HIPAAcheck.com


What are your healthcare organization’s responsibilities when using contractors?

45 CFR 164.502(e)(1)(i) - A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

45 CFR 164.502(e)(1)(ii) - A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.

The requirement of a valid “Business Associate Agreement” is meant to provide assurances that a contractor understands its responsibilities under the HIPAA rules. However, even with a valid BAA in place, a breach of information will almost certainly trigger a series of investigations to determine fault, failure and negligence.

  • For Covered Entities this means that a breach of information by a Business Associate, or by one of the Business Associate’s Subcontractors, could damage the Covered Entity’s reputation and impose significant costs in dealing with the situation. The government is on record as stating that the “covered entity is ultimately responsible for providing individuals with notification of breaches”.

  • For Business Associates the risks are similar. Although a Business Associate may not be responsible for notifying affected individuals (depending on the terms of the Business Associate Agreement; it must still notify the Covered Entity of a breach), it could face significant legal action from the Covered Entity (or from the upstream Business Associate, if it is itself a Business Associate Subcontractor) and from state or federal government in the event of a breach by one of its Subcontractors.

Beyond the Business Associate Agreement, exposed entities should consider “risk shifting” measures to protect themselves as far as possible in the event of a breach of protected health information. To begin, entities should have their legal counsel add language to their Business Associate Agreements that protects them in the event of a breach by a Business Associate. Then, mitigate. The best way to deal with a breach is to prevent it from happening. The next best thing is to be able to prove that you did everything reasonably possible to prevent it.

The HIPAA Check℠ Compliance Verification Service will contact your Business Associates or Business Associate Subcontractors and make random but specific inquiries on your behalf regarding their information privacy and security practices. We will document our findings and present them to you with our opinion as to how much effort the reviewed Business Associate appears to be making to protect your information. Using our report, you can then determine the best course of action based on whether or not you now have the necessary “satisfactory assurances” that your information is being used and maintained safely.

Contact us today for more information on ensuring your information is truly safe at 1.855.79.HIPAA



© 2026 HIPAAcheck.com
