A “business associate” is a person or entity that acts on behalf of, or provides services to, a health care provider (a “covered entity”) and, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure that business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, in order to protect patient privacy and the related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.
The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, “business associate” covers a broader scope of entities: it now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed to determine whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.
Sample business associate agreements are readily available on HHS’ website. Unfortunately, there is no one-size-fits-all template for business associate agreements. Although a standard form agreement will work properly for many business relationships, that is not always the case. As HHS advises on its website concerning its own template business associate agreement, “[t]he language may be changed to more accurately reflect business arrangements between a covered entity and a business associate or business associate and subcontractor. . . . Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.” Although a form business associate agreement can be useful, it is a mistake to blindly rely on form provisions and assume they adequately address every unique business associate relationship. Providers should consider, for example, whether a particular relationship calls for indemnification provisions to protect the provider in the event of a HIPAA violation by a business associate. Fines and penalties for HIPAA violations can be very significant.
The Law Offices of Kevin S. Little PC is a business law firm focused on representing physicians and health care businesses with regard to many unique legal issues they confront in today’s health care business environment, such as regulatory compliance. We have offices in midtown Atlanta (404-685-1662) and downtown Augusta, Georgia (706-722-7886).
*Disclaimer: Thoughts shared here do not constitute legal advice.