responsibility in a binding contract? Check with an attorney familiar with healthcare law. Also ask your professional liability insurance carrier whether you need data breach coverage, and review any indemnification clauses as well as the agreed jurisdiction.

It is highly important to set aside time to audit the business associate agreements currently in place and determine which agreements must be obtained or revised. Maintain copies of business associate agreements for at least six years from the date they were last in effect.

Compliance is an ever-evolving area of practice management and a component of owning a business in the dental industry. Take the time to make sure your business associate agreements are on file.

————————————————————————————————————————————————

Olivia Wann founded Modern Practice Solutions, LLC in 2000, focusing on compliance issues. She started her law practice in 2012. This article does not constitute legal advice, and reading it does not create an attorney-client relationship. To contact Olivia, please email her at [email protected].
