Due to their legal necessity, and resultant ubiquity, nearly all medical practitioners and practices have at least a general familiarity with the Business Associate Agreement (“BAA”). However, as with most ubiquitous things, sometimes it is worth taking a step back to remind ourselves of the what, when, and why. That is particularly true when the thing in question is a contract subject to numerous regulatory requirements. This article aims to provide just such a refresher.
Many may think of BAAs as nothing more than a standard form, like any other, to be quickly signed before getting on with the business of collaborating with a third party. The truth is that they represent a crucial tool defining the rights and obligations of the parties involved. They also represent an important line of defense in the protection of patients’ protected health information (“PHI”).
To determine more clearly what a BAA is, we turn to the regulations promulgated in connection with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The regulations at 45 C.F.R. § 164.502(e)(1) discuss how and when a covered entity may disclose PHI to a business associate. Understanding this requires the definitions of both “covered entity” and “business associate.” As to the former, “covered entity” is defined at 45 C.F.R. § 160.103 as a health plan, a health care clearinghouse or “a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” As most of you will know, a common example of a “transaction covered by this subchapter” is electronic billing for services rendered.
As to the latter, the definition of “business associate” at 45 C.F.R. § 160.103 essentially describes an individual or organization outside the workforce of the covered entity that “creates, receives, maintains, or transmits” PHI for purposes including “claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, . . . billing, benefit management, practice management, and repricing.” The purposes also include the eight categories of patient safety activities listed at 42 C.F.R. § 3.20. The regulations at 45 C.F.R. § 160.103(4) describe what a business associate is not, which helps to more clearly define the limits of the definition. Note, also, that a covered entity may be a business associate of another covered entity. 45 C.F.R. § 160.103(2).
With the parties to a BAA defined, it is time to address the definition and requirements of the BAA itself. In the simplest sense, the BAA is a contract between a covered entity and a business associate (or between a business associate and its subcontractor) aimed at documenting assurances related to the business associate’s handling of PHI. The HIPAA regulations at 45 C.F.R. § 314 set forth the various requirements of a BAA. Included among them are requirements related to reporting security incidents, complying with the HIPAA regulations applicable to covered entities, and implementing administrative, physical, and technical safeguards.
While these requirements may seem overwhelming upon first glance at the regulations, covered entities and business associates need not start from scratch when preparing a BAA. The U.S. Department of Health & Human Services (“HHS”) very helpfully published form BAA provisions on January 25, 2013. The date is worth mentioning because it means that the proposed provisions reflect the additional BAA requirements at 45 C.F.R. § 164.504(e) arising from the 2013 HITECH HIPAA Omnibus Rule (e.g., related to complying with the HIPAA Privacy and Security Rules, reporting breaches, and ensuring that business associates’ subcontractors are subject to the same conditions and restrictions as are the business associates themselves). These form provisions are available on HHS’s website. Simply type “Sample Business Associate Agreement Provisions” into the search box on www.HHS.gov and the link to the form provisions will be among the first three links listed.
A BAA is required when a covered entity wishes to “permit a business associate to create, receive, maintain, or transmit” electronic PHI. Under applicable law, covered entities are held to a higher standard than business associates with regard to PHI protection (e.g., the Privacy Rule under HIPAA applies to covered entities). But the different standards do not change the fact that covered entities do not and cannot work alone. Covered entities often require the assistance of business associates and such assistance often involves the creation, receipt, maintenance, and/or transmission of PHI.
Recognizing this, 45 C.F.R. § 164.308(b)(1) allows a covered entity to grant permission to a non-covered entity (i.e., a business associate) to “create, receive, maintain, or transmit” PHI on the covered entity’s behalf. The next subsection, 45 C.F.R. § 164.308(b)(2), grants that same right to business associates working with subcontracted business associates. Short of unreasonably and unnecessarily expanding the definition of covered entities to ensure all who handle PHI are held to the same standard, the BAA is a document that pulls the non-covered entity up nearer to the standard that the covered entity must meet. As discussed in the previous section, the BAA formalizes the administrative safeguards that address concerns about PHI. So, before engaging a business associate in connection with any work that involves creating, receiving, maintaining, or transmitting PHI, the covered entity and its business associate must sign a BAA.
Apart from the fact, mentioned above, that a BAA represents a useful way to define the rights and obligations of the covered entity and its business associate with regard to protecting patients’ PHI, there are also the financial implications to consider. By way of a recent example, in December of 2018 a group in Florida called Advanced Care Hospitalists (“ACH”) agreed to pay the Office of Civil Rights (“OCR”) $500,000 and to adopt a corrective action plan to settle potential claims that it violated HIPAA’s Privacy and Security Rules by releasing PHI without a BAA in place.
ACH’s business was contracting internal medicine physicians to hospitals and nursing homes in western central Florida. From November 2011 to June 2012, ACH utilized the services of an individual who held himself out to be a representative of a Florida company called Doctor’s First Choice Billings, Inc. (“First Choice”). Though that individual provided ACH with medical billing services ostensibly through First Choice and its website, the individual allegedly did so without either the knowledge or the permission of First Choice’s owner. On February 11, 2014, a local hospital informed ACH that PHI (including names, dates of birth, and social security numbers) was viewable on First Choice’s website. After ACH was able to identify at least 400 affected individuals, it asked First Choice to remove the information from First Choice’s website.
Two months after learning of the issue, ACH filed a breach notification report with the OCR indicating that at least 400 individuals were affected. ACH raised that number by 8,855 in a supplemental breach report. OCR Director Roger Severino said of the incident, “[t]his case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA.” While one may quibble with how basic the requirements are, the consequences of such a failure can be devastating to both patient privacy and practice solvency. It is for these reasons that we prepared this refresher. We hope that it proves useful to you.
Vasilios (“Bill”) J. Kalogredis, Esquire is Chairman of Lamb McErlane’s Health Law Department. Bill has been practicing health law for over 40 years, representing exclusively physicians, dentists, group practices, other health care professionals and health care-related entities. 610.701.4402
Andrew Stein, Esquire is an associate in Lamb McErlane’s Health Law Practice. He represents practitioners and practices with services at the intersection of health and business, from entity formation and employment through licensure issues and practice sales. 610.701.4433
Chester County Medicine, Winter 2019