Friday, May 23, 2014

Have you signed a HIPAA BAA? Why you NEED to care!

Good News!  If you have signed a HIPAA BAA (Business Associate Agreement), you are required to adhere to HIPAA security and privacy rules just as a health care provider in the healthcare space would.  Why do I say good news?  I believe that better security protection being required by more companies helps to protect more patients from having patient information stolen, sold or lost.

Other than protecting patient information and being required to, why should you take this seriously?  With the passing of the final Omnibus rules for HIPAA/HITECH there are serious consequences: financial penalties and potential jail time.

For example, a single type of breach could create up to a 1.5 million dollar fine.  Considering there are multiple types of breaches, the fines could exceed that number.  Also, HHS (Health and Human Services) has the ability to increase or decrease the fine based on how the covered entity has been adhering to HIPAA guidelines, i.e. being proactive and adhering to HIPAA security and privacy rules could lessen the liability WHEN a security breach happens.

Specifically, the rules for Business Associates, or people that have access to PHI and are declared a business associate by definition, are summarized below.
  • Business Associates are directly liable under HIPAA/HITECH 13404a for uses and disclosure that violate the HIPAA Privacy Rule or are in breach of the Business Associate contracts.
  • Business Associates are not permitted to use or disclose Protected Health Information if it would be a HIPAA Privacy Rule violation for a Covered Entity, except that a Business Associate may use Protected Health Information for internal administration purposes.
  • An entity becomes a Business Associate by definition, and NOT because there happens to be a Business Associate contract in place; therefore liability attaches immediately when an entity "creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity."
  • Business Associates are now directly liable under the HIPAA rules for:
    • impermissible uses and disclosure
    • failure to provide breach notification to the Covered Entity
    • failure to provide access of Electronic Protected Health Information either to the individual or the Covered Entity
    • failure to disclose Protected Health Information to the Secretary
    • failure to provide an accounting of disclosures
    • failure to comply with the requirements of the HIPAA Security Rule
      • Comment: Business Associates and Covered Entities should recognize that these rules have "teeth".
  • Business Associates must comply with the "Minimum Necessary" rule defined in the HIPAA Security rules.
  • Business Associates are required to have Business Associate Agreements with their sub-contractors that use Protected Health Information on their behalf.
  • Business Associates must monitor their Business Associate Agreements with their sub-contractors.
  • Requirements in Business Associate Agreements apply to sub-contractors and sub-contractors of sub-contractors, i.e. all sub-contractors that work on PHI regardless of how far downstream they are.
Do these items shock you?  I hope they do not, but this facet of HIPAA is not understood very well.

What do you need to do next?  Follow HIPAA guidelines or hire a consultant to help you get on the road to compliance.  If you are interested, I can help you start the process and become compliant.

One final clarification for small companies using cloud services: if you are using HIPAA compliant cloud services, the fact that the cloud service provider is HIPAA compliant does not make you or your organization HIPAA compliant.  You still need to put in the time and do the work to become compliant yourself.
