Banner

Article

HIPAA liability protections: business associate agreements are must for effective risk management

The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

What BAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

  • establishes the permitted uses/disclosures of PHI,

  • stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,

  • spells out that the BA reports to the covered entity any unauthorized uses and disclosures,

  • extends the terms of the BAA to its subcontracts, and

  • establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.

Violations under HIPAA can be penalized at anywhere between $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day that the BA and covered entity did not have a business associate agreement is a violation, and multiply the fine by the number of days no BAA penalty was in place, so the penalties can be steep.

Liability of agents

Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.

Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.

The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.

Zachary B. Cohen, JD, is an associate at Garfunkel Wild, P.C., in Great Neck, New York. Send your medical legal questions to medec@advanstar.com.

MORE COVERAGE: How to protect yourself and your practice

Related Videos
Related Content
© Darwin Brandis - stock.adobe.com
December 23rd 2024

Emergency department admission rates vary widely among physicians, study finds

Ep 40: Malpractice caps and nuclear verdicts with Bob White, the Doctors Company
September 20th 2024

Ep 40: Malpractice caps and nuclear verdicts with Bob White, the Doctors Company

2025 offers a remarkable opportunity for concierge physicians to thrive
December 20th 2024

2025 offers a remarkable opportunity for concierge physicians to thrive

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy
June 28th 2024

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy

Long COVID © tilialucida - stock.adobe.com
December 18th 2024

Unemployment: A side effect of long COVID

Two physicians handoff © Ranta Images - stock.adobe.com
December 17th 2024

The clinical impact of biased language in handoffs