Conference Coverage

Ensure business associate agreements comply with HIPAA rule, attorneys advise



CHICAGO – A new HIPAA rule means physicians face broader liability for protected health information breaches by their business associates.

The final omnibus rule on the Health Insurance Portability and Accountability Act broadens the definition of who and what is considered a business associate and places more responsibility on doctors for protected health information (PHI) acts or omissions by such associates.

Clinton R. Mikel

About "28%-49% of breaches in the health care industry are associated with business associates and how they’re using data," health law attorney Clinton R. Mikel said at a physicians’ legal issues conference held by the American Bar Association.

"It’s important to know who your business associates are, how you’re [interacting] with them and what they’re doing with your data."

The final HIPAA omnibus rule went into effect in September 2013, but allowed covered entities and businesses to continue operating under some existing contracts for up to 1 year. Grandfathered business agreements must be revised to meet the new HIPAA requirements by Sept. 22, 2014.

Under the omnibus rule, a business associate is defined as any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. The regulation means that business associates now include patient safety organizations, data transmission organizations, personal health record vendors, entities that transmit and need routine access to PHI, and data storage vendors – paper based and cloud based.

On physicians’ immediate checklist of things to be reviewed and updated is their existing business-associate agreement template, said Mr. Mikel, a partner at The Health Law Partners, PC, in Southfield, Mich. The revised agreement should ensure that associates comply with all measures of the Security Rule for electronic PHI and that business associates report any breach of unsecured PHI.

In addition, business associates should enter into contracts only with subcontractors that comply with such agreements and restrict subcontractors from disclosing PHI in an inappropriate manner.

Distribute the new template as soon as possible for all new contracts and evaluate outstanding business associate relationships, Mr. Mikel advised.

Proper data security from cloud-based vendors is especially important in light of the new HIPAA rule, said Hemant Pathak, assistant general counsel for Microsoft. Make certain they are told where and how their data is stored in "the cloud" and have clear data maps and geographic boundary information.

Vendors should be "transparent about what their operations are, have a breach procedure, and be willing to share" their policies, Mr. Pathak added. "It should not be something that is obtuse. It should be something that is clear and transparent."

Under the omnibus rule, both the doctor and vendor are on the hook if PHI is exposed.

"It’s important for both of us in protecting our reputations and understanding what the needs are from a compliance" standpoint, Mr. Pathak said.

Next Article: