Third-Party Protections

Key clauses of a HIPAA-compliant business associate agreement.
MedEsthetics October 2019

It’s common for healthcare facilities, including private practices, to contract out services such as bill collection, accounting, legal, lab work or transcription services. But farming out this work, though integral to the management of your business, can pose a risk to patient privacy.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires that a covered entity—healthcare provider, healthcare facility and/or healthcare plan—obtain satisfactory assurances from its business associates that they will appropriately safeguard the protected health information (PHI) they receive or create on behalf of the covered entity. And these assurances must be in writing.

Common examples of PHI include: name, date of birth, address, phone number, insurance ID number, Social Security number and full facial photographs—when they can be associated with the health information listed above. To better protect your patients’ privacy and avoid costly breaches, your practice must create—and enter into—a business associate agreement with any third-party service provider or vendor that has access to your patients’ PHI.

These agreements establish specifically that the business associate will:

  • Use the information only for the purposes for which it was engaged by the covered entity.
  • Safeguard the information from misuse.
  • Help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

Key Clauses

The business associate agreement should spell out the business associate’s duties and obligations through the following clauses:

Security Rule Compliance. It should be the business associate’s duty to establish, implement and maintain appropriate administrative, physical and technical safeguards in accordance with the HIPAA Security Rule.

Mitigation. The business associate must agree to mitigate, to the maximum extent practicable, any harmful effect that is known to the business associate of a use or disclosure of PHI by business associate or a subcontractor of business associate in violation of the requirements of this agreement.

Encryption of Electronic PHI (EPHI). In the event that business associate transmits EPHI on behalf of the covered entity via electronic mail over the Internet or stores EPHI in the cloud, business associate agrees that such EPHI shall be secured by an encryption technology that renders EPHI unusable, unreadable or indecipherable to unauthorized individuals in accordance with the guidance of a standards developing organization that is accredited by the American National Standards Institute, unless otherwise required by the Secretary of the U.S. Department of Health and Human Services (HHS) to meet an alternative standard.

Reporting Impermissible Use and Disclosure of PHI; Security Incidents and Breach Reporting. Business associate shall report to the covered entity as soon as practicable and without unreasonable delay, but not more than ten (10) working days after discovery of any incident that involves unauthorized acquisition, access, use or disclosure of PHI not permitted under this agreement, even if business associate believes the incident will not rise to the level of a breach. (This clause should include a clear definition of what constitutes a breach.)

Remuneration. There should be an express provision that the business associate will not directly or indirectly receive remuneration in exchange for any PHI.

Term and Termination. This clause should cover the term of the agreement as well as causes for early termination and obligations of the business associate to return or destroy all PHI upon termination of the agreement.

A sample business associate agreement is available at www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-ass...

Breach Reporting – Who Is Responsible?

Following a breach of unsecured PHI, covered entities must provide notification to: affected individuals; the Secretary of the HHS; and, in certain circumstances, the media. Business associates must notify the covered entities with which they work if a breach occurs at or by the business associate.

Breach notification requirements are very specific and must be followed completely. They are available online at: www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

The covered entity is ultimately responsible for ensuring individuals are notified of a breach, whether by the covered entity or a business associate. Through your business associate agreement, you may delegate to the business associate the responsibility of providing individual notifications if the business associate committed the breach. Which entity provides the notice is usually determined by who is in the best position to provide the notice as well as the written business arrangement.

Covered entities and business associates both have the burden of demonstrating that all required notifications have been provided or that the use or disclosure of unsecured PHI did not constitute a breach. Therefore, it is essential that the covered entity or business associate maintain all documentation relating to how the required notifications were made.

Business associate agreements are not only the law; they are also key to protecting your practice and your patients by reiterating the importance of protecting private health information and clarifying the responsibilities of each entity involved in the agreement.

Allyson Avila is assistant managing partner of the Harrison, New York, office of Gordon, Rees, Scully Mansukhani. Contact her at aavila@grsm.com.
