Healthcare practices should have business associate agreements (BAAs) in place and review them regularly to remain HIPAA compliant.
A business associate agreement, or BAA, is a contract between a healthcare provider and any other business that may have access to patient records. For example, billing companies, IT professionals and attorneys, among others, are usually business associates. The key question in deciding whether a BAA is necessary is whether the service provider will have access to patient records, for example because it creates, receives, stores or transmits them on the practice's behalf. If so, a BAA must be in place in order for the medical practice to remain compliant with the Health Insurance Portability and Accountability Act (HIPAA).
For a physician who wants to practice medicine, or an overburdened office manager trying to make sure the office runs smoothly, the details of HIPAA can be overwhelming. It is not surprising that in small- to medium-sized practices, staff members struggle to give some parts of HIPAA, such as BAAs, the full attention required.
The policies and implementation practices surrounding BAAs are an area that many medical offices may need to review. Kate Stewart, JD, an attorney with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, in Boston, Massachusetts, says one of the first problems smaller practices encounter regarding BAAs is in finding an appropriate template or form to use.
Seeking legal counsel, particularly in practices without legal counsel on staff, makes sense. However, Stewart suggests having the person who is responsible for contracts sit down with counsel, rather than simply asking if a form is good or not. She says it is critical for the person who handles BAAs to understand what is necessary and what is not.
Some items are required in a BAA; others are negotiable. Stewart says that indemnity is a good example because it isn’t required, but is often included. A medical practice may want to include indemnification so that the business associate would share the costs of notifying patients in the event of a breach; however, the business associate would likely oppose such a clause. “It’s important,” she says, “to understand fully what can and cannot be deleted.”
There are plenty of blank forms available, but Stewart says, “Make sure you understand who that form was drafted for.” If a form was drafted by someone representing a third-party service provider and not a healthcare provider, the terms are likely to favor the business associate rather than the practice, as in the case of indemnity. Similarly, a form drafted for a large organization may not be the best one for use in a smaller practice.
Oral agreements may seem adequate, but Stewart advises careful consideration any time an outside party provides a service to a healthcare provider. Whether the issue is related to computer networks, billing, security or some other function, the third party may need access to patient records in order to identify and solve the problem.
Since the patient records contain protected health information (PHI), the business associate must sign a BAA. “An oral contract is not enough,” says Stewart, adding that any time PHI is shared, even if it is a one-time transaction, a BAA must be in place.
Some due diligence before entering a contract could be helpful. Stewart suggests asking prospective business associates whether or not they work with other healthcare providers, especially smaller ones, as well as what sorts of security practices and safeguards are in place. “If there is a reason that person needs to access PHI, they need to understand their responsibility,” she says, adding that if they have worked with healthcare providers before, it’s more likely they are aware of their HIPAA-related obligations.
In addition to following careful procedures when entering into BAAs, practices should conduct regular internal audits. Reviewing practices and policies related to BAAs is a two-step process, according to Stewart. First, there is the process of reviewing the existing BAAs: the contracts themselves, their terms, and how they are implemented and stored. Look for contracts that have been terminated, or those that were for a one-time service.
The second step, Stewart says, is auditing what does not exist, adding, “It’s a harder exercise because you are looking for what’s not in the folder, but should be.” Are there business associates who have access to PHI who have not completed agreements? Are there clearly defined steps for determining whether or not a BAA should be on file? Performing a regular review of BAAs is a crucial part of HIPAA compliance.
Although there is no specific guidance in HIPAA on how often internal audits of BAAs should take place, Stewart says, “OCR [the HHS Office for Civil Rights] would not likely look kindly on auditing every five years.” She says it may come down to the size of the practice and the resources available, but stresses the importance of regular reviews.
“HIPAA is flexible and scalable for small practices but they do still have obligations,” she says.