Previously, business associates' only liability for mishandling Protected Health Information (PHI) arose under the business associate's contract with the health care provider, and the only party responsible for ensuring the existence of a proper Business Associate Agreement was the provider itself. Under the amended regulations, a business associate can now be held directly responsible for improper use of PHI and for the failure to maintain proper policies for its protection. §13404(a).
The HITECH Act makes the following provisions, previously directed at covered entities only, applicable to business associates:
- Administrative safeguards (45 C.F.R. § 164.308)
- Physical safeguards (45 C.F.R. § 164.310)
- Technical safeguards (45 C.F.R. § 164.312)
- Policies and documentation (45 C.F.R. § 164.316)
The breach notification requirements affecting covered entities and business associates have also changed. The HITECH Act requires a covered entity to notify each individual whose PHI has been breached within a reasonable time, and in no case later than 60 days. Business associates must notify the covered entity of any breach within the same period. The notice must be sent in writing via first-class mail; where the breach concerns 10 or more individuals who cannot be located, notice must instead be posted on the breaching party's website and through public media. Notice of the breach must also be provided to the Secretary: immediately for a breach concerning 500 or more individuals, and via an annual log for a breach affecting fewer than 500 individuals. §13402.
The penalties for failing to comply with these provisions include criminal charges, §13409, and civil sanctions, §13410.
From a practical standpoint, this means that agencies should implement their own documented policies for protecting PHI and should immediately ensure that a Business Associate Agreement is executed with each covered entity with which they do business. Covered entities should review the policies of every business associate. If an agreement already exists (which it should), it may need to be amended. It must limit the exchange and use of PHI to the minimum necessary for the business associate to carry out its function. HHS has published recommended contract language on its website. Our sample contract is found below. Note: the agreement requires customization based upon the use of PHI contemplated by the parties' business relationship.