February 24, 2017
HIPAA, as amended by HITECH, imposes significant requirements on those persons or entities who qualify as a business associate (BA) as a result of their access to protected health information (PHI) in the performance of services on behalf of a covered entity (CE).
For example, a BA could be a third party billing company, a shredding company, a law firm handling a Medicare audit appeal, a health care design consultant responsible for re-design of an emergency triage process, or even a third party responsible for storing PHI off-site. In each case, the drafting and negotiation of a business associate agreement (BAA) is an important step in confirming BA duties and obligations related to these service arrangements. Some level of due diligence is also important before the BAA is executed and the CE is in a position to trust the BA with its PHI.
To begin, the CE should confirm any and all names that have been used by the BA, whether now or in the past, so to confirm that none of these names are listed in the Office of Inspector General’s List of Excluded Individuals and Entities (OIG) or the General Services Administration’s System for Award Management (SAM), formerly known as the Excluded Parties List System.
A review of the OIG Corporate Integrity Agreement database can also confirm any prior enforcement actions that may have involved a prospective BA. Additionally, if the BA maintains certain licenses, registrations or other credentials necessary to perform their services on behalf of the CE, these qualifications should be verified by the CE. Review of business references or a telephone interview with another CE may also be helpful.
Proof of insurance coverage and some information about claims history should be requested. A general search for any public filings about the BA can provide additional information about their resources, business relationships and reputation. The BA may also be asked to disclose any outside business relationships which might represent a conflict of interest in doing business with the CE.
Because the BA is subject to HIPAA, as a result of the HITECH amendments, the CE should inquire about the BA’s HIPAA compliance program, including but not limited to the recent completion of a HIPAA security risk assessment process, the adoption of HIPAA policies and procedures, and the extent to which the BA will engage the services of subcontractors to assist in the performance of services. Although not a HIPAA consideration, many CEs take additional steps to confirm the health status of the BA who will have any physical contact with the CE’s workforce or clients, including but not limited to up-to-date vaccination records and negative TB testing results.
The CE can conduct its due diligence using a range of techniques. The BA could be asked to submit to a formal request for proposal process or the CE may ask the BA to complete and return a due diligence questionnaire. Selected HIPAA compliance documents may be requested as well. Depending on the nature of services to be performed, an in-person interview or a site visit may be in order.
Once the BA arrangement has been finalized, pursuant to the terms and conditions of the BAA, the CE should adopt certain safeguards to verify, on a regular basis, the identification of any and all persons who perform services, whether in-person or remotely, so to prevent any risk of an unauthorized actor gaining access to CE PHI.
For example, the CE contracts with a third party shredding vendor. On a regular basis, the vendor comes on premises and removes secured documents to be shredded. Without confirming the identification of any vendor employees before removing the documents, there is a serious risk that a "rogue actor" could represent themselves as a vendor employee and walk away with the CE documents, resulting in a serious HIPAA breach incident. In the case of a remote or electronic arrangement, the CE and BA should also maintain an up-to-date list of those individuals who are authorized to access CE PHI on behalf of the BA, subject to the host of safeguards required under HIPAA security.
In summary, the use of a well-drafted BAA, in addition to the use of an effective due diligence process, not only makes for a proper introduction to the BA but also serves another important purpose in allowing the CE to educate the BA and to communicate the importance of HIPAA compliance long before the parties sign on the bottom line. Additionally, after the BAA has been executed, the CE should also institute safeguards to ensure that only authorized individuals perform the designated BA services for the duration of the business relationship.