BreachExchange mailing list archives

Don't Neglect Business Associate Agreements
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 13 Jan 2015 20:10:15 -0700

http://www.renalandurologynews.com/business-associate-agreements-important-physicians-hipaa/article/392203/

A requirement of the Health Insurance Portability and Accountability Act
(HIPAA) that should not be ignored is the business associate agreement. “Say
a doctor has a security breach. If the government comes in to investigate,
they will ask to see the business associate agreement,” said Kirk Nahra, a
partner with Wiley Rein LLP. “If you don't have one, it makes it look like
you don't care about this stuff and that makes it worse.”

If an audit is done and health care providers have at least some kind of
agreement on file, the providers would likely have an easier time with
auditors because it shows some effort was put into following the rules,
according to Nahra. Fortunately, business associate agreements are among
the easiest requirements with which to comply, he said.

Who is an associate?

All vendors or subcontractors that create, receive, transmit, or maintain
patients' protected health information are subject to the agreements,
including technology vendors who have information stored on the cloud even
if they don't plan to access the information.

Large organizations may have a lot of vendors that may need coverage, but
small groups may only have 2 or 3 vendors, Nahra said. It is important to
consider groups like a billing service, an accounting firm that may be
dealing with outstanding claims, and technology companies that could have
remote access to your computers.

Ron Rawson, a privacy officer at Saint Louis University, recommends going
through contracts and weeding out people who don't have access to patient
information. Send agreements out to anyone who does have access.

Rawson said entities with access to information that would not need
agreements include: state or federal government agencies, which receive
data you report for registries; courier services that transport sealed
documents; medical laboratories; and other physicians.
Build a template

Business associate agreements can be built as part of a vendor contract,
but Rawson said it is more practical to offer them separately. This way, if
the service contract changes over time, the business associate agreement
will remain in effect.

The HIPAA Omnibus rule required that, as of September 2013, business
associates are legally liable for complying with HIPAA; it is no longer the
responsibility of the physician to ensure vendors comply. However, Nahra
said this change shouldn't lull physicians into a false sense of security.

“Now a consulting firm is regulated by these rules,” he said. “If you fail
to have a contract, they have to follow theirs, but you are still violating
the rules by not having one.”

Some vendors, like an accountant, may not know they need an agreement so
they may not have them on file. Their contracts also may not be complete or
hit all of the points a physician needs.

There are at least 2 topics not required to be in business associate
agreements that physicians should address. First is the disclosure of
information. Most physicians will want to limit the use of patient
information, and any restrictions on data disclosure need to be spelled out
in the agreement.

“If there is a consulting firm that wants to give advice to other people
and use your data, you have to make it clear that they can't use it,” Nahra
said. “A vendor's agreement may give more rights to that information than
what they [providers] want.”

The second area to note is breach reporting. This isn't required to be
spelled out, but should be in case data are ever released inappropriately.

Points to touch on include:

- when the vendor should notify you in case of a breach
- who is responsible for notifying patients
- who will be responsible for the cost of a breach

Sample business associate agreements can be found online at the Department
of Health and Human Services website and through the American Medical
Association.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 