When it comes to protected health information, it’s important that labs manage contracts with external sources to ensure HIPAA compliance.
Laboratorians involved in management activities have likely established agreements with external professionals or consultants who may have access to patient-specific information. Such information requires protection to secure patient health privacy. The Administrative Simplification provisions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) address what’s required of covered entities and their business associates (BAs) when it comes to protecting patient information. It is important to establish policies, as required by law, to manage contracts with external sources who will have access to protected health information (PHI).
HIPAA establishes definitions for various components of business associate agreements and contracts. More detail can be found in 45 CFR 160.103, but here are some of the key definitions: [1]
These basic definitions help lab leaders understand HIPAA and BAAs. The purpose of a BAA is to outline the responsibilities of the covered entity and BA to protect PHI and reduce the chances of a breach involving PHI. The key components of BAA documents include:
The agreement identifies the functions that a BA is to perform and that allow the BA to have access to PHI. The BA will maintain the privacy of the PHI and only disclose what is permitted under the agreement and according to law. A covered entity may request to see any PHI that a BA or subcontractors of the BA may have.
When PHI is legitimately disclosed, it should be the minimum amount necessary. This implies a selective release of information. Such disclosures may be required by law, or may relate to public health or safety requirements, organ donation, coroners’ work, and workers’ compensation.
A BA should create administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI. This includes appropriate training and education of personnel.
Any disclosure or security issues that are not permitted by the agreement should be reported promptly to the covered entity. This reporting also applies to unsecured breaches. Such severe breaches may be associated with financial liability for the BA. Steps must be taken to mitigate damages and prevent future breaches. This may impact agreements with subcontractors.
Specific information should be provided to the covered entity by the BA when inappropriate disclosures are detected. A report should document the date of disclosure of PHI, the name of the entity or person who received PHI, and, if known, the address of such entity or person, a brief description of the PHI disclosed, and a brief accounting that includes the basis for such disclosure. The covered entity is responsible for reporting a breach to the individuals involved and the HHS.
It is important to identify when the agreement is initiated and how long it will be in effect. Usually, the BAA can be terminated by either party. If the BAA is terminated, identifying how PHI will be either returned to the covered entity, or destroyed, is crucial. Our consulting firm retains PHI for three months following the delivery of final reports. After that period of time, all PHI is cross-shredded or electronically altered. We de-identify any PHI appearing in any reports.
With HIPAA’s inception, covered entities carried the compliance burden pertaining to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. But in 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which makes business associates directly liable for compliance with certain requirements of the HIPAA Rules. A final rule was issued in 2013, confirming that the HIPAA rules apply to both covered entities and their business associates. [3]
According to the HHS, the provisions in this final rule that directly apply to business associates and for which business associates become liable for infractions include: [3]
Our firm has noted that laboratories frequently fail to initiate and update agreements with other service groups and agents. For example, lab leaders should establish a BAA with a shredding company that transports PHI or with a storage company that archives requisitions, results, specimens, and slides.
If labs and their BAs are found to be neglectful in failing to protect PHI, the consequences can be costly. Civil penalties (fines) are mandatory for willful neglect. These fines vary depending on which of four different levels HIPAA violations fall under:
| Conduct of Covered Entity or Business Associate | Penalty |
|---|---|
| Did not know and, by exercising reasonable diligence, would not have known of the violation | $100 to $50,000 per violation; up to $25,000 per identical violation per year |
| Violation due to reasonable cause and not willful neglect | $1,000 to $50,000 per violation; up to $100,000 per identical violation per year |
| Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew or should have known of the violation | Mandatory fine of $10,000 to $50,000 per violation; up to $250,000 per identical violation per year |
| Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation | Mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year |
What counts as a HIPAA violation? The government provides helpful examples of conduct that would be penalized. In one such example, the loss of a laptop containing PHI for 500 individuals represents 500 HIPAA violations. If a policy or safeguard is not implemented, each delayed day equals a violation. [5] However, there is some room for discretion if the BA’s conduct was not a result of willful neglect.
Further, the Centers for Medicare & Medicaid Services (CMS) website includes a slide presentation that can help leaders determine whether their lab is a covered entity. [6] Lab leaders can also download a Model Business Associate Agreement from the HHS website to help in drafting their own BAAs. [7]
Though there are many other details related to the use of BAAs not covered here, this article should provide laboratory leaders and their staff with the basics.
Diana W. Voorhees, MA, MLS(ASCP)SH, CLCP, CPCO, is principal in DV & Associates, Inc., Salt Lake City, UT, which makes no representation, guarantee, or warranty, expressed or implied, that the information provided is free of error, and will bear no responsibility or liability for results or consequences of its use.