Should You Take a Second Look at Your Business Associates?

EHR Training Strategies by Ron Sterling

By Ron Sterling
Sterling Solutions

The HIPAA Omnibus rules significantly affect Business Associate (BA) relationships and will require an adjustment to your Business Associates Agreement (BAA). Indeed, you may need to take another look at your BAAs, contractual relationships and even your vendor strategy.

Under the original HIPAA Security and Privacy Rules, non-employee entities or persons who worked with your Protected Health Information were required to abide by the applicable HIPAA Security and Privacy standards through the Business Associates Agreement.  However, the Business Associate was not subject to penalties and your organization was pretty much limited to the power to fire the BA, if you could.

Under the “new and improved” HITECH Rules and made better by the HIPAA Omnibus rules, BAs and even their subcontractors that use your PHI to do their job are now responsible for penalties for breaches. However, these changes require some additional considerations in managing your Business Associates and your contractual relationship.  The key issues to consider are:

Do BAs sign your BAA or will you sign the BA’s BAA? – Many vendors that have significant business with Covered Entities have their own BAA that they want their customers to sign.  These vendor BAAs will address compliance with HIPAA Security and Privacy, but may also include some additional terms at the discretion of the Business Associate.  For example, BAAs may include limits on costs to notify patients of a breach, use of deidentified patient information, decisions on response to a breach, and even termination triggers that could compromise your clinical operation.  If you have your own BAA that includes favorable terms that you prefer, then you will want to negotiate whose BAA will be used as part of your contract discussions.  However, if you do not have a BAA, carefully review the vendor BAA before signing to get rid of surprises in their BAA and even how the BAA works with the contract.

How do you ensure that your Notice of Privacy Practices prevails? – Your organization cannot provide authority to handle or use PHI that is beyond your published Notice of Privacy Practices. Organizations with obsolete NPPs need to update the documents and need to take a look at the NPP on a periodic basis, but the NPP is basically a part of the BAA. For example, your NPP may state that you would not use patient information (in PHI or any other form) for any purpose but clinical care. Some vendors reserve the right to use deidentified information for other purposes. Regardless of how the BA may deidentify your PHI, you cannot authorize the BA to use deidentified information if your NPP represents that you will not use patient information for any purpose but clinical care. Indeed, you may consider deidentified PHI as confidential practice information.

How do you monitor vendor protection of PHI? – Under HIPAA Omnibus, BAs and subcontractor Business Associates (SBAs) have to maintain a mechanism to evaluate impermissible disclosures and uses of PHI to determine if there is a breach and act accordingly. However, the BA and SBA only have to report breaches to your organization. In other words, your BAs and their SBAs could have a variety of impermissible disclosures and uses of PHI, but the events never exceeded the low-probability-of-compromise barrier. Indeed, a BA vendor could have serious and frequent events involving impermissible disclosure and use of PHI that didn’t qualify as a breach, or whose analysis may be more generous than you may want. Such a situation is certainly an indicator of problems to come, or perhaps of a liberal interpretation of the probability of compromise. In order to monitor what is happening with impermissible uses and disclosures, add the right to periodically review the BA’s and their SBAs’ log of impermissible disclosures and uses as well as their probability-of-compromise analysis of the affected PHI.

As part of your compliance with HIPAA Omnibus, you need to reevaluate your Business Associates Agreements to add appropriate terms to meet the Omnibus Rules. However, you need to think beyond the HIPAA Omnibus rules to ensure that you do not end up with a contract or Business Associate relationship that does not protect your interests or business objectives.

For more posts on HIPAA Security and Privacy, click here.

This article was originally published on Avoid EHR Disasters. Ron Sterling is a nationally recognized expert on EHR implementation, Meaningful Use, and HIPAA Security. He is also host of The EHR Zone, an Internet radio program airing daily at 4 pm Eastern. For expert advice on HIPAA Security and Privacy, you can contact him at or call Sterling Solutions at (800)967-3028.