If you've been watching HIPAA at all, you know that there have been some significant changes in the HIPAA rules that affect business associates.
One thing to think about as far as business associates; we get to the whole issue of an agency relationship and what that means. And a business associate is someone who's doing something on your behalf. But how deeply embedded in your operations are they?
Are they – are they working, you know, more like an employee or not? Defining this relationship really has a lot to do with if you've been involved with a – if you have people you hire as consultants or contractors and the whole question of can you consider these people as contractors – independent contractors or do you consider them as a – or do you consider as employees and how much do you – how much you figure this.
And this is all based on the common law issue, the whole definition of, you know, the agency relationship. And so – and it's the kind of thing that isn't defined very clearly anywhere except for the concept of it. And so you have to work it through each time.
And so it really depends on, well, you know, how much do they know about things? Are you really directing their every operation? If it's an organization that you just feed some information to and they have their staff do some massaging of the data on their premises according to their rules, on their payroll and they handle their benefits and all those kind of stuff, that whole operating separate business elsewhere, that's obviously – that's not an agency relationship because they're doing things – you're just giving them a task to do and they're executing it their own way.
But if there's somebody – if you have some people that you have hired and they've sort of become – may you have some technology consultants who are working with you on a transition to your EHR and they're your business associate because you're not hiring these people but they are working closely within your organization and they're following the direction of your managers as far as the schedules of things and when do they need to be where and how they should communicate and, you know, what the office hours are and things like that and that they're using, you know, systems and things that are, you know, they're on the premises and that sort of thing.
That's the kind of thing we might say, well, actually this is an agency relationship. This is close enough where you might as well call them an employee. So even if they're going to be technically a business associate, they're in an agency relationship.
And what that means is that they are – that you are more responsible for their actions, okay. The business associate is less – is still capable of themselves but you are just as responsible as they are because they're working as really a part of your organization.
So it's like if they – if there is a HIPAA breach at a business associate and they're not your agent, okay, then your clock for breach notification begins when you hear about it from the business associate.
If you have a business associate that's an agent and they have a breach, the clock on breach notification begins when they find out about it because they're really acting as a part of the organization.
So it is an important thing to make sure you understand how you're working together when it comes to some of these decisions as far as who's responsible for things because it's a very – it's a – it's a tricky thing to make sure you have it clear as to who's who and who is responsible for what to comply with HIPAA security rules.
You may have hundreds of them, depending on the – on the kind of organization you are. You may have a hard time even finding them all. So at least you have to find them all first thing.
Now, by risk we mean the one that handle – the one that handle larger amounts of information or greater detailed information. Those are the ones where if things are out of kilter, if things are not being done right, you have the biggest potential for the things to go wrong, the biggest penalties, the biggest breaches and things like that. So things that are expiring soon and – obviously and things that are more risky, you want to do those first.
You want to make sure you have the right breach and liability and indemnification, you know, all the – liability and indemnification clauses for HIPAA breach and incidents. Have that in there. Make sure that you get prompt notification from them.
Make sure the new required elements are in there. If they're an agent, make sure you have the stricter requirements in there for security reviews. If they're acting as your agent, you really have a right to, you know, get more deeply into their operations to find out what's going on.
There is one change that has been in there that is now removed. That was a requirement for a clause that would obligate the covered entities to report non-compliance by some downstream entity. Well, that's out of there since those downstream entities are now directly responsible to HHS themselves. They've taken that responsibility to report out of the agreements.
If you have agreement – a good agreement that's in place and meets the old requirements and was all in – all, you know, tucked away before January 25th of this year which is when they publish the new HIPAA rules, okay, so if it was all set when they publish the new rules on January 25th according to the current requirements – according to the old requirements, you have until September 23rd of 2014 to get it updated to meet the new requirements.
And now any new business associate agreements that you do after January 25th, the ones that you're, you know, if it's a new renewal or a new execution, those need to – those need to as of – as of – those need to follow the new rules when they're executed or renewed or you need to make sure that they're updated by September 23rd of 2013. So those got to be up to snuff by September 23rd 2013, that's this year, for the new ones.
Visit AudioEducator and ensure compliance with recent HIPAA security standards with a wide range of online HIPAA training programs.