Case Study – No Business Associate Agreement results in $500,000 fine


A Business Associate Agreement (BAA) is one of the core items required by HIPAA regulations. If a Covered Entity doesn’t have one in place with each of its outside vendors, it cannot be in compliance. If a Business Associate suffers a breach of the Covered Entity’s Protected Health Information (PHI), that liability flows upstream to the Covered Entity. The recent case of Atrium Health is a prime example of this. Atrium had outsourced a service to a third party. That third party had, in turn, outsourced some of the work as well. The final third party was breached, resulting in 2.65 million patient records being exposed. This liability flowed upstream to the first third party and then to Atrium Health. While each Business Associate will be held responsible, the ultimate responsibility lies with Atrium Health.

Today’s case study, however, covers another recent breach that resulted from a third party and the absence of a Business Associate Agreement.

What Happened?

Advanced Care Hospitalists PL (ACH) engaged a third party to perform services for them between November 2011 and June 2012. This third party was an individual who represented himself as a representative of a Florida-based company named Doctor’s First Choice Billing, Inc. This individual provided medical billing services to ACH under the name of Doctor’s First Choice Billing, Inc. One issue is that Doctor’s First Choice Billing, Inc. claims to have no knowledge of this arrangement or even of the individual claiming to represent them.

A local hospital noticed in February 2014 that patient data belonging to ACH was visible on the website of Doctor’s First Choice Billing, Inc. After investigation, it was discovered that 8,855 patients were affected by the breach. ACH filed a breach notification.

OCR began its investigation and discovered that ACH never had a Business Associate Agreement in place with the individual or with Doctor’s First Choice Billing, Inc. The investigation also revealed that even though ACH had been in operation since 2005, it did not conduct a Risk Assessment until 2014.

The result

OCR fined ACH $500,000 and required them to implement a corrective action plan that includes the use of a Business Associate Agreement with all third parties that had access to ACH’s PHI. The plan also required that ACH perform an enterprise-wide Risk Assessment and implement policies and procedures to bring them into compliance with the HIPAA Privacy Rule.

What is a Business Associate Agreement?

A Business Associate is any outside party (individual or company) that provides services to a Covered Entity involving the use or disclosure of Protected Health Information. A Business Associate Agreement outlines what protections the third party will apply to the PHI it has access to. The purpose is to ensure that the third party continues the protections the Covered Entity has been applying to secure the PHI. It also outlines how the third party will respond to a breach. Since there is a time frame within which a breach must be reported (depending on the number of records impacted), a Covered Entity would want to specify a time limit within which the Business Associate must report a breach to them.

There are many possible examples of who qualifies as a Business Associate.

Some examples of Business Associates:

  • A third party administrator that assists a health plan with claims processing.
  • All third party medical billing companies.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information such as for collections processing.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A clearinghouse that converts claims from non-standard formats into a standard one and then forwards the processed transaction to a payer.
  • An outside medical transcriptionist that provides transcription services to a physician, even those overseas.
  • An IT company that, in the course of performing its duties, has regular access to protected health information.

A Covered Entity needs to have a Business Associate Agreement with each third party that will have access to their PHI.

Whenever a third party will have access to a Covered Entity’s PHI, a Business Associate Agreement is required under HIPAA regulations. These agreements ensure that the third party will protect the privacy of the information it accesses. Not having a Business Associate Agreement will result in fines in the event of an audit or investigation.

For information on what needs to be included in a Business Associate Agreement, please visit HHS’s website here.

You can also download a sample agreement from HIMSS here.