HIPAA liability protections: business associate agreements are a must for effective risk management

The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

What BAAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

  • establishes the permitted uses/disclosures of PHI,

  • stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,

  • spells out that the BA reports to the covered entity any unauthorized uses and disclosures,

  • extends the terms of the BAA to its subcontracts, and

  • establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.

Violations under HIPAA can be penalized at anywhere from $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day the BA and covered entity operated without a business associate agreement is a separate violation, and multiply the fine by the number of days no BAA was in place, so the penalties can be steep.

Liability of agents

Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.

Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.

The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.

Zachary B. Cohen, JD, is an associate at Garfunkel Wild, P.C., in Great Neck, New York. Send your medical legal questions to medec@advanstar.com.
