April 25, 2013

In case you viewed the title of today's newsletter and your first reaction was to scratch your head and ask yourself "what is a business associate agreement, and why would I need one?", let's start at the beginning.  A business associate agreement is a document you are required to enter into with any third party (a non-practice member or employee) that has access to patient protected health information and uses it for a purpose defined by HIPAA (45 CFR Parts 160 and 164).  Meaning, your Internet provider or bank, which may have only incidental access, would not necessarily qualify, but your billing company or consultant most certainly would. 

Now, a business associate agreement is typically an ancillary document to your services agreement, which sets forth the actual arrangement with the third party.  To stay with the billing company example, you should have signed a document with your billing company that addresses the services to be performed, the obligations of the parties (payment, etc.), the term, legal protections and more.  In addition to your services agreement, because this third party will have access to protected health information, you are also required to enter into a contract detailing the allowed uses and disclosures of your patients' protected health information by the business associate.  Business associate agreements are required to contain certain elements, including the permitted uses and disclosures, what happens if there is a breach, return or destruction of the information at the end of the relationship, and more.  Important to note, you are also explicitly permitted under the Omnibus Rule to allocate legal responsibility for non-compliance by contract, through indemnification or another risk-shifting provision. 

The new Final Omnibus Rule, published in January 2013, made significant changes to HIPAA, including increased potential fines for noncompliance.  Compliance with these changes is required by September 23, 2013.  In addition to increased scrutiny by the Office for Civil Rights, parties will have additional obligations to each other, including limiting your business associate to the Minimum Necessary standard, placing liability on the business associate for breaches by its subcontractors, addressing breach notification requirements, and generally making the business associate directly subject to the new HIPAA requirements. 
Typically, parties have pushed the onus of procuring a business associate agreement onto the business associate, but that practice does not mean the practitioner will be held unaccountable should the business associate agreement not comply as required.  So, my suggestion is: hold every business associate accountable, and request that they produce for your signature a compliant, updated business associate agreement well before the applicable required date of September 23, 2013. 

For assistance with a business associate agreement or to purchase a new one visit our order form at: https://www.kirschenbaumesq.com/page/practice-compliance

Also, check out the Breach Notification Policy, which every practice should have in place to ensure compliance. 

Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or  at (516) 747-6700 x. 302.