A covered entity is not liable for the actions of its business associates nor required to monitor their actions under HIPAA. While covered entities must enter into business associate agreements (BAAs) to ensure compliance with privacy regulations, they are not obligated to oversee how business associates implement privacy safeguards. However, if a covered entity becomes aware of a breach or violation by a business associate, it must take reasonable steps to address the issue.
Defining covered entities and business associates
Covered entities include healthcare providers, health plans, and healthcare clearinghouses that handle protected health information (PHI). Business associates, on the other hand, are individuals or entities that perform services on behalf of covered entities that involve the use or disclosure of PHI. Examples of business associates include billing companies, consultants, and vendors who access patient data.
Related: Can you be a covered entity and a business associate?
Legal framework under HIPAA
Overview of the HIPAA Privacy Rule
The HIPAA Privacy Rule requires that covered entities implement safeguards to ensure the privacy and security of sensitive patient information, and "enter into written contracts or other arrangements with business associates which protect the privacy of protected health information". These agreements outline the responsibilities of each party concerning the handling of PHI.
The importance of BAAs
BAAs ensure that business associates follow HIPAA requirements. These contracts specify the permissible uses and disclosures of PHI, outline the business associate's responsibilities for protecting this information, and detail the actions required in the event of a breach. While covered entities are not required to monitor their business associates constantly, having a robust BAA helps ensure compliance.
Read more: What is the purpose of a business associate agreement?
Responsibilities of covered entities
The HHS states "covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its business associates."
However, if a covered entity learns of a breach or violation of the BAA, it must take reasonable steps to address the situation. Organizations may need to help resolve the breach or end the relationship if the violation can’t be resolved.
Actions required when breaches occur
When a covered entity discovers a breach or violation by a business associate, it must make a reasonable effort to remedy the breach. If the issue cannot be resolved, the covered entity must terminate the contract with the business associate.
In situations where termination is not feasible (perhaps due to a lack of alternative business options), the covered entity is required to report the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Compliance considerations
If a covered entity fails to take appropriate action in response to a breach by a business associate, it may be deemed out of compliance with the HIPAA Privacy Rule. Non-compliance can lead to significant penalties, including fines and reputational damage.
When a covered entity is found non-compliant, it may be prohibited from disclosing PHI to that business associate in the future.
Best practices for covered entities
Establishing effective BAAs
Creating comprehensive BAAs is crucial for compliance. These agreements should clearly outline the responsibilities of each party, specify acceptable uses of PHI, and detail the procedures for breach notification and remediation.
Read more: What does a HIPAA compliant BAA look like?
Conducting regular reviews
Covered entities should conduct periodic assessments of their business associates' compliance with HIPAA regulations. Regular reviews help identify potential risks and ensure that business associates stick to the terms of the BAA.
Training and awareness
Educate staff about the roles and responsibilities of business associates. Training programs should stress the importance of compliance and detail the procedures for reporting potential breaches.
FAQs
What is the primary purpose of a BAA?
A BAA serves to define the responsibilities of the business associate regarding the use and protection of PHI, ensuring that the business associate complies with HIPAA requirements while handling PHI on behalf of the covered entity.
How often should covered entities review their BAAs with business associates?
Covered entities should regularly review their BAAs, ideally annually, to ensure they remain compliant with HIPAA regulations and reflect any changes in the business relationship or legal requirements.
What are some common risks associated with not having a BAA in place?
Without a BAA, covered entities expose themselves to risks such as non-compliance with HIPAA, potential fines, and liability for any breaches or misuse of PHI by the business associate, which can lead to reputational damage and patient trust.
Liyanda Tembani
