HIPAA Compliance, Part 2: Monitoring Your "Business Associates": now that you know who your "business associates" are, how do you make sure that they stay HIPAA-compliant? (Feature Article)

Nursing Homes, Jan, 2003 by Sandra K. Battaglia

October's article "HIPAA Compliance, Part 1: Who Are Your 'Business Associates?'" (NursingHomes/Long Term Care Management, p. 66) discussed how to identify business associates, as required by the Health Insurance Portability and Accountability Act's (HIPAA) privacy standards. This month's article will focus on the duties and responsibilities of organizations and their business associates.

To recapitulate, the privacy rules apply to the actions of "covered entities." In order for covered entities to operate, there are times when individually identifiable health information needs to be passed on to another entity. HIPAA defines these entities as "business associates," or entities that, on behalf of a covered entity, perform, or assist in the performance of, a function or activity involving the use or disclosure of individually identifiable health information. To provide guidance to covered entities and their business associates, the final modifications to the Privacy Rule issued on August 14, 2002, by the Department of Health and Human Services (HHS) included an appendix with sample business associate contract provisions.

In the business associate agreement, the obligations and activities of the business associate need to be set forth, and should include:

* the uses and disclosures of the protected health information that might be made by the business associate;

* a requirement that the business associate employ appropriate safeguards to prevent use or disclosure of the information, other than as provided for in the agreement;

* an agreement by the business associate that any agent, including any subcontractor, to whom it provides protected health information will agree to the same restrictions and conditions imposed on the business associate by the covered entity;

* a requirement that the business associate report to the covered entity any use or disclosure of the information not provided for by its agreement, once it becomes aware that such an event has occurred;

* an agreement that the business associate will make internal practices, books, and records relating to the use and disclosure of protected health information available to the covered entity upon request; and

* a requirement that upon termination of the business associate agreement, the business associate will return or destroy all protected health information received from the covered entity or, if such return or destruction is not feasible, promise to limit the further uses and disclosures of the protected health information.

In addition, the covered entity and business associate must agree that the business associate cannot disclose or use the protected health information in any manner that would not be permissible to the covered entity.

Having entered into an appropriate agreement, the covered entity has an ongoing obligation to monitor the business associate agreement. If the covered entity becomes aware of a violation by the business associate, then the covered entity has an obligation to take reasonable steps to end the violation. If the business associate continues to violate the regulations, the covered entity must terminate the agreement, if such termination is feasible. If it is not, the covered entity must report the business associate to HHS.

Discovering that a business associate disclosed or misused protected health information might not be easy. Should the covered entity become aware of credible evidence of a privacy violation, the covered entity has a duty to conduct a thorough investigation.

The business associate is not directly accountable for any violation of the privacy rules. The only entity to which the business associate is accountable is the covered entity, which is, of course, accountable to the relevant government agencies. Because covered entities are held accountable, they must attempt to cure any privacy violations by business associates.

Monitoring business associates for compliance with the HIPAA privacy rules might appear to be a complex undertaking, but it can be made easier by drafting, and then carefully monitoring, comprehensive and well-thought-out business associate agreements.

At the time of this writing, Sandra K. Battaglia, Esq., was special counsel to the Health Law Department of Cozen O'Connor, practicing in the firm's Wilmington, Delaware, office. Battaglia concentrates her practice in the area of transactional issues for long-term care and other healthcare providers, including regulatory and compliance matters. To comment on this article, e-mail to battaglia0103@nursinghomesmagazine.com.

COPYRIGHT 2003 Medquest Communications, LLC
COPYRIGHT 2003 Gale Group
