Wherefore Art Thou Business Associate? The Risk of Not Knowing.

One of our business associate clients asked this week, “Why aren’t our covered entities asking us to sign business associate agreements?” We think it’s because they don’t know they need to. They may not have even identified the full list of who their business associates are. This leaves covered entities (CEs) vulnerable to risk if their business associates (BAs) fail to follow HIPAA law. (Subcontractors of business associates must also comply with HIPAA if they handle PHI.) Our client sends them the BA agreement from The HIPAA E-Tool® Business Associate Edition, and uses another one provided from the BA Edition for its subcontractors. 

For other BAs without guidance, this is a critical issue and they may be targeted by the Office of Civil Rights (OCR) in 2017. BAs, like covered entities, are now liable for compliance with HIPAA rules, and are subject to federal investigation, enforcement penalties and random HIPAA compliance audits. Examples of business associates include:

  • A medical device maker that handles PHI
  • Revenue cycle managers that handle PHI
  • A collections agency providing debt collection services
  • An independent medical transcriptionist that provides transcription services
  • A subcontractor providing remote backup services of PHI data for an IT contractor-business associate
  • A law office or accounting firm that handles PHI

OCR is continuing enforcement of the issue because of the magnitude of data BAs handle and the resulting sizes of potential breaches. Breaches of PHI among business associates are caused in a variety of ways. The following graph shows that theft, hacking and loss account for about 77% of all BA breaches.

OCR is aware of the issue and wants to see improvements. The problem was highlighted by Iliana L. Peters, OCR’s Senior Advisor for HIPAA Compliance and Enforcement at HHS last month. Speaking at the Health Care Compliance Association’s annual compliance institute on March 27, Ms. Peters explained that covered entities who do not have business associate agreements with their BA’s are among the top 10 enforcement issues that OCR continues to encounter.

Why does the problem continue? The most likely reason is that there are so many covered entities, especially smaller providers, who don’t know that full HIPAA compliance requires that they have a BA agreement. And if so, they might not realize the danger of entrusting protected health information to business associates. HIPAA law requires covered entities to 1) identify who their BAs are, 2) perform due diligence to evaluate whether the BAs comply with HIPAA, and 3) enter into a HIPAA compliant BA agreement with each BA.

The HIPAA E-Tool® has answers for both covered entities and business associates. For covered entities, walk through how to identify business associates, see guidance and easy to use forms on how to perform due diligence, and use a HIPAA compliant business associate agreement tailored to your organization. For business associates, the Business Associate Edition of The HIPAA E-Tool® guides you through your responsibilities under HIPAA and provides HIPAA compliant agreements for your use.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2019 The ET&C Group LLC.
The HIPAA E-Tool® is a registered trademark of The ET&C Group LLC
Terms of Service | Privacy Policy

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free