Regulatory Compliance: The Importance of a HIPAA Associate Agreement
CDA Practice Support
Dental practices, as HIPAA-covered entities, should understand what a business associate’s obligations are when the business associate experiences a breach of the dental practice’s protected health information (PHI). A business associate has specific obligations to protect PHI and to inform the affected covered entity when there is a breach. A dentist should look to the agreements with their respective business associates for specific information on how each business associate will protect PHI, manage a breach and inform the dentist when a breach occurs.
A HIPAA business associate is a third party that uses, accesses or stores PHI to provide services, typically nonclinical ones, to a covered entity. Examples of business associates include practice management consultants, electronic health record companies, encrypted email services and online data backup and storage services. Although HIPAA places the obligation on the covered entity to have HIPAA-compliant agreements with its business associates, in reality the third party usually provides the covered entity with its own version of a HIPAA-compliant business associate agreement. When this occurs, a dentist should review the agreement to ensure it contains the minimum required provisions. A dentist can compare the agreement to the sample business associate agreement on cda.org/practicesupport.
A compliant business associate agreement requires the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI. The dentist and business associate are responsible for adding to the agreement details, such as:
■ How soon after discovery of an impermissible use or disclosure of PHI the business associate must inform the dentist. HIPAA requires a business associate to notify a covered entity no later than 60 days from the discovery of a breach at or by the business associate. However, this leaves little time for a dentist to notify their patients, since a covered entity is itself required to notify affected individuals no more than 60 days from the discovery of a breach. A dentist can consider requiring that a business associate notify them promptly after the discovery of an impermissible use or disclosure of PHI.
■ Whether the dentist wants details of the business associate’s investigation and assessment of an impermissible use or disclosure of PHI.
■ Who will send notification to patients if the business associate determines the incident is a breach. The covered entity is required to notify affected individuals and, with incidents involving PHI of 500 or more individuals, the media and the Department of Health and Human Services. However, the dentist may delegate the tasks to the business associate or to another business associate.
The agreement also must include a provision that any subcontractor that a business associate may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to the PHI.
HIPAA business associates are directly liable for violations of the law. Some violations include:
■ Failure to provide breach notification to a covered entity or another business associate.
■ Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
■ Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
■ Failure to comply with the requirements of the HIPAA Security Rule.
■ Impermissible uses and disclosures of PHI.
In January 2021, the Department of Health and Human Services released a proposal to update HIPAA regulations. When finalized, the updated regulation will trigger a requirement for covered entities to revise business associate agreements in order to include new provisions. Covered entities should take this opportunity and the time to review and understand their business associate agreements.
Regulatory Compliance appears monthly and features resources about laws that impact dental practices. Visit cda.org/practicesupport for more than 600 practice support resources, including practice management, employment practices, dental benefit plans and regulatory compliance.