HIPAA Business Associates … How Do I Know Thee?

HIPAA, as amended by HITECH, imposes significant requirements on those persons or entities who qualify as a Business Associate (BA) as a result of their access to Protected Health Information (PHI) in the performance of services on behalf of a Covered Entity (CE). For example, a BA could be a third-party billing company, a shredding company, a law firm handling a Medicare audit appeal, an accounting firm responsible for cost reports or even a third party responsible for storing PHI off-site. In each case, the drafting and negotiation of a Business Associate Agreement (BAA) is an important step in confirming BA duties and obligations related to these service arrangements, but it is also important to complete some level of due diligence before the BAA is executed and the CE is in a position to trust the BA with its PHI.

What should the CE know about a prospective BA? 

To begin, the CE should confirm any and all names that have been used by the BA, whether now or in the past, so as to confirm that none of these names are listed in the Office of Inspector General's List of Excluded Individuals and Entities (OIG) or the General Services Administration's System for Award Management, f/k/a the Excluded Parties List System (SAM). A review of the OIG Corporate Integrity Agreement database is another way to confirm any prior enforcement actions that may have involved a prospective BA. Additionally, if the BA maintains certain licenses, registrations or other credentials necessary to perform its services on behalf of the CE, these qualifications should be verified by the CE. Review of business references, or perhaps even a telephone interview with another CE, may also be helpful.

Proof of insurance coverage and some information about claims history should be requested. A general search for any public filings about the BA can also provide additional information about its resources, business relationships and reputation. The BA may also be asked to disclose any outside business relationships which might represent a conflict of interest in doing business with the CE.

Because the BA is subject to HIPAA as a result of the HITECH amendments, the CE should inquire about the BA's HIPAA compliance program, including but not limited to the recent completion of a HIPAA security risk assessment process, the adoption of HIPAA policies and procedures, and the extent to which the BA will engage the services of subcontractors, from time to time, to assist in the performance of services. Although not a HIPAA consideration, many CEs take additional steps to confirm the health status of any BA personnel who will have physical contact with the CE's workforce or clients, including but not limited to up-to-date vaccination records and negative TB testing results.

How should the CE gather this information about the BA?

The CE can conduct its due diligence using a range of techniques. The BA could be asked to submit to a formal request for proposal process, or the CE may ask the BA to complete and return a due diligence questionnaire. Selected HIPAA compliance documents may be requested as well. Depending on the nature of the services to be performed, an in-person interview or even a site visit may be in order.

In summary, the use of a well-drafted BAA, in addition to an effective due diligence process, not only makes for a proper introduction to the BA but also serves another important purpose: it allows the CE to educate the BA and to communicate the importance of HIPAA compliance long before the parties sign on the bottom line.

If you have any questions or require additional information regarding the establishment of a HIPAA-compliant CE-BA business relationship, please contact Susan Ziel at sziel@kdlegal.com, Mark Morrell at mmorrell@kdlegal.com, Meghan McNab at mmcnab@kdlegal.com or Jaya White at jwhite@kdlegal.com.