
Understanding Business Associate Agreements


A critical component of a dental office’s HIPAA compliance program is obtaining business associate agreements from its business associates. A business associate is a person or entity, other than a member of the covered entity’s own workforce, that creates, receives, maintains, or transmits protected health information (PHI), including electronic protected health information (ePHI), while performing services on behalf of the covered entity (the dental office).

Examples of Business Associates

  • Electronic claims vendors
  • IT professionals
  • Practice management software companies
  • Appointment confirmation services
  • Marketing companies
  • Trainers
  • Consultants
  • Bookkeepers
  • Accountants
  • Lawyers
  • Other similar roles

A business associate also includes any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

Importance of Business Associate Agreements

To comply with HIPAA, a dental office and each of its business associates must enter into a written “business associate agreement” before the business associate handles PHI. This contract obligates the business associate to safeguard PHI properly and to adhere to the applicable HIPAA regulations.

HIPAA Compliance and Liabilities

Business associates are now directly liable under HIPAA regulations. Non-compliance can result in civil and criminal penalties for improper use or disclosure of PHI, including failing to safeguard ePHI. According to the Ponemon Institute, the average cost of a data breach for business associates is $1 million.

It is reasonable to ask business associates whether they maintain written HIPAA policies, conduct periodic security risk assessments, and provide workforce training, and to ask them to show evidence of each (for example, the date of their most recent risk assessment and their training records) rather than relying on a verbal assurance.

Required Safeguards

Dental offices must require business associates to implement appropriate administrative, physical, and technical safeguards. These safeguards are meant to prevent unauthorized access to, use of, or disclosure of PHI, and they include the requirements of the HIPAA Security Rule with regard to ePHI. The same obligations flow down to the business associate’s subcontractors.

Reviewing Business Associate Agreements

Carefully review existing relationships with independent contractors and vendors to determine whether a current business associate agreement is in place or whether an existing agreement must be revised. The agreements should reflect the most current HIPAA language. As of Sept. 22, 2014, dental offices qualifying as covered entities were required to have these contracts in place with all of their business associates. In fact, if the dental office is selected for a random audit, the HHS Office for Civil Rights (OCR) will check whether these agreements are in place.

Business associates are also liable for their subcontractors’ activities, so they in turn must require their subcontractors to sign business associate agreements.

Vendor-Proposed Agreements

When working with larger professional companies, the vendor will often present its own business associate agreement for the dental office to sign. This raises a concern for dentists who are not accustomed to reading such contracts: is the agreement written to favor the business associate rather than the dentist?

Requirements for Business Associate Agreements

According to the Department of Health and Human Services (HHS), business associate agreements must include:

  • “Establish the permitted and required uses and disclosures of protected health information by the business associate. This places limits on how the information is used and ensures the information is accessed only for the intended purpose.
  • Clarify that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  • Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information.
  • Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information. Prompt reporting lets the covered entity meet its own breach-notification deadlines and may help avoid fines for non-compliance and prevent legal action.
  • Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.
  • To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  • Require the business associate to make available to Department of Health and Human Services (HHS) its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.

Termination, Subcontractors, and Remedies

  • At the termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
  • Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.”

Find more information and sample business associate agreement provisions at www.hhs.gov.

Key Considerations for Dentists

HHS warns that relying solely on its sample language may not ensure compliance with state law. Therefore, consulting a lawyer and actively negotiating contract terms are critical steps to protect your practice.

Additionally, review vendor-drafted agreements carefully, paying particular attention to limitation-of-liability clauses that cap the business associate’s liability at the value of one month’s service or a similar nominal amount. In the event of a breach with claims costing thousands or even millions of dollars, such a cap could leave the dental office financially responsible for most of the loss. To mitigate this risk, consult your attorney and verify with your liability insurance carrier whether your policy includes data breach coverage. Furthermore, thoroughly review the indemnification clauses and the agreed governing law and jurisdiction to ensure they align with your practice’s best interests.

Auditing and Maintaining Agreements

Set aside time to audit your business associate agreements. Determine which agreements need to be revised or created, and retain copies for at least six years from the date each agreement was created or last in effect, whichever is later.

Staying Compliant

Compliance evolves continually as part of managing a dental practice. Ensure all business associate agreements are updated and on file to protect your practice and patients.


Olivia Wann founded Modern Practice Solutions, LLC in 2000, focusing on compliance issues. She started her law practice in 2012. Reading this article does not constitute legal advice or create an attorney-client relationship.

Author

  • Modern Practice Solutions

    If you need support with OSHA and HIPAA compliance, you’re in the right place. Since 2000, we’ve been helping dental practices navigate these complex regulations. We understand the increasing challenges posed by evolving compliance requirements, cyber threats, and the significant government penalties for non-compliance. Let us help you stay protected and compliant.
