The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.
Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.
Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.
What BAs must include
If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:
establishes the permitted uses/disclosures of PHI,
stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,
spells out that the BA reports to the covered entity any unauthorized uses and disclosures,
extends the terms of the BAA to its subcontracts, and
establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.
The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.
Violations under HIPAA can be penalized at anywhere between $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day that the BA and covered entity did not have a business associate agreement is a violation, and multiply the fine by the number of days no BAA penalty was in place, so the penalties can be steep.
Liability of agents
Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.
Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.
The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.
Zachary B. Cohen, JD, is an associate at Garfunkel Wild, P.C., in Great Neck, New York. Send your medical legal questions to [email protected].