Is a Signed Business Associate Agreement Enough?

Many covered entities work with vendors, consultants, lawyers, data managers and more for subcontracted services that require the use of PHI. In order to release PHI to a subcontractor, covered entities are required to obtain a signed Business Associate Agreement that describes their HIPAA responsibility.

But is a signed contract enough to protect you from liability in the case of a breach?

Things to Consider: The Business Associate Agreement and HIPAA

The HIPAA Omnibus Rule defines any entity that handles protected health information (PHI) on behalf of a Covered Entity, including vendors and subcontractors, as a Business Associate (BA). Business Associates are required to comply with the HIPAA Security Rule, with HIPAA generally, and with any contractual requirements arising from Business Associate Agreements with Covered Entities.

As a covered entity, you are required to obtain “reasonable assurance” of your Business Associate’s compliance with the BAA and HIPAA regulations. This leaves a lot of room for you to do what you think is right.

But consider that if one of these BAs causes a breach of the data you provide to them, you may be held liable. You’re putting your own business on the line by accepting a signature alone as “evidence” that they understand the terms of the agreement, are taking it seriously, and are implementing the actions it requires.

Do you feel that your organization is protected with this level of assurance?

Developing Confidence In Your Business Associate Agreement

You might consider sending your BAs a brief compliance questionnaire in addition to a Business Associate Contract to make sure that they have at least some sort of compliance program in place.

But then again, if they show on their questionnaire that they are not strongly compliant, that could impact your ability to do business with them or demonstrate that you knew they were not compliant and did business with them anyway.

Many businesses accept a signed contract as “reasonable assurance” of compliance from their BAs. But other businesses, for whom the risk or the cost of a BA breach is too high to accept, require more assurance of compliance. It’s up to your organization to determine what is acceptable.

Takeaways

A good way to determine what is acceptable is to do a risk analysis and assessment regarding the data your business associates will be dealing with.

BAs using huge data sets with a low expectation of compliance? You may need stronger assurance.

BAs who are likely to be compliant and only using a very small amount of data? Maybe a signed contract is enough.

Do you want an extra layer of confidence in your business associate agreement? Give Gazelle Consulting a call at (503) 389-5666! We’ll help you ensure that your business is wholly compliant, quickly and painlessly.
