Covered entities can ensure their business associates are compliant by signing a business associate agreement (BAA) with each associate, which outlines the associate's responsibilities to safeguard protected health information (PHI) in line with HIPAA. Covered entities must also regularly review the associate's security practices, conduct audits, and request evidence of compliance measures such as encryption, access controls, and employee training. Additionally, covered entities should monitor for any breaches or issues and address them promptly to maintain ongoing compliance.
The role of business associates
Business associates are individuals or organizations that perform certain functions or services on behalf of covered entities and have access to PHI. These entities may include medical billing companies, third-party administrators, IT service providers, and healthcare consultants.
Related: How to know if you're a business associate
Conducting due diligence
Covered entities must conduct due diligence to assess a business associate's HIPAA compliance status before entering into a business relationship. Factors to consider during the evaluation include:
- Past HIPAA compliance history: Review the business associate's track record in adhering to HIPAA regulations and any history of breaches or violations. A thorough background check can provide insights into their commitment to safeguarding PHI.
- Security measures and safeguards: Evaluate the security measures and safeguards the business associate has in place to protect PHI. This assessment should focus on technical, physical, and administrative safeguards to ensure comprehensive protection.
- Policies and procedures: Verify that the business associate has established appropriate policies and procedures to handle PHI securely and responsibly. This includes protocols for data access, transmission, storage, and disposal.
- Breach notification processes: Ensure that the business associate has proper procedures to report and promptly respond to data breaches. A well-defined breach notification plan helps mitigate potential risks.
Establishing business associate agreements (BAAs)
The foundation of a compliant business associate relationship lies in the business associate agreement (BAA). This legally binding contract establishes the rules and expectations between the covered entity and the business associate regarding PHI. The elements to include in the BAA are:
- PHI handling provisions: Clearly define how the business associate will handle PHI and limit its use to authorized purposes only. The BAA should specify the permissible uses and disclosures of PHI in alignment with HIPAA regulations.
- Obligations and responsibilities: Outline the specific responsibilities of the business associate in protecting PHI and complying with HIPAA regulations. This should include requirements for safeguarding data, reporting incidents, and cooperating with audits.
- Reporting and response procedures: Detail the process for reporting any breaches of PHI and the subsequent response and mitigation measures. This section should outline the timeline for reporting violations to the covered entity.
- Indemnification and liability: Specify the consequences of non-compliance and the liabilities that may arise from breaches. This provision can clarify financial responsibilities in case of breaches or violations.
Read more: FAQs: Business associate agreements (BAAs)
Responding to non-compliance
In the event of non-compliance by a business associate, covered entities must act promptly and decisively.
- Addressing non-compliance: Work with the business associate to address the compliance issues and implement necessary corrective actions. Communicate openly and collaborate during this phase.
- Termination of business relationship: If the non-compliance persists or poses significant risks, the covered entity may need to terminate the relationship with the business associate. This decision should be made in alignment with the terms of the BAA.
In the news
Advocate Health Care (AHC) faced a $5.55 million HIPAA fine in 2016 following two data breaches and a failure to obtain a BAA; this was reported as one of the largest HIPAA violation cases.
FAQs
What should covered entities do if a business associate refuses to sign a BAA?
Covered entities should not engage with any business associate who refuses to sign a BAA, as this is a violation of HIPAA and could lead to penalties.
Can a covered entity audit a business associate’s HIPAA compliance at any time?
Yes, covered entities can include provisions in the BAA allowing for periodic audits to ensure the business associate remains compliant with HIPAA requirements.
What are the risks of not having a BAA in place with a business associate?
Without a BAA, covered entities may face HIPAA violations and hefty fines if a breach occurs, even if it’s caused by a business associate.
Read more: The consequences of not having a BAA with an email service provider