In February we started a post with this quote on BA agreements:
“This means a business associate will violate the law, not just his business associate contract, if it fails to meet these requirements” – Priority Health letter to all BA’s.
I hate to be right but last week OCR/HHS reaffirmed this and the role and legal responsibilities of BA’s like brokers with total clarity:
“We expect that most business associates make a good-faith effort to follow the terms of their contracts and comply with current security and privacy standards.”
“For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards.”
This is the fourth post on this subject and clicking here will take you to the relevant paragraphs from numerous carrier BA agreements and how they relate to you as a broker or other type of BA.
Some require a signature, many are simply being done unilaterally by the carriers, and some are online. Either way, they all state the obvious specifically and clearly, and HHS has reinforced all of this as well:
- You are a BA
- You are subject to the HIPAA / HITECH privacy and security regs
- You are now subject to breach reporting and penalties for violations just like the carriers are
And all of this should have been in place no later than 2/17/2010.
HHS also said last week:
“Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.”
Trying to feign ignorance will not work:
“Moreover, a covered entity or business associate cannot assert an affirmative defense associated with its “lack of knowledge” if such lack of knowledge has resulted from its failure to inform itself about compliance obligations or to investigate received complaints or other information indicating likely noncompliance.”
And you are on the hook for your staff and subcontractors as well:
“A business associate is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.”
Need help? We have helped dozens of brokers nationwide already.