Should covered entities check business associates for HIPAA compliance, or is it enough just to get a signed, HIPAA-compliant business associate agreement?
If a business associate (BA) provides reasonable assurances to a covered entity that the HIPAA Rules are being followed, and the BA then makes mistakes that lead to the theft, exposure, or accidental disclosure of PHI, the covered entity will not be liable for the BA's HIPAA violations, provided the covered entity has entered into a business associate agreement (BAA) with that BA.
It is the BA's responsibility to ensure compliance with the HIPAA Rules. A BA's failure to comply with the HIPAA Rules can result in financial penalties for HIPAA violations for the BA, not the covered entity.
A covered entity must "obtain satisfactory assurances" that the HIPAA Rules will be followed before disclosing PHI. Although covered entities are not required by HIPAA to audit their BAs for HIPAA compliance, they must obtain evidence that the BA has conducted an organization-wide risk analysis, has developed a risk management plan, and is reducing risks to a reasonable and appropriate level.
If information is provided to a covered entity that suggests noncompliance, the covered entity should act on that information. A covered entity's failure to take appropriate action to resolve a known violation of the HIPAA Rules by a BA would itself be a violation of the HIPAA Rules. If the BA cannot resolve the violation, it is the covered entity's duty to terminate the BAA (45 CFR § 164.504(e)).
A covered entity will be in violation of the HIPAA Rules if it "knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation." If terminating the BAA is not feasible, the problem should be reported to the Department of Health and Human Services' Office for Civil Rights (OCR).
Although a covered entity is not liable for a business associate's HIPAA violations, any business associate violation is likely to reflect poorly on the covered entity and is likely to cause harm to its members or patients. It is therefore in the interests of both parties to ensure the HIPAA Rules are being followed. It may help to provide BAs with a HIPAA compliance checklist to support their compliance efforts, along with access to other resources that help them avoid breaches and mitigate risk.