Hi, it's Dr. Weitz. Thanks so much for joining me for this episode of the private medical practice academy. I know you've all heard of HIPAA and know that you're supposed to protect health information, and I'm sure that you have figured out that when you run a private medical practice, you're invariably going to need services and vendors outside of your practice. But did you know that you need to have a business associate agreement for anyone outside of your practice,

that you're going to share protected health information with business associate agreements need to be a fundamental part of your HIPAA compliance program. Today, I'm going to tell you who is a business associate and what you need to know about business associate agreements. First, we need to define how the HIPAA rules define the business associate. According to the guidance from the department of health and human services,

otherwise known as HHS, a business associate is a person or entity other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provide certain services to a covered entity that involve access by the business associate to protected health information. A business associate is also a subcontractor that creates receives, maintains or transmits protected health information on behalf of another business associate.

Okay, so let me simplify the legal mumbo jumbo. Basically, any person or organization that you hire to handle use distribute or access protected health information is a business associate. You need to have a business associate agreement in place before you share protected health information. And to be crystal clear, it's protected health information, regardless of whether it's physical or electronic. And that includes email and text.

So here's a list of some of the people in vendors that are business associates, starting with consultants, including your accountants, lawyers and bookkeepers, your EMR practice management, software vendor shredding and mobile shredding services, medical billing, medical coding, hosting services, answering services, clearing houses that you may use for billing, mobile apps, texting services, messaging services,

tele-health platforms, marketing companies, print and mailing services, transportation services, managed service providers, janitorial services, and virtual assistants. Basically anybody that you outsource anything to from your practice, where there's any potential to share protected health information, they're going to be a business associate. The goal behind the business associate agreement is to acknowledge that both parties are obligated to follow federal HIPAA regulations.

Now it should be obvious that if both parties agree that they're bound by HIPAA regulations, then they can excuse themselves from liability by claiming they don't have to follow the HIPAA laws. The purpose of the agreement is to protect both parties in the event of a breach. Aside from the fact that business associate agreements are federally mandated, they actually are in your best interest or protecting your reputation.

Given that having your patients trust you is fundamental to the success of your practice. You want to do everything possible to protect yourself from the liability of a HIPAA breach and to put things in perspective. If you have a HIPAA breach of 500 or more, you're going to end up on the H H S breach portal. Think of it like the wall of shame.

HHS can audit business associates and business associate subcontractors for HIPAA compliance, not just you as the covered entity. According to HHS, the business associate and or business associates, subcontractor agreement must include the following information. First, you need to describe the permitted and required protected health information uses by the business associate and or their subcontractors. Next, it needs to state that the business associates and their subcontractors will not use or further disclose protected health information beyond what is permitted or required by the contract,

or what's required by law. In the agreement also has to require that the business associate and their subcontractors use appropriate safeguards to prevent inappropriate, protected health information use, or disclosure. So according to HHS covered entities, meaning you, the practice may only disclose protected health information to an entity to help carry out its healthcare functions, not for the business associates independent use or purposes.

So what does this mean? I'll give you an example, the business associate or their subcontractor can't use your protected health information for their own email campaign. Now, I want to stop here and talk for a second about business associates, subcontractors, a business associates, subcontractor is a person or entity that the business associate delegates a function activity or service to while I covered entity again,

that's you receives help from a business associate. The business associate may need their own help. HIPAA refers to these people and companies as business associates, subcontractors. This is important to understand when you're choosing your outside help. A prime example of where this comes in is in the case of virtual assistant companies, some of the VA companies will sign a business associate agreement with your practice and have a business associates subcontractor agreement with the virtual assistant.

Others have the virtual assistant sign. The business associate agreement. Think about it for a second. The company that is actually hiring the VA assumes no liability for a HIPAA breach. That's a problem. It's also a problem. If the VA who's signing the agreement with you is out of the country. In the event of a breach, you're basically hanging out there.

You want to make sure that the company signs the business associate agreement and that for anything that they are outsourcing, they have business associates, subcontractor agreements in place. You want to ask these questions when you're choosing vendors who access your protected health information. Next, I want to talk about contractors and confidentiality agreements. Your employees, independent contractors who work for you exclusively,

or even a sole proprietor with other clients who basically work for you as an independent contractor are not necessarily business associates. In this case, your practice is solely responsible as someone breaches protected health information. One way to address this from a compliance perspective is to have your employees and independent contractors sign the confidentiality agreement. The confidentiality agreement would include clarifying the type of information that the agreement covers.

You're going to want to describe the type of information that cannot be copied, downloaded, or modified. As an aside, this is a really common source of a HIPAA breach. When some piece of protected health information is downloaded onto a desktop because it's quote unquote, easier to access. But in the end, it's not really secure. The agreement needs to address issues like not removing the laptop containing protected health information from your office.

You're going to want to state what information needs to be returned upon the employer's request, employer being you and what disciplinary action is going to be taken towards the person who is responsible for a breach of confidential information. Now, you may be wondering what happens if you don't have a business associate agreement in place. The answer is that the department of health and human services office of civil rights can impose huge fines and a corrective action plan.

If you get audited, you're going to have to provide your business associate agreements and demonstrate that you've done your due diligence in choosing business associates. If you hire another HIPAA covered organization to create, maintain, receive, transmit, protected health information on your behalf, they are your business associate. It doesn't matter that you're both covered entities. You still have to have a business associate agreement.

Sometimes a business associate has their own business associate agreement. And you're probably wondering which one should you use yours or theirs? Although HIPAA doesn't actually state who should provide the business associate agreement. Typically the hiring entity dictates the terms of the agreement. For example, you'd use your business associate agreement with your business associate and then the business associate would use their business associate agreement with their subcontractors,

regardless of whose version of the agreement you use, your business associate is liable for any breach of protected health information that they cause you're going to want to have your business associate agreement written in such a way that it's evergreen, meaning that it renews automatically and doesn't require a new signature to remain valid. That said, you're still going to want to set up a regular review schedule for all of your business associate agreements to make sure that they are current with your service contract and your state laws,

significant changes in the scope of work performed by the business associate is going to necessitate a change in the business associate agreement. Needless to say, you want to make sure that both you and your business associates sign and date the agreement you each keep a copy of the signed document. And of course you will also need to document your reviews of the agreement in any changes by doing this,

your business associate agreement will remain valid for as long as the vendor contract is in effect. Now that we've discussed having a business associate agreement let's address what happens if the business associate or their subcontractor discloses protected health information, HHS states that a business associate is directly liable under the HIPAA rules and subject to civil. And in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law.

But while the business associate has the liability, you, as the covered entity are still required to take reasonable steps to cure the breach or end the violation. If you can't HHS states that you need to terminate your contract or agreement with the business associate. And if for some reason it's not feasible to terminate that relationship, you're required to report them to HHS.

This is why it is so incredibly important that you do your due diligence in choosing a vendor on the frontend, simply signing a business associate agreement is not adequate to that end. You're going to want to check out the show notes for eight, download for questions you're going to want to use as part of that due diligence process. Thanks for joining me, please be sure to sign up for my newsletter below.

I'll be sending you tips on how to start a practice, grow a practice, and then add multiple services so that you can maximize your revenue.