Managing Business Associates Under HIPAA

For years, two of the largest laboratories in the world relied on a vendor to do their billing and collections. It all worked smoothly until it didn’t: the vendor’s server was hacked, blowing up the relationship and landing everyone in court. Those two labs, Quest and LabCorp, had millions of patients between them, and the American Medical Collection Agency (AMCA) was a business associate to both. When a massive breach at AMCA failed those millions of patients, Quest and LabCorp were sued, along with AMCA and Optum 360, another Quest business associate that had hired AMCA as its subcontractor.

What responsibility did the labs, as covered entities, have? Will they end up paying damages for mistakes at AMCA and Optum 360? The federal class action lawsuits are digging into the business associate compliance of all the parties to answer that question. Whether the labs are responsible depends on how they, as covered entities, managed their business associates.

Business Associates are Essential

Healthcare organizations are complex, and nearly every covered entity hires one or more contractors to help manage all the tasks. From answering services to billing and coding, to IT consulting or server backup, these specialized services are needed to run efficiently. There are far more business associates than covered entities, because business associates cover so many specialties required by the healthcare industry.

Business Associates Due Diligence

When a contractor “creates, receives, maintains or transmits” protected health information, it is a HIPAA business associate and must comply with HIPAA in its own right. If you are a covered entity, or a business associate who hires a subcontractor business associate, you must evaluate them and have a business associate agreement (or subcontractor business associate agreement) in place. Your HIPAA Risk Analysis is incomplete if you don’t evaluate your business associates.

Here are the steps for due diligence:

  • Identify – list your vendors and decide which of them are “business associates”
  • Inquire – ask whether they comply with HIPAA business associate rules: do they have policies and procedures, and have they done a HIPAA Risk Analysis?
  • Document – record your questions and their answers; you need to be able to prove your due diligence
  • Agree – enter a written business associate agreement that gives “satisfactory assurances” that they comply with HIPAA and safeguard protected health information
  • Reconfirm – periodically revisit each of them to ensure they still comply

All of these steps are part of your own required HIPAA Risk Analysis.

Do Not Let Business Associates Become Your Agent by Mistake

Managing business associates requires balance. You want to make sure they have their own HIPAA policies and that they understand and follow HIPAA, but if you exert too much control over their actions, you may inadvertently make them your “agent”. If that happens, you become directly responsible for their actions and liable for their negligence.

Your due diligence includes asking questions, receiving assurances, and documenting what you do. It does not include controlling or directing their decisions and actions. Make sure your business associate agreement accurately describes your relationship. Most covered entities would prefer to be separate and let the business associates stand alone, but there are exceptions.

Exception to the Warning about Agency

Quality assurance and risk management are among the good reasons a covered entity, in specific circumstances, may find it appropriate and even essential to have the ability to control work by a business associate and knowingly make the business associate its agent. The key is to know what you need and to have the right agreement, one that accurately describes what you need.

The HIPAA E-Tool® Understands Business Associates

The HIPAA E-Tool® has answers about the business associate relationship – for both covered entities and business associates. For covered entities, use easy-to-follow steps to identify business associates, ask the right questions to evaluate them, and use a HIPAA-compliant business associate agreement tailored to your organization.

For business associates, the Business Associate Edition of The HIPAA E-Tool® guides you through your responsibilities under HIPAA and provides HIPAA-compliant agreements for your use.

Answers to complicated questions are easy for us. Let The HIPAA E-Tool® help you.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.