Don't let "business associates" create a HIPAA mess
A column examining the ins and outs of contract issues
The Health Insurance Portability and Accountability Act introduced the term "business associate agreements" to the physician vernacular.
Those are contracts that physicians present to their business associates -- outside entities, vendors and individuals -- who have access to protected health information. Physicians have had to make sure that their agreements specifically provide that these associates agree not to release any protected health information to a third party without authorization or in violation of the HIPAA privacy rule.
The question we are most often asked regarding these agreements is: What is my exposure in relation to the actions or omissions of my business associates? Physicians want to know if they are liable once they give their business associates their patients' protected health information, and then the business associates fail to safeguard it.
Your exposure as the covered entity has been difficult to assess due to the lack of regulatory guidelines or clarification. As you know, the HIPAA regulations impose civil and criminal penalties for violations. The Office for Civil Rights has indicated that civil money penalties will be sought against only covered entities, while the Dept. of Justice has indicated that both covered entities and non-covered entities are subject to the HIPAA criminal sanctions.
But some clarification has come. The Dept. of Health and Human Services recently published long-awaited proposed regulations to complete the HIPAA enforcement rule. The regulations include a covered entity's liability -- meaning a physician's liability -- in relation to the actions or inactions of their business associates.
Released on April 18, the proposed new rule indicates that shared liability between a physician (or other covered entity) and his or her business associate is unlikely if the physician followed all of the requirements of the HIPAA privacy rule. Those requirements mean executed agreements with business associates to safeguard protected health information and due diligence to oversee and ensure that protections are carried out.
Physicians in compliance with the business associate provisions of the HIPAA security and privacy rules would not be liable for any violation by the outside entities, even though the business associate is the covered entity's agent and was acting within the scope of its agency when it violated the rule.
The proposed rule would make enforcement provisions that already apply to the privacy regulations applicable to other rules under HIPAA, including security, transactions and code sets, and the standard unique health identifiers for health care professionals.
You should know that the proposed rule does not distinguish between an action or an inaction -- meaning that failure to protect data is viewed the same way as intentionally releasing it.
You probably have signed business associate agreements with technology vendors, practice management consultants, accountants and others who need to have access to your patients' protected health information to provide you with the services you and your practice require.
You should revisit those business associate agreements to ensure that you and your practice are in full compliance with the HIPAA privacy and security regulations. Make sure that all of your business associate agreements contain the requisite safeguards for protected health information.
Physicians also have been revisiting their business associate agreements in light of the April 2005 compliance date for the HIPAA security regulations. HIPAA security rules apply to physicians who transmit patient information electronically. They require physicians to conduct a risk assessment to identify system vulnerabilities and implement security policies and procedures.
The following are some liability pitfalls that you should avoid when contracting with business associates:
Limitation of liability. Often, business associate agreements are attached as addendums to underlying agreements that pre-date the HIPAA privacy rule. But make sure that your main service contract and business associate addendums do not contain conflicting provisions. You should specifically look at the terms related to the limitation of liability and indemnification.
Your business associates should not be able to limit their liability under the terms of the main contract or any subsequent addendum.
Lack of safeguards. Make sure that your business associates agree not to use or disclose your patients' protected health information or electronic protected health information in any way other than as permitted by the agreement or required by law. Your business associates should provide you with evidence of their safeguards and written notice if they plan to discontinue any safeguards.
Failure to monitor activities of business associate. You must take steps to oversee and monitor the services being provided by your business associates. In your agreement, you should have the right to request and receive information and documents from your business associate to monitor ongoing HIPAA compliance.