Tony Mira, Chairman and Chief Executive Officer of MiraMed
A Refresher for Anesthesia Practices on Business Associate Agreements: Are Your Contracts in Order?
Covered entities, including anesthesia practices, are required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to execute a contract with business associates to safeguard the privacy and security of protected health information (PHI). As the holder of the PHI, anesthesia groups should make sure they understand and carry out their obligations with regard to business associate agreements and not leave it up to their business partners to take the initiative.
Under the HIPAA Omnibus Rule, failure to have written business associate agreements in place can lead to sizable fines and penalties for covered entities, including anesthesia practices. In 2015, for example, Raleigh Orthopaedic Clinic, PA, of North Carolina paid $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by sharing patient PHI with a potential business partner without executing a business associate agreement. The vendor had agreed to transfer x-ray images to electronic media in exchange for harvesting the silver from the films.
"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected," the Office for Civil Rights (OCR) reminded covered entities in a statement.
Passed in 2013, the HIPAA Omnibus Rule overhauled HIPAA laws and implemented several provisions of the HITECH Act in order to strengthen the security and privacy of PHI by increasing the responsibility of second- and third-party businesses to also do their part to safeguard PHI. In this eAlert, Neda Ryan, Esq., compliance counsel for ABC, reviews some key aspects of what anesthesia groups should know about the role of these vital legal contracts in ensuring their practices are in compliance with the law.
Business Associates Defined
The first thing to understand about business associate agreements is who is, and who is not, a business associate. A business associate is any person or entity that performs functions or activities for you or your anesthesia group that involve access to PHI.
An obvious example is your billing and coding partner, with whom you routinely share PHI. Under the final rule, business associates also include individuals and entities that do work for you involving PHI for claims processing or administration, data analysis, quality assurance, patient safety, benefit management, practice management, repricing and other functions. A cloud services provider is a business associate. The OCR has issued special guidance on cloud computing. The guidance states that a HIPAA covered entity or business associate may use a cloud service to store or process PHI "provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement with the cloud services provider that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules."
An attorney with whom you share PHI about a patient or patients is a business associate. So is a CPA firm whose accounting services involve access to PHI; a consultant who performs utilization reviews for your group; and a medical transcriptionist who transcribes dictated notes on patients for whom you've delivered anesthesia care. So is a cleaning company that could conceivably access PHI while cleaning your office, and a secretarial service that you might hire through an agency.
If you're ever in doubt about whether a party is a business associate under HIPAA, it doesn't hurt to have a business associate agreement in place. A shredding company is one borderline example. Having an agreement puts additional onus on the other party to ensure the privacy and security of the PHI.
A significant consideration is whether a party is a business associate with respect to the specific covered entity in question. For example, there are times that ABC must access a hospital system to obtain anesthesia records on behalf of a client. In this instance, ABC is a business associate of the anesthesia group, but not of the hospital because ABC is not providing services for or on behalf of the hospital. The fact that ABC has a written business associate agreement with the client means that we are in compliance with the HIPAA rule and allowed to access their PHI on the client's behalf.
Know Your Obligations
Anesthesia groups should make sure they understand their obligations with regard to business associate agreements and not leave it up to their business partners to take the initiative. Don't count on the other party to know about the rule. The reality is that your group is the holder of the PHI. The first disclosure you make without a business associate agreement in place is a violation.
While it could be argued that the other party is in violation for having the PHI without a signed agreement, regulators will look first to your practice as the party that disclosed the PHI. The business associate has exposure as well for having the PHI without a business associate agreement in place, but your group would most likely be the target of an investigation and the party that would be penalized.
In short, the onus is really on your group, as a covered entity under HIPAA, to put an effective contract in place with each of these business associates. These contracts help to ensure that your business partners are taking their own steps to ensure that the PHI will be used in a private and secure manner.
Be aware that, as a covered entity, your group can share PHI with your business associates only when that sharing of information is necessary to help them help you carry out your work as an anesthesia provider.
Also note: Situations in which a physician consults with another on the care of a patient—an internist who consults with a pain specialist, for example—are not considered business associate relationships, but rather two covered entities communicating with each other. However, if a covered entity hires another physician to conduct an audit of its coding and billing practices, the consulting physician is, in that capacity, a business associate. Even though the consulting physician is a covered entity, he or she will be accessing PHI that is not used for treatment purposes and will be performing services that are not covered entity functions. A business associate agreement must be in place in these instances.
Some mistakenly assume that because the person is a physician, they automatically fall under the category of covered entity. However, a physician is not necessarily a covered entity all of the time. It depends on the nature of the work the physician is doing for the covered entity. There is no hard and fast rule.
Data Breach Notifications
A typical business associate agreement will have a provision requiring the business associate to notify the covered entity in instances of inadvertent disclosures or breaches of PHI. With human beings handling PHI, errors occur. Our experience suggests that covered entities need to pay more careful attention to questioning their business associates when these inadvertent disclosures occur. What is the covered entity doing pursuant to the business associate agreement? Are they making the necessary notifications to HHS OCR? In addition, it is important to be aware that having a business associate agreement doesn't guarantee that a covered entity is protected from business associate-related breaches.
Covered entities and business associates are both required to have a compliance plan in place that dictates what they do in instances such as these. One of the things they must do is conduct a risk analysis that includes identifying to whom the information has been disclosed. If the information was disclosed to another entity that already has an obligation to maintain its privacy, the probability that the information was compromised is considered low, and the disclosure may not necessarily be considered a breach. Even so, under the business associate agreement, the partner is required to let you know that the disclosure has occurred.
Most breaches are the result of human error, such as someone leaving their computer on the subway or accidentally emailing information to the wrong person. HIPAA requires covered entities and business associates to conduct annual risk assessments to identify their vulnerabilities with regard to policies, practices and education, and to fill those gaps.
The winter issue of our quarterly newsletter, Communiqué, will feature an in-depth article on business associate agreements by Kathryn Hickner, Esq., of Ulmer & Berne, LLP.
More information on business associate agreements, including a sample contract, is available on the HHS Health Information Privacy website.
With best wishes,
President and CEO