
What dentists must know about business associate agreements (BAAs)


As HIPAA-covered entities, dental providers must understand the obligations of business associates, especially when there is a breach of protected health information (PHI)


What is a business associate?

The Health Insurance Portability and Accountability Act (HIPAA) defines a business associate as an individual or organization that performs certain functions or provides services for a covered entity. 

Covered entities include healthcare providers like dentists, who often use business associates to manage tasks involving PHI. These business associates are legally responsible for protecting the PHI they use, access, and store.

However, it is up to the covered entity (in this case, the dental practice) to ensure that the business associate upholds their duties in maintaining PHI security.

To clarify these obligations, dental practices must have a signed business associate agreement (BAA) with each of their business associates. These contracts define how PHI will be protected and how breaches will be managed.

Ultimately, dental practices must check that these BAAs include the required HIPAA provisions. 


What the BAA must include

The Journal of the California Dental Association emphasizes the importance of a HIPAA business associate agreement, stating, "A dentist should look to the agreements with their respective business associates for specific information on how each business associate will protect PHI, manage a breach, and inform the dentist when a breach occurs."

In addition, the agreement should specify the time frame within which the business associate must report breaches of PHI. According to HIPAA, a business associate must notify the covered entity no later than 60 days after discovering a breach. 

Dental practices must also check that the BAA includes provisions regarding the investigation and assessment of a PHI breach. The study adds, "Whether the dentist wants details of the business associate’s investigation and assessment of an impermissible use or disclosure of PHI" must be discussed when revising the agreement. 

The BAA should also determine who will notify patients if a breach occurs. According to HIPAA, the covered entity (the dental practice) must notify affected individuals about breaches. 

However, if the business associate determines that an incident constitutes a breach, "the dentist may delegate the tasks to the business associate or another business associate."

Delegating these responsibilities can streamline the process, but the BAA must determine who holds the ultimate responsibility of notifying affected individuals.

Furthermore, when a business associate uses a subcontractor, the subcontractor is bound by the same conditions that apply to the primary business associate. The agreement must include a provision requiring subcontractors to uphold HIPAA's requirements.

Go deeper: What is the purpose of a business associate agreement?


Why it matters

Business associates, like covered entities, are directly liable for HIPAA violations. These can include failure to notify the covered entity of a breach, failure to establish compliant agreements with subcontractors, or failure to protect PHI. 

Some specific violations that business associates may face include "failure to provide breach notification to a covered entity or another business associate," or "impermissible uses and disclosures of PHI." In cases where these violations occur, business associates face significant legal and financial penalties.

Go deeper: Higher HIPAA penalties announced


FAQs

Who is subject to HIPAA?

HIPAA applies to covered entities like healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).


What kind of information does HIPAA protect?

HIPAA safeguards PHI, which includes any information that can identify a patient and relates to their health condition or treatment.

See also: Communications that must remain HIPAA compliant


What are the legal risks of not being HIPAA compliant?

Legal risks include potential lawsuits from affected individuals and the associated costs of settlements, legal fees, and damage to reputation.