Sunday, May 18, 2014

Why you should not sign everything put in front of you: HIPAA Business Associate Agreements


The Health Insurance Portability and Accountability Act of 1996 and its subsequent amendments ("HIPAA") govern the contractual arrangements between Covered Entities and Business Associates, and now also downstream Business Associates, or subcontractors (under the Health Information Technology for Economic and Clinical Health Act, "HITECH").

This entry presumes the reader has a basic knowledge of HIPAA, but if not, please see the above link for HIPAA.

Today, we look at the evolving and complicated nature of Business Associate Agreements ("BAAs"). These are the agreements mandated by HIPAA, and now HITECH, although the recent amendments and the preamble make clear that the requirements of HIPAA and the HITECH Act apply to a Subcontractor even if the Business Associate fails to enter into a contract with the Subcontractor. This is very important below when we cover some of the complications.

First:
HIPAA requires certain provisions to be covered in BAAs. Often, the Covered Entity will put in additional provisions, usually around indemnity, audits, breach notification timelines, and data protection minimums not required by HIPAA, such as encryption. These provisions are unduly burdensome, especially given the characteristics of most Business Associates, which are small operations. It is understandable why an entity would want to put these protections in place, but it may stifle the ability to outsource and place a strain on relationships.

Second:
It is understandable why the government wants to reach further than Covered Entities and have direct oversight of Business Associates. Think about it: Dr. Jones on the neighborhood corner may not have the wherewithal to properly secure data or to respond to breaches. Consider also that the new provisions allow the State Attorneys General to bring civil actions on behalf of state residents for HIPAA violations, for damages or to enjoin further violations. I once had a privacy attorney argue with me via email (which cc'd numerous colleagues) that HIPAA as amended by HITECH absolutely did not provide for a private right of action. Well, duh - but given that the states can now do so on behalf of their citizens...it is practically the same thing. But I understand, in the law, one must be precise.

Third:
Large organizations that are now clearly defined as Business Associates, according to the guidance issued with the final rules, at first stated they would not sign BAAs. Remember above, where the new rules provide for liability whether a BAA is signed or not...? Well, their refusal did not last long. See a discussion about Amazon Web Services here. What large providers who do not wish to be rolled under HIPAA have done is place administrative requirements on the Covered Entities or Business Associates which use their services, such as requiring them to list all accounts for which they have patient data. Many organizations are unable to fulfill these requirements. So what is the solution: sign something they cannot fulfill, or don't sign, in which case HIPAA applies anyway? This is yet to be tested, but it is a popular conundrum.

Organizations should be careful about signing any old BAA placed in front of them. Watch your salespeople, too. They are likely presented with individual BAAs when they show up; either the BAA does not apply or the employees are committing the company to a BAA without proper review. And this can be costly given the additional items that are in a BAA as discussed above. And how can an organization signing tens or hundreds of BAAs possibly manage to push all the same provisions to downstream vendors? They conflict with each other - and Covered Entities need to understand that with the addition of clauses that are not required by HIPAA, they are setting their Business Associates up for failure.

Last, many small business owners that are Covered Entities do not understand HIPAA completely. Heck, neither do I. After a professional conference, Business Associates or potential Business Associates will be deluged with requests to sign BAAs. Sometimes the exact same template is used, including clauses that still contain internal drafting directions such as [choose one of the two clauses below]. It can be frustrating on all sides. Most individuals, however, are just trying to do the right thing. If a Covered Entity wants an organization to sign a BAA and the relationship does not exist, the organization can easily respond with a tight explanation. If still pushed, adding a line such as "This agreement only applies where the organization acts in the capacity of a Business Associate under HIPAA" will generally satisfy the needs of both sides. This is another untested, yet relatively popular, strategy.

The conclusion here is that you should not sign everything put in front of you - or your employees. Educate all individuals to send the BAAs to a central office. Push back, or scale back, non-HIPAA provisions. It will be interesting to see how these natural conflicts play out in the next few years.