Now that the HITECH Act has effectively, though not formally (business associates were not added to the statutory list of covered entities), made business associates covered entities under HIPAA, having proper business associate contracts in place takes on added importance. In addition, the Department of Health and Human Services (“DHHS”) has proposed to expand a covered entity’s liability for a business associate’s breach. Currently the covered entity is liable only when it has actual knowledge of the breach and fails to handle it properly; under the proposal it would also be liable when, in the exercise of good business judgment, it should have known of the breach, which arguably implies a duty to audit business associates for compliance. Regardless of whether this expanded liability is adopted, DHHS is likely to treat a breach by a party that should have signed a business associate agreement (“BAA”), but did not, as “willful neglect” on the part of the covered entity that failed to get the contract in place, which would expose that covered entity to the highest tier of civil money penalties.
Implementing a business associate policy is therefore a wise precaution. Such a policy would require any workforce member who intends to engage an outside agency for a service that may involve protected health information (“PHI”) to have the covered entity’s responsible official determine whether a BAA is required. It would also assign responsibility for getting such agreements in place, for enforcing them, for responding to a breach by the business associate, and for deciding how long to retain the agreements. Premium Members may download a sample business associate policy to adapt for their organization. Note also that business associates must have “downstream” BAAs with any subcontractors that maintain, use, or disclose the covered entity’s PHI in support of the business associate’s operations.