Last year, the U.S. Department of Health and Human Services (HHS) released the omnibus regulations under the Health Insurance Portability and Accountability Act (HIPAA), including implementing changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH, the final rule).
Some of the sweeping changes directly affect business associates. CAMICO has experienced an uptick in the number of policyholder inquiries regarding this area, as covered entities work at revising their Business Associate Agreements (BAAs) to include some of the new requirements.
CPAs who have access to protected health information (PHI) are considered "business associates," regardless of whether that access comes directly from a covered entity, which may be a client, or through another third party (business associate) of the covered entity. (A business associate may be a CPA's client in an unrelated engagement.)
Consequently, if the CPA has a health care client that falls under the definition of "covered entities" as defined by HIPAA, and the CPA has access to the client's PHI when performing duties and responsibilities, regardless of whether the CPA actually exercises this access, the CPA is considered a business associate.
With the revised regulations in 2013, HHS clarified that business associates are directly liable under the HIPAA privacy and security rules for:
- impermissible use or disclosure of PHI,
- not providing breach notification to the covered entity,
- not disclosing PHI as necessary to satisfy a covered entity's obligations related to an individual's request for an electronic copy of PHI,
- not disclosing PHI to the Secretary of HHS to investigate or determine the business associate's compliance with the rules,
- not complying with minimum necessary standards,
- not entering into Business Associate Agreements with subcontractors that create or receive a covered entity's PHI on its behalf,
- not providing an accounting of disclosures, and
- not complying with the electronic security requirements.
Although there is direct enforcement authority for business associates committing the preceding acts or omissions, BAAs are still requested to address other requirements under the HIPAA privacy and security rules. Business associates/subcontractors remain contractually liable under those business associate/subcontractor agreements. As such, HIPAA-compliant BAAs are being executed in accordance with the final rule for covered entities to obtain from their business associates satisfactory assurances that the business associate will appropriately safeguard the PHI it receives or creates on behalf of the covered entity.
Before contractually binding the CPA firm to the terms and conditions of a BAA, take the time to understand all the implications of the agreement's legal terminology. The terms and conditions should not contractually expose the firm or it partners to standards higher than those to which they are already held as business associates under the new regulations. Many of the BAAs reviewed by CAMICO contractually shift liability and obligations from the covered entity to the CPA firm.For example, HIPAA does not require the business associate to accept the responsibilities and duties of the covered entity with respect to required notifications to the affected individuals in the event of a breach. Nor does HIPAA require the business associate to indemnify the covered entity.
Many BAAs with indemnification clauses would put the firm at great risk. It is therefore important to review the BAA, accept only the terms required by HIPAA, and not contractually agree to terms that would expand exposure to the firm.Copyright 2014 CAMICO Mutual Insurance Company. All rights reserved.