Regulatory Compliance
CDA Journal, Vol 50, Nº 3
The Importance of a HIPAA Associate Agreement
CDA Practice Support
Dental practices that are HIPAA-covered entities should understand what a business associate’s obligations are when the business associate experiences a breach of the dental practice’s protected health information (PHI). A business associate has specific obligations to protect PHI and to inform the affected covered entity when there is a breach. A dentist should look to the agreements with their respective business associates for specific information on how each business associate will protect PHI, manage a breach and inform the dentist when a breach occurs.

A HIPAA business associate is a third party that uses, accesses or stores PHI in order to provide services, typically nonclinical ones, to a covered entity. Examples of business associates include practice management consultants, electronic health record companies, encrypted email services and online data backup and storage services.

Although HIPAA places the obligation on the covered entity to have HIPAA-compliant agreements with its business associates, in reality the third party usually provides the covered entity with its own version of a HIPAA-compliant business associate agreement. When this occurs, a dentist should review the agreement to ensure it contains the minimum required provisions. A dentist can compare the agreement to the sample business associate agreement on cda.org/practicesupport.

A compliant business associate agreement requires the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI. The dentist and business associate are responsible for adding to the agreement details such as:

■ How soon after discovery of an impermissible use or disclosure of PHI the business associate should inform the dentist. HIPAA requires a business associate to notify a covered entity no later than 60 days from the discovery of a breach at or by the business associate. However, this leaves little time for a dentist to notify their patients, since a covered entity is required to notify affected individuals no more than 60 days from the discovery of a breach. A dentist can consider requiring that a business associate notify them soon after the discovery of an impermissible use or disclosure of PHI.

■ Whether the dentist wants details of the business associate’s investigation and assessment of an impermissible use or disclosure of PHI.
MARCH 2021   187