In your hectic healthcare world, how are you managing your Business Associates and their Agreements? Over 21.3 million healthcare records were breached in the last six months of 2020, a substantial increase of .36% of all reported healthcare data breached were tied to third-party Business Associates.
The U.S. Department of Health and Human Services (HHS) maintains a healthcare data breach portal, referred to as the Wall of Shame. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
The Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
Could your Business Associate be located on the HHS Wall of Shame?
Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, making Business Associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. The HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.
Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to Business Associates and for which Business Associates are directly liable for.
The OCR has authority to take enforcement action against Business Associates and deem Business Associates are directly liable for HIPAA violations as follows:
Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
Failure to comply with the requirements of the Security Rule.
Failure to provide breach notification to a covered entity or another Business Associates.
Impermissible uses and disclosures of PHI.
Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the Business Associate Agreement) to satisfy a covered entity's obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Failure, in certain circumstances, to provide an accounting of disclosures.
Failure to enter into Business Associate Agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
Failure to take reasonable steps to address a material breach or violation of the subcontractor’s Business Associate Agreement.
Unsure how to handle your Business Associates and their Agreements? Dsyfer has a proprietary Automated Business Associate Management Platform.
Dsyfer can help. For more information, call a dsyfer client service member at 480.779.4653 or email firstname.lastname@example.org