Third-Party Protections

Nov 23rd, 2019
Allyson Avila
HIPAA-Compliant Business Associate Agreements

It’s common for healthcare facilities, including private practices, to contract out services such as bill collection, accounting, legal, lab work or transcription services. But farming out this work, though integral to the management of your business, can pose a risk to patient privacy.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires that a covered entity—healthcare provider, healthcare facility and/or healthcare plan—obtain satisfactory assurances from its business associates that they will appropriately safeguard the protected health information (PHI) they receive or create on behalf of the covered entity. And these assurances must be in writing.

Common examples of PHI include: name, date of birth, address, phone number, insurance ID number, Social Security number and full facial photographs—when they can be associated with the health information listed above. To better protect your patients’ privacy and avoid costly breaches, your practice must create—and enter into—a business associate agreement with any third-party service provider or vendor that has access to your patients’ PHI.

These agreements establish specifically that the business associate will:

  • Use the information only for the purposes for which it was engaged by the covered entity.
  • Safeguard the information from misuse.
  • Help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

Key Clauses

The business associate agreement should spell out the business associate’s duties and obligations through the following clauses:

Security Rule Compliance. It should be the business associate’s duty to establish, implement and maintain appropriate administrative, physical and technical safeguards in accordance with the HIPAA Security Rule.

Mitigation. The business associate must agree to mitigate, to the maximum extent practicable, any harmful effect that is known to the business associate of a use or disclosure of PHI by business associate or a subcontractor of business associate in violation of the requirements of this agreement.

Encryption of Electronic PHI (EPHI). In the event that business associate transmits EPHI on behalf of the covered entity via electronic mail over the Internet or stores EPHI in the cloud, business associate agrees that such EPHI shall be secured by an encryption technology that renders EPHI unusable, unreadable or indecipherable to unauthorized individuals in accordance with the guidance of a standards developing organization that is accredited by the American National Standards Institute, unless otherwise required by the Secretary of the U.S. Department of Health and Human Services (HHS) to meet an alternative standard.

Reporting Impermissible Use and Disclosure of PHI; Security Incidents and Breach Reporting. Business associate shall report to the covered entity as soon as practicable and without unreasonable delay, but not more than ten (10) working days after discovery of any incident that involves unauthorized acquisition, access, use or disclosure of PHI not permitted under this agreement, even if business associate believes the incident will not rise to the level of a breach. (This clause should include a clear definition of what constitutes a breach).

Remuneration. There should be an express provision that the business associate will not directly or indirectly receive remuneration in exchange for any PHI.

Term and Termination. This clause should cover the term of the agreement as well as causes for early termination and obligations of the business associate to return or destroy all PHI upon termination of the agreement.
A sample business associate agreement is available at www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-ass...

Breach Reporting – Who Is Responsible?

Following a breach of unsecured PHI, covered entities must provide notification to: affected individuals; the Secretary of the HHS; and, in certain circumstances, the media. Business associates must notify the covered entities with which they work if a breach occurs at or by the business associate.

Breach notification requirements are very specific and must be followed completely. They are available online at: www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

The covered entity is ultimately responsible for ensuring individuals are notified of a breach, whether by the covered entity or a business associate. Through your business associate agreement, you may delegate to the business associate the responsibility of providing individual notifications if the business associate committed the breach. Which entity provides the notice is usually determined by who is in the best position to provide the notice as well as the written business arrangement.

Covered entities and business associates both have the burden of demonstrating that all required notifications have been provided or that the use or disclosure of unsecured PHI did not constitute a breach. Therefore, it is essential that the covered entity or business associate maintain all documentation relating to how the required notifications were made.

Business associate agreements are not only the law, they are key to protecting your practice and your patients by reiterating the importance of protecting private health information and clarifying the responsibilities of each entity involved in the agreement.

Allyson Avila is assistant managing partner of the Harrison, New York, office of Gordon, Rees, Scully Mansukhani. Contact her at [email protected].

Image: Unsplash/Lianhao Qu

More in Business
A girl applies a healing cream to acne on her face
Valisure Files Citizen Petition for Market Withdrawl of Benzoyl Peroxide Products
Valisure has suggested that its tests on dozens of prescription and over-the-counter benzoyl peroxide products indicate that currently formulated BPO medications are unstable and can generate unacceptably high levels of benzene when mishandled.
Mar 25th, 2024
85% of readers want to learn about private label skin care for their medspa or aesthetic practice! Here are six ways to take advantage of private label skin care in your medspa or practice.
6 Ways to Take Advantage of Private Label Skin Care [Survey Results]
85% of readers want to learn about private label skin care for their medspa or aesthetic practice! Here are six ways to take advantage of private label skin care in your medspa or practice.
Mar 25th, 2024
Prioritize patients' mental health by paying attention to red flags and taking care to set proper expectations.
Approaching Aesthetics Through the Lens of Mental Health
Prioritize patients' mental health by paying attention to red flags and taking care to set proper expectations.
Mar 21st, 2024
Enhancing Confidence: Reverse by Aerolase for Scar Revision in Breast Augmentation & Reduction
Sponsored
Enhancing Confidence: Reverse by Aerolase for Scar Revision in Breast Augmentation & Reduction
The Reverse by Aerolase protocol harnesses the power of two state-of-the-art lasers, the Neo Elite and the Era Elite, to significantly enhance the appearance of scar tissue, redness, texture, and underlying pigment.
Feb 19th, 2024
A practitioner's guide to federal and state tax laws, deductions and tax planning strategies.
Top Tax Deduction Tips for Medical Aesthetics Doctors
A practitioner's guide to federal and state tax laws, deductions and tax planning strategies for doctors/physicians in medical aesthetics.
Mar 20th, 2024
Young African American female consumer choosing beautycare
4 Consumer Trends Driving the Retail Industry
Square's Future of Commerce report predicts that consumers want new perks, personalization and integrated automation in their retail experience.
Mar 11th, 2024
In our March 2024 profile feature, Jennifer Levine, M.D., dives into rewriting female beauty standards and the spread of misinformation with social media.
Social Media Savvy: Jennifer Levine, M.D.
In our March 2024 profile feature, Jennifer Levine, M.D., dives into rewriting female beauty standards and the spread of misinformation with social media.
Mar 11th, 2024
semaglutide ozempic injections for blood sugar/weight loss
FDA Cracks Down on Ozempic Knockoffs
The FDA issued warning letters to two companies selling "highly purified peptides," accusing the companies of misleading consumers through their sales of highly purified peptides.
Mar 6th, 2024
Photo of beautiful woman getting mesotherapy treatment in face
5 Insights into Patient Spending Habits during Holiday Seasons
Qsight Aesthetics Tracker reports there is a peak demand for neurotoxins, light wave therapy and professional skin care during Q4, with consistent spending across generational gaps.
Feb 29th, 2024
What aesthetic practices and medspas need to know about promoting noninvasive body contouring treatments.
Instant Abs?: Legalities of Promoting Noninvasive Body Contouring Treatments
What aesthetic practice and medspa owners need to know about promoting noninvasive body contouring treatments.
Feb 28th, 2024
Novaestiq Corp., is set to disrupt the U.S. aesthetics market with a platform of innovative new products, after announcing it's agreement with Croma-Pharma GmbH and negotiations with Coronado Aesthetics, LLC.
Novaestiq's Platform of Innovations Set to Shake Up Aesthetics Market
Novaestiq Corp., is set to disrupt the U.S. aesthetics market with a platform of innovative new products, after announcing it's agreement with Croma-Pharma GmbH and negotiations with Coronado Aesthetics, LLC.
Feb 28th, 2024
Creating a welcoming and LGBTQIA-friendly practice helps you not only attract a diverse clientele, but also provide a positive and affirming experience for all individuals. This article will delve into strategies and practices that can be implemented to ensure an LGBTQIA-friendly environment in your medspa.
Creating an LGBTQIA-Friendly Medical Spa/Practice Environment
How to create a welcoming and LGBTQIA-friendly environment in your medical spa/practice.
Feb 27th, 2024