HIPAA Business Associate Agreements – Recipe for failure

MACRA, MIPS and the October 2 deadline have kept us busy conducting HIPAA Security Risk Assessments. This year, in response to the history of settlements and the number of breaches tied to Business Associate practices, we adjusted our assessment tools to account for these trends. Our findings so far have been quite alarming and clearly display a recipe for failure.

The HIPAA Security Rule has always required specific actions with respect to Business Associates. The HITECH Act modified some of that guidance and imposed stricter measures. The Omnibus Rule used the HIPAA Security Rule and HITECH as a baseline and put them on steroids. At the end of the day we are faced with the following:

  • Covered Entities must obtain satisfactory assurances from their Business Associates that the Business Associate will appropriately safeguard the protected health information it receives or creates on behalf of the Covered Entity;
  • The chain of obligations must be preserved, hence contracts between Business Associates and their subcontractors must include the same provisions as those between the Covered Entity and the Business Associate;
  • Business Associates of Covered Entities are directly liable for compliance with the HIPAA Security Rule's requirements;
  • Covered Entities must terminate their contract relationship with Business Associates that fail to comply with the provisions of the HIPAA Security Rule.

In the field, our findings amounted to the following:

  • Covered Entities could not produce Business Associate Agreements, and those who had them were not in compliance with the law;
  • We could not verify the existence of HIPAA Security Officers, prior Risk Assessments, policies, or any other confirmation that these Business Associates are in compliance with the law;
  • None of the Business Associates has any type of certification indicating that it is complying, or that a third party has reviewed its systems and found them in compliance with the law.

Basically, our take is that these relationships are in fact a recipe for failure, and that in the event of an audit or a breach it will be extremely difficult to defend either the Covered Entity or the Business Associate. In terms of fines, we could be looking at $50,000 per violation, up to $1.5 million per calendar year for violations of the same provision. Depending on the situation, the Office for Civil Rights (OCR) may treat each day the violation continued as a separate violation, so the penalty accumulates for every day of non-compliance.

What we recommend all Covered Entities and Business Associates do is:

  • Update your Business Associate Agreement. If you do not have an updated copy, go to https://www.epicompliance.com/;
  • Ensure your Business Associates and their subcontractors (those that handle ePHI) are in compliance with the rule;
  • Terminate your relationship with the Business Associate or subcontractor if they refuse to comply with the rule or to provide assurances that they are in compliance.

At the end of the day it is your decision what to do, but we strongly recommend being proactive: don't let your relationship with your Business Associate become a recipe for failure.