OCR and Business Associates

OCR’s interest in Business Associates is not new but they are much more active in this area lately. For example, Business Associates:

Are directly responsible for their own security incidents and all HIPAA breaches per the HITECH Act;
Will be audited by OCR per the HITECH Act;
Are the subject of the OCR’s April 2016 Cyber-Security Monthly Update;
Have OCR guidance beginning in 2002;
Have a set of OCR FAQs beginning in 2002, and constantly being updated; and
Were responsible for a Covered Entity’s March 2016 $1.55 M OCR fine.

It is very important to know who is a business associate and who is not a business associate. With a business associate a covered entity needs to have a signed business associate agreement. But a covered entity does not need a business associate agreement with an individual or business that works for the covered entity if it does not use, review, or disclose protected health information in its work tasks.

What is a Business Associate?

A HIPAA business associate is an individual or a business that helps a covered entity do its work using, reviewing, updating, and transmitting the covered entity’s protected health information.

For example, a business associate may be:

A third party administrator that assists a health plan with claims processing;
A CPA firm whose accounting services to a health care provider involves access to protected health information;
An attorney whose legal services to a health plan involve access to protected health information;
A consultant that performs utilization reviews for a hospital;
A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer;
An independent medical transcriptionist that provides transcription services to a physician; and
A pharmacy benefits manager that manages a health plan’s pharmacist network.

In today’s world, a business associate can look very different than a business associate anticipated by the HIPAA regulations when they were first published in 2002. Your reporter knows of one business associate that has no physical business offices. This entity is totally run by and worked by remote managers and workers.

A business associate may do things that you, as a covered entity, may not want them to do without giving your organization notice, such as outsourcing work that uses your organizations protected health information, even security work, or of-shoring your organization’s work including protected health information to India, Ireland and other places.

What or who is not a Business Associate?

A business associate agreement is not necessary for:

Janitorial service;
The UPS delivery person;
The cafeteria staff;
The electrician or other repair staff;
Disclosure for treatment, or payment; and
Enrollment or provision of public benefits, such as Medicare.

What does OCR say a Covered Entity needs to do?

The OCR April 2016 Cyber-Security Update: Is Your Business Associate Prepare for a Security Incident? states that a covered entity should include in its service level agreement or directly in the business associate agreement:

How and for what purposes PHI shall be used or disclosed in order to report to the covered entity any use of disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents;
The time frame they expect business associates or subcontractors to report a breach, security incident, or cyberattack to the covered entity or business associate, respectively; and
The type of information that would be required by the business associate or subcontractor to provide in a breach or security incident report.

Plus, it suggests that covered entities and business associates train their staff on how and when to do incident reporting.

One important question about what a covered entity needs to do is found in an OCR frequently asked question: is a covered entity liable for, or required to monitor, the actions of its business associates?[1]

No. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates which protect the privacy of protected health information; but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its business associates. However, if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights. See 45 CFR 164.504(e)(1).

March 2016 $1.55 M fine

$1.55 million settlement underscores the importance of executing HIPAA business associate agreements[2]

North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle charges that it potentially violated the HIPAA Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor.

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s staff member’s locked vehicle, that held the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that:

North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules;
Its business associate performed certain payment and health care operations activities on its behalf;
Its business associate, Accretive Health, Inc., had access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients;
Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The Resolution Agreement and Corrective Action Plan can be found at: http://www.hhs.gov/sites/default/files/North%20Memorial%20RA%20and%20CAP%20March%202016%20%28508%29.pdf.

Practical Steps?

All covered entities and business associate should review and update:

Business Associate Agreements, plus service level agreement;
Security policies and procedures;
Staff training on reporting of security incidents, and breaches, and the mitigation of any security incidents or breaches; and
Consider Cybersecurity Insurance.

The North Memorial Health Care of Minnesota corrective action plan offers good advice when it mandates:

Develop policies and procedures related to business associate relationships;
Modify the existing risk analysis process to include both business associates and mobile tools;
Develop and implement a risk management plan; and
Training.

Remember using business associates, and follow-on subcontractor business associates, creates new business relationships that need to be managed, even if not monitored. If your organization uses business associates they must be part of your risk analysis, risk management, and your training, to name three important areas.

Resources