Guidelines for a Compliant Business Associate Agreement
AHIMA has published a new Practice Brief detailing guidelines for a compliant business associate agreement. An excerpt is available below. For the full Practice Brief, click here or visit AHIMA’s HIM Body of Knowledge.
On January 25, 2013, the US Department of Health and Human Services (HHS) published the final Omnibus Rule which expands the provisions of HIPAA brought forth in the Health Information Technology for Economic and Clinical Health Act (HITECH). The sections affected by these changes include privacy, security, enforcement, and breach
The final Omnibus Rule expanded the definition of a business associate to include subcontractors that create, receive, maintain, or transmit PHI on behalf of another BA.The definition of the term BA was also expanded to include:
- Health information organizations
- E-prescribing gateways
- A person that provides data transmission services for PHI exchange on behalf of a CE and requires access to such information on a routine basis
- Personal health record (PHR) vendors
In order to be compliant, covered entities and their BAs should review their BA agreements with the new requirements imposed by the Omnibus Rule provisions as follows:
- Security Standards (45 C.F.R. § 164.306)
- Administrative Safeguards (45 C.F.R. § 164. 308)
- Physical Safeguards (45 C.F.R. § 164.310)
- Technical Safeguards (45 C.F.R. § 164.312)
- Organizational Requirements (45 C.F.R. § 164.314)
- Policies and Procedures (45 C.F.R. § 164.316)
- Notification to the Secretary (45 C.F.R. § 164.410)
- General Rules; Uses and Disclosures of PHI (45 C.F.R. § 164.502)
- Organizational Requirements; Uses and Disclosures (45 C.F.R. § 164.504)
The rule now allows a BA to disclose PHI to their subcontractors when they enter into a BA agreement with them. The BAs are responsible and liable to the CE for the activities of their subcontractors who have entered into a BA agreement with them. If a BA’s contractor becomes aware of a violation of its contractual BA agreement, it must take steps to cure the breach or terminate the agreement if resolution is unsuccessful.
The Privacy Rule’s BA contract provision sets the requirements that should be addressed by the BAs. The Office for Civil Rights (OCR) also provided a model BAs agreement on its website for or use by covered entities.The modifications to the HIPAA Privacy and Security Rules exempt covered entities from enforcing contractual violations of its BAs agreements. Instead the HHS may now directly enforce privacy and security rule violations by BAs in the same manner as CE violations. This makes HIPAA’s criminal and civil penalties applicable to BAs.