Business Associates and HIPAA Compliance
In February 2013, the Final Omnibus Rule brought in measures regarding HIPAA Business Associate compliance. The Rule not only redefined what a Business Associate (BA) was, but made portions of the Privacy and Security Rules directly applicable to BAs, added provisions within the HITECH Act to BAs, and stated that BAs must have written Business Associate Agreements.
Towards the end of 2016 – almost four years after the Final Omnibus Rule became enforceable – the California Healthcare Foundation invested in research into HIPAA Business Associate compliance. In the compilation of the “Business Associate Compliance with HIPAA” report, researchers carried out telephone interviews with sixteen Covered Entities ranging in size from small physician offices to big integrated health groups.
The researchers concentrated on the number and size of hired-in BAs, the types of services performed by BAs, the “sophistication levels” of BAs, and the Covered Entities’ efforts to complete due diligence on BAs and review HIPAA Business Associate compliance. It is important to remember that, in California, BAs may also be subject to the State’s Confidentiality of Medical Information Act (CMIA).
One of the key outcomes was that many Covered Entities do not understand what a Business Associate is. Although it was understandable that larger Covered Entities could only estimate how many BAs they had hired (due to multiple relationships originating throughout their organizations), many had adopted a “better safe than sorry” approach to HIPAA compliance.
Some Covered Entities answered that every company with whom they had a relationship completed a Business Associate Agreement, irrespective of whether they were likely to come into contact with Protected Health Information (PHI) or not. In one instance, a Covered Entity had its landscaper sign a Business Associate Agreement as it was possible the landscaper could come into contact with PHI.
Several Covered Entities required other healthcare groups – who were also Covered Entities and who were receiving PHI for their own treatment or healthcare operations purposes – to complete Business Associate Agreements, even though the PHI would become part of the receiving Covered Entity’s records and would not be returned or destroyed at the expiration of the Agreement, as such an Agreement would normally require.
Unsurprisingly, the report found that smaller BAs and those newer to the healthcare sector (e.g. software vendors) are less likely to be aware of their obligations under HIPAA and the Final Omnibus Rule. While larger, more complex BAs may have a specific officer or team dedicated to HIPAA Business Associate compliance, smaller BAs do not have the same level of resources.
However, despite acknowledging that “PHI is just data to information technology vendors”, few Covered Entities put a great deal of work into verifying their Business Associates’ compliance with HIPAA. Among the reasons given were a lack of resources, time pressure, and provisions within the Business Associate Agreement that permit the Covered Entity to revisit the Agreement if due diligence concerns arise.
The oversight of Business Associate compliance with HIPAA was even more surprising. Most Covered Entities interviewed for the report either did not review their BAs at all or focused solely on their compliance with the requirements of the HIPAA Security Rule. Only a small number said they had asked to see the BAs’ HIPAA-required risk assessments, or their policies and procedures for responding to a breach of PHI.