COVID-19 changed that.
To help ensure public health and safety during the crisis, officials have requested that HIPAA business associates disclose PHI or perform public health data analytics on their PHI. However, some business associates were unable to comply with these requests, because their agreements did not allow it.
The U.S. Department of Health & Human Services (HHS) therefore issued a notice stating the Office for Civil Rights (OCR) would not impose penalties against a business associate or covered entity if:
- The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities or health oversight activities consistent and
- The business associate informs the covered entity within 10 calendar days after the use or disclosure occurs.
To facilitate telehealth services during this time, OCR also won’t impose penalties against covered entities that don’t have a HIPAA business associate agreement with their video communication vendors.
Business Associates and the Breach Notification Rule
Times are changing, to be sure, but OCR’s relaxed enforcement does not relieve healthcare covered entities and their business associates from everyday compliance. This includes compliance with the Breach Notification Rule, which requires business associates to:
- Complete a HIPAA incident risk assessment to determine if a privacy or security incident involving unsecured PHI is a notifiable breach.
- Notify the covered entity of the breach without “unreasonable delay” but no later than 60 days. However, contractual notification obligations are often measured in hours or days rather than weeks or months.
- Where possible, identify the affected individuals and provide any information the covered entity needs to properly notify these individuals.
- Bear the burden of proving that all required notifications were made, or that one of the existing exceptions to the definition of a breach applies.
3 Best Practices for Covered Entities and Their Business Associates
A few years ago, the OCR audits were top of mind for many privacy and compliance officers. At that time, healthcare compliance experts Shirley Komoto and Leeann Habte indicated OCR would be asking:
- Does the covered entity have contracts with business associates?
- Do the business associate agreements (BAAs) contain all the required elements?
- How does management identify and engage business associates?
- Do the business associates involve onward transfer of protected health information (PHI) to subcontractors?
- Has the covered entity become aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation?
While the audits have come and gone, these questions are as applicable today as ever. To meet HIPAA business associate requirements, consider these three best practices:
#1: Correctly identify your business associates.
In a healthcare ecosystem, with hundreds or even thousands of third-party vendors, it’s not always easy to identify who is a business associate and who is not. Komoto and Habte provided a decision framework for identifying business associates:
- Step 1: Does the arrangement involve PHI?
- Step 2: Are the functions or services defined as business associate functions/services?
- Step 3: Are the functions or services provided for or on behalf of the covered entity?
Of course, exceptions apply, and there are many gray areas. The HHS provides some guidance in this area.
#2: Ensure you have proper business agreements in place.
These agreements ensure, in part, that business associates properly safeguard PHI in accordance with the HIPAA Rules. HHS provides a sample of the provisions for a business associate agreement.
OCR recommends that these agreements:
- Include guidelines for the use and disclosure of PHI.
- Require the business associate to report to the covered entity any use or disclosure of PHI not spelled out in the contract.
- Establish notification timelines and content.
#3: Invest in privacy automation.
Healthcare covered entities often have hundreds, if not thousands, of business associates. Managing this complex network of relationships is a huge burden. Privacy automation can help both covered entities and business associates manage their contractual notification obligations.
A large U.S.-based health insurer discovered this firsthand. The company, serving more than 16 million members across the U.S., was managing an average of 250 reported incidents per month, each of which potentially affected around 10,000 contracts. By automating its privacy incident response process, the insurance company slashed the time it spent addressing contractual obligations.
Citing a recent incident that involved state and federal laws and affected 180 contracts, the insurer’s privacy director said, “Before, this incident would have taken 1–2 days to work through manually. With Radar, our team had all the information we needed right in front of us in minutes.”
Only together can we weather the storm.
Now, more than ever, patients are trusting their healthcare providers to keep their personal data safe. To do this, HIPAA covered entities and their business associates need to ensure that their agreements are in place and up to date, consistently risk-assess every incident, and provide timely notification in the event of a breach.