Healthcare providers who work with outside business associates are required to have business associate agreements (BAAs) that reflect the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. A separate agreement is required for each entity that creates, receives, maintains, or transmits protected health information (PHI) on the provider's behalf. When establishing BAAs, small practices should address the following issues in addition to the standard areas of compliance.
HIPAA Omnibus Rule
The 2013 Omnibus Final Rule made a number of significant changes to the requirements for BAAs. When writing or updating agreements with third-party contractors, practices should closely review the Omnibus Rule requirements. According to the Association of Corporate Counsel, essential changes include an updated definition of PHI, limits on the use of PHI in marketing, the forms required when PHI is requested, breach reporting obligations, and direct compliance with the HIPAA Security Rule by business associates. Practices should also review any changes in state security and privacy laws, which may be stricter than HIPAA, before updating their BAAs.
Training and education
Business associates that handle PHI are required under HIPAA to train their workforce on privacy and security policies and procedures. According to the American Health Information Management Association, a BAA can require confirmation that the associate has completed this training. The healthcare provider can also require that employees of the business associate complete training at the hospital or practice.
Although business associates are responsible for entering into their own BAAs with subcontractors and for their subcontractors' handling of PHI, healthcare practices need to ensure that this chain of responsibility is documented. A BAA should address what measures the associate must take with subcontractors that handle PHI. According to HealthITSecurity, each BAA in the chain must be at least as specific and as restrictive as the one above it regarding the use and handling of health and personal information. The same rules apply to any further third parties that work for those subcontractors.
Definition of low-risk breaches
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals and the U.S. Department of Health and Human Services of breaches of unsecured PHI within set time periods (no later than 60 days after discovery), and business associates must notify the covered entity of any breach they discover so that it can meet those deadlines. Covered entities should spell out in their BAAs the protocol for handling all types of security incidents, including the associate's reporting deadline and the information it must provide. Under the Omnibus Rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised; the agreement should state who performs and documents that assessment, and should also address the narrow exceptions to notification, such as an unintentional, good-faith access by a workforce member that does not result in further use or disclosure.