Problem solve Get help with specific problems with your technologies, process and projects.

HIPAA covered entity and business associate agreement requirements

Under HITECH, both "covered entities" and "business associates" must comply with HIPAA data protection mandates, but, as a covered entity, what's the best way both to maintain compliance for your organization, and make sure all your BAs are compliant? Compliance expert Ernie Hayden offers an easy-to-understand primer on the HITECH changes and key questions to ask potential business associates.

HITECH, or the Health Information Technology for Economic and Clinical Health, is a new standard established as...

part of the American Recovery and Reinvestment Act (ARRA) of 2009.

The objectives of HITECH are to:

  1. Develop standards for electronic exchange of health care information.
  2. Establish incentives to encourage doctors and hospitals to digitize their medical records.
  3. Save the government approximately $10 billion, presumably as the product of the digitization efforts.
  4. Strengthen privacy and security to guard protected health information (PHI).

Also, HITECH expands the scope of the Health Insurance Portability and Accountability Act (HIPAA) to mandate public notification of data breaches containing PHI, require stricter compliance and accounting for electronic PHI requests, and add responsibility for managing PHI handled by business associates.

It's important for any organziation that deals with HIPAA compliance to be familiar with the concept of a business associate, because not doing so can cause numerous HIPAA compliance problems. With that in mind, the focus of this article is on the new controls and questions that arise from HITECH regarding management of business associates.

First, what is a business associate? A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of personal health information. Business associates usually work on behalf of, or provide services to, a HIPAA covered entity . (Of note, a member of the covered entity's workforce is not considered a business associate.)

Business associates can include such individuals and entities as accountants, consultants, pharmacies, payers (i.e., health insurance providers), laboratories, e-health record software vendors, RHIOs (Regional Health Information Organizations) and HIEs (Health Information Exchanges).

How many business associates are usually associated with a covered entity? It depends, but based on statistics I've seen, I estimate 3,600 or more for a large health insurance provider and 900 or more for a large national mail-order pharmacy.

Basically, covered entities can probably expect to have many business associates who will be expected to be compliant with HIPAA as extended by HITECH.

As of February 18, 2010, business associates are subject to HIPAA security and privacy rules, as well as the same civil and criminal penalties as HIPAA covered entities. Additionally, business associates are regulated by the U.S. Department of Health and Human Services (HHS) and they must be prepared to be audited by the HHS Office of Civil Rights (OCR).

HITECH also requires that the covered entities -- when working with business associates --have contractual relationships if PHI is shared. From the covered entity's perspective, these HITECH rules can be beneficial in that some of the risk of handling and managing PHI is transferred to the business associates. Sample agreements between a covered entity and business associate (.pdf) can be found online, but it's important to know what the key HIPAA business associate agreement requirements are as a covered entity. Here are some starter questions for a covered entity to consider when creating a contact for a new business associate, or reviewing a contract with an old one:

  1. Does your business associate realize what its responsibilities are under the auspices of HITECH and HIPAA? In a 2009 survey sponsored by the Healthcare Information and Management Systems Society (HIMSS) (.pdf), it was revealed that more than 30% of business associates surveyed did not know the HIPAA privacy and security requirements have been extended to cover their organizations.
  2. Does your business associate have appropriate safeguards in place to protect PHI, along with formal policies and procedures, data backup capabilities, training, disaster recovery plans and systems and audits? Is the business associate capable of handling compliance audits by the HSS Office of Civil Rights? These audits can be very detailed and serious reviews of a company's compliance with the HIPAA Security and Privacy Rules. The HHS offers some added information on the enforcement process.
  3. Does your business associate have a security officer formally identified? Have you spoken to this person? Do they have any formal security, privacy or HIPAA-specific training?
  4. Have you reviewed your business associate's formal, written risk assessment required by HITECH/HIPAA? Are there any "red herrings" you are concerned about? Are there any special actions you should take to protect your company from any high-risk issues at the business associate? Some of these concerns should include whether the business associate has anyone on staff with formal security and privacy training, or if security is just an employee's collateral duty. Another best practice would be to perform a walkthrough of the business associate's facility to check that simple-but-important practices like clean-desk policies, storage of database backup tapes, hard-copy record filing security, and other concerns are addressed.
  5. Have you reviewed your business associate's privacy policies and procedures to see if they address the applicable requirements under the HIPAA Privacy Rule?
  6. Do you have a formal, written and signed agreement between you as a covered entity and the business associate? Has this agreement been updated to include the new requirements under HITECH and the HIPAA Privacy and Security Rules?
  7. Do you have a breach management process in place so your business associate will properly and effectively notify you as the covered entity of privacy and security breaches? What penalties will the business associate face should it not comply with your contractual expectations, separate from HITECH fines?
  8. On a scale of 0 – 5 (5 being perfect), how would you rate your business associate's readiness to comply with HITECH and protect your PHI? What contingencies do you have in place to provide added emphasis on those business associates you would define as high risk? Should you renegotiate your contract to provide better protection for your organization?

Overall, covered entities may have more protection and better risk transfer with the HITECH rules and their new emphasis on business associates. However, this is an added burden to covered entities in terms of time and resources spent on oversight to ensure business associates can comply with HITECH and won't be an added distraction or public relations issue.

About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is the founder and owner of 443 Consulting, LLC, an enterprise focused on providing quality thought leadership in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, and research. Most recently, Ernie was Information Security Strategic Advisor in the Compliance Office at Seattle City Light. In this role he was the primary leader of utility-wide efforts focused on complying with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.


This was last published in June 2010

Dig Deeper on HIPAA