Why do my “Business Associates” need to be HIPAA compliant? I have a Business Associate Agreement so I’m fine. Why do I need a HIPAA compliant IT Service Provider?
These are just some of the common questions we get on a regular basis when speaking with clients and potential clients. So really, what is the big deal about Business Associates? The detailed answer to that question could take a while, so let's just look at the simple answers.
Gone with the wind… that about sums up two things. First, the fact that HIPAA has changed a lot since the Final Rule came out in January 2013, and as of this writing the grace period is over. Gone are the days when a Covered Entity could just point the finger at a Business Associate as the cause or reason for a breach or non-compliance. “I didn’t know my IT guy was (or was not) doing that” is no longer acceptable.
Second, the famous line from the movie is sometimes what I hear from doctors who just don’t like all the regulation and changes. I can empathize with Covered Entities. As a HIPAA compliant Healthcare IT Service & Support Provider, we have to abide by many of the same regulations and take on the liabilities as well.
So let’s take a look at the biggest reason to take this Business Associate stuff seriously… liability… and lots of it. Here is how HIPAA used to read regarding Covered Entities and Business Associates:
that was then…
(c) Violation attributed to a covered entity. A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency, unless—
(1) The agent is a business associate of the covered entity;
(2) The covered entity has complied, with respect to such business associate, with the applicable requirements of §§ 164.308(b) and 164.502(e) of this subchapter; and
(3) The covered entity did not—
(i) Know of a pattern of activity or practice of the business associate, and
(ii) Fail to act as required by §§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable.
THIS IS NOW…
(c) Violation attributed to a covered entity or business associate.
(1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.
(2) A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.
As you can see from the new wording, the changes to the law put the burden of the actions or inactions of Business Associates right back on the Covered Entity. No longer is there an “unless”. Sure, Business Associates are now liable, but so are the Covered Entities, even if they did not know what the Business Associate was doing… or not doing.
That brings us to another myth… Having a Business Associate Agreement is all you need… WRONG! Covered Entities must do their due diligence in making sure their Business Associates are compliant, not just saying they are. Any Business Associate can sign an Agreement and tell you they are compliant, and you have no idea if that is truly the case. So what does a Covered Entity do? You do your homework… or in this case… your due diligence. If someone told you they could do something and you weren’t sure they were telling the truth, what would you likely say? Prove it! That is just what you want to say to your Business Associates, in the form of documentation and a targeted questionnaire. A Business Associate needs to attest to their compliance, back it up with documentation, and sign a Business Associate Agreement. Furthermore, the Business Associate should keep you very much in the loop on what services or support they are providing you… especially your IT provider.
A Covered Entity’s IT provider is arguably the most critical outsourced component within your practice. As technology plays a larger and larger role within your practice, your reliance on and trust in your IT provider will go up exponentially. Having the right IT provider in place is crucial to the health of your practice.
What do you do with a Business Associate that won’t comply? You find one that will, unless you have exigent circumstances in that the vendor is the only one you can get (in which case you should document this decision to the teeth).
Contact us and ask for our Due Diligence Kit and we will send one out to you FREE of charge to get you started on dealing with your Business Associates the right way.
If you’re interested in more information or a FREE consultation to see if Carolina Computer Concepts is right for you, mention that when you email or call and we will show you how we can help. We have very strong partnerships with key healthcare, compliance and IT vendors, which allow us to offer a strategic alliance directly to our clients.