The U.S. Department of Health & Human Services (HHS) has not said definitely that Health Insurance Portability
and Accountability Act (HIPAA) business associate agreements (BAAs) must be updated immediately. Nevertheless, there's no time like the present to take action as part of due diligence in preventing data breaches, according to David Mack, a health law attorney with Shipman & Goodwin LLP in Hartford, Conn.
HHS should be posting its final HIPAA enforcement rule in the Federal Register any day now, said Lou Ann Wiedemann, director of practice resources for the American Health Information Management Association (AHIMA), during a March 7 webinar. It will take 60 days for the rule to go into effect after it's published; covered entities, such as hospitals and physicians' offices, will have 180 days after that to get into compliance.
That might sound like an eternity in calendar days, but health care providers should consider reviewing and updating their HIPAA business associate agreements (BAAs) right now. This will ensure that business associates have patient-data protections in place and aren't a HIPAA compliance liability for a hospital.
The Office of Civil Rights "has anecdotally said that it may be okay to wait until the final rule is promulgated before deciding how to proceed if your business associate agreement is otherwise compliant and you've determined that it's a low risk to keep [it] in place," Mack said during a prerecorded segment of the webinar. "However, there are very mixed strategies on how to approach this issue. Some covered entities are amending their BAAs, some are not. Most are doing updated BAAs for new business associates. At a minimum, one needs to review [them]."
HITECH Act necessitates new HIPAA business associate agreements
The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA compliance and set in motion a process for drafting additional regulations, the result of which will be the HIPAA enforcement rule. Cumulatively, these regulations put many of hospitals' business associates on an equal HIPAA footing with the hospitals themselves.
Technically, business associates have been subject to the new HIPAA regulations -- and liable for civil financial penalties -- since Feb. 17, the two-year anniversary of the HITECH Act. The HIPAA enforcement rule will shed a lot more light on what exactly happens when a business associate causes a patient data breach, however.
Even if a hospital legal department opts to wait to update existing HIPAA business associate agreements and sign new ones until HHS issues that final rule, it's a good idea to at least renew acquaintances with business associates, Intermountain Healthcare Security Consultant Mary Thomason said.
Even if a hospital legal department opts to wait to update existing HIPAA business associate agreements and sign new ones, it's a good idea to at least renew acquaintances with business associates.
"We have more than 600 business associates, and we have a prescribed standard [HIPAA] business associate agreement," said Thomason, who was co-presenter with Mack during the AHIMA webinar. Fortunately, Intermountain has notified its business associates about changes to HIPAA, as well as new breach notification procedures and new chains of communication, "so we're one of those sitting pat right now," she added.
Refreshing contact information was an essential piece, Thomason said. "We've had some of these agreements for years, and we've kind of lost track of each other, to be frank."
Agreeing in advance about what will happen if a data breach occurs can save a lot of time and confusion if there is one.
For example, one part of the new HIPAA enforcement rule requires hospitals to report breaches affecting 500 or more patients to HHS within 60 days of when they're discovered. Another part requires business associates to report breaches to the covered entity, who in turn will report it to HHS with a plan to address the issue and notify patients and local press.
What if the business associate reports a data breach 59 days after it's discovered? In theory, that would give a covered entity one day to put a plan together. Whether the OCR would blame a covered entity or business associate is anybody's guess -- but a health care organization and its partners can prevent such headaches by addressing them now.
How to write strong HIPAA business associate agreements
Along with Mack, Thomason and Wiedemann, Diana Warner, AHIMA professional practice resource manager, and Gwen Hughes, privacy officer for CARE, a health information management temporary staffing company, spoke during the webinar. Participants said hospitals can head off these and other potential HIPAA problem spots by writing well-thought-out HIPAA business associate agreements whose terms reflect compliance strategies tailored to the updated rules.
Other suggestions include the following.
- Require business associates to be aware of -- and comply with -- evolving state privacy laws that may add more stringent requirements than HIPAA's. Some states might require reporting sooner than 60 days or notifying additional authorities about data breaches; or they might pin responsibility on the business associate instead of the covered entity. Getting everyone on the same legal page before a breach will make for a faster, more compliant response in the event one occurs.
- Require business associates to develop internal processes to discover and report data breaches. Agreements should outline such matters as how the business associate will determine a data breach happened, who at the business associate will notify the covered entity and who will be the covered entity's contact. In addition, the agreement should specify that breach notifications will occur in a timely fashion -- on the day of the breach, if necessary.
- Require business associates to implement processes for dealing with OCR investigations. Under the strengthened HIPAA enforcement rule, business associates are likely to be on the receiving end of more patient complaints and subsequent OCR actions, such as information requests for audits.
- Make subcontractors aware of HIPAA requirements. When business associates subcontract work, covered entities are not required to sign agreements with the subcontractor. However, that subcontractor still must safeguard protected health information.
- Make business associates take action when subcontractors allow data breaches.HIPAA business associate agreements should require assurances that subcontractors understand HIPAA privacy mandates and have instituted processes to fulfill those mandates. Just like business associates, subcontractors also should be aware that they must report data breaches.
- Require business associates to repair or correct the HIPAA violations committed by subcontractors. When that isn't possible, require them to terminate the subcontracting agreements immediately.
- Consider confidentiality agreements for other partners. An IT vendor with whom a hospital does business might not fit HIPAA's technical definition of a business associate, but the vendor still might inadvertently run into patient data during the course of its work. Safeguard patient data by requiring vendors who might come into contact with patient data to sign a confidentiality agreement. This should include many of the things covered in the HIPAA business associate agreement, such as mandatory reporting of a patient data disclosure when they see it (or receive it).
- Consider a "modification by notification" clause. Are you tired of updating HIPAA business associate agreements and collecting signatures every time the legal department issues an update? Add a clause to the agreement stating that it can be modified merely by sending update notifications. (These would mimic the missives that credit card companies periodically send that they say contain "important customer information about your account.")
Let us know what you think about the story; email Don Fluckinger, Features Writer.
Briefing: How to avoid a health care data breach
New data breach laws highlight importance of planning, preparation