Where did the time go? Today’s the day – September 23, 2013. This is compliance day for most of the Omnibus Rule changes. I had a feeling this deadline would catch up with me faster than I would be able to blog my 10 tips, so I’m going to count “TIP TWO” as tips TWO through SEVEN so as to make my own deadline. I will post TIP TEN before midnight tonight…
Here are TIPS FOUR and FIVE (aka EIGHT and NINE) —
Business Associates: before you sign that Business Associate Agreement (BAA), make sure you ARE one!
As noted in TIP THREE, entities that create, receive, maintain, or transmit protected health information (PHI) on behalf of another entity are likely to be Business Associates. However, it’s worth taking the time to analyze whether you really are a Business Associate subject to HIPAA before contractually obligating yourself to act like one. By entering into a BAA, not only are you agreeing to take on BA duties and responsibilities, but you may be admitting that you are, in fact, a BA and make it more difficult to establish to the putative Covered Entity or to a court or regulatory authority that you’re not.
To determine if you are a Business Associate, first ask yourself if you are creating, receiving, maintaining, or transmitting PHI on behalf of the Covered Entity. If you are doing any of these things on your own behalf and you are a health care provider, health plan, or clearinghouse, you may be a Covered Entity with respect to the PHI at issue. Alternatively, HIPAA may not even apply (for example, if you’re a provider who doesn’t transmit PHI in electronic form in connection with a HIPAA-covered transaction).
It’s important that you know your role prior to signing the BAA, not only so that you aren’t bound by contract to take on the BA role, but also so that you fully understand the implications of a breach. If a breach occurs while the PHI is under your watch (directly, as a result of actions or inactions of workforce members, agents, etc., or indirectly, as a result of actions or inactions of subcontractors, for example) and you are actually the Covered Entity, notifications to HHS and to affected individuals will be your responsibility, as will the determination of whether a reportable breach occurred. A BAA, under which you are purportedly the BA, will not protect you from these obligations, but will certainly muddy the waters and complicate your obligations with respect to the putative Covered Entity.
Check to see if your contractors are actually acting as your agents.
The Omnibus Rule makes it clear that if your “Business Associate” (or “Subcontractor”) is actually an agent, the time frames for notification set forth in your BAA (or Subcontractor Agreement) are off. The day on which the contracted party knew or should have known, by the exercise of reasonable diligence, of a breach will be imputed to you, and your failure to notify HHS, the media, and/or affected individuals within the HIPAA-required timeframes could result in significant penalties.
The preamble to the Omnibus Rule explains that HHS will look to the federal common law of agency in determining whether an agency relationship exists, and language in a BAA stating that the BA is an “independent contractor” is irrelevant: “Rather, the manner and method in which a covered entity actually controls the service provided decides the analysis.” HHS uses this example of BAA language that shows that the BA is actually an agent of the Covered Entity: the Business Associate “must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of” the Covered Entity. The clear message: if you exercise authority and control over the contractor during the course of its provision of contracted services, the contractor may be your agent and you won’t be able to point to a BAA’s notice requirements to say you didn’t know and couldn’t reasonably have known of an unreported breach.