What To Do About Your Unexecuted Business Associates Agreement?

In recent weeks we have seen several OCR fines levied against organizations that were transferring PHI or receiving PHI without an executed Business Associate Agreement. It is clear this has become a point of intense focus for federal regulators, and one from which we can expect continued fines. However, that is only half of the story. In practice, Business Associate Agreements are not always easy to get executed, for a plethora of reasons. Therefore, let’s analyze some best practices to get those outstanding Business Associate Agreements executed.

1.  Get the ball rolling:  Whether you are a Business Associate, Covered Entity, or subcontractor, don’t hesitate to be the first to send a Business Associate Agreement for negotiation and execution. It establishes the parameters of the negotiation, states that this is a serious matter to you, and takes the first step in getting a BAA executed. If you need a place to start, there are plenty of examples readily available, including from HHS.

2.  Stress the importance:  A Business Associate is determined by the specifics of the business relationship, not by the existence of a Business Associate Agreement. In other words, not executing a Business Associate Agreement does not absolve an organization from HIPAA-required safeguards; therefore, there is no compelling argument not to execute a Business Associate Agreement. It is a requirement of both the Business Associate/Subcontractor and the Covered Entity to have a BAA in place. The requirement is not one-way.

3.  Cause for termination:  Almost all contracts outlining the business relationship will permit (or require) the termination of the agreement if one party does not comply with applicable laws or regulations. Signing a BAA is required by HIPAA, thus not signing one is grounds for termination. While it might be a disconcerting thought, your only protection against an organization that refuses to sign a Business Associate Agreement is to stop the transfer of PHI.  This may create an incredibly challenging situation, but in extreme situations it is the only option.  Most likely, when threatened with terminating the underlying contract, organizations will agree to execute the BAA.

This topic is one of the more difficult facing the entire industry at present. It is not that the answer to the situation is an unknown; it is that the best answer is the most challenging solution. However, you must ask yourself one question: “How much can you trust an organization that will not execute a Business Associate Agreement to ensure the privacy and security of PHI?” I am willing to guess an organization that won’t execute a BAA is probably an organization you don’t want to do business with.

How to Negotiate Business Associate Agreements

Negotiating business associate agreements (BAA) can be one of the trickiest aspects of HIPAA. By now, most people know that they need to have a BAA executed with their business associates (BA) or subcontractors. But, what should you do if there is some sticking point in the BAA, or if the entity you feel is your business associate disagrees and won’t execute a BAA?

What is the best practice when you have identified an entity as a business associate or subcontractor, and therefore want them to execute a BAA, but they refuse? First, have that entity send you a formal document (preferably from their attorney) which outlines why they disagree with your analysis that they qualify as a BA. Once you receive their analysis you may be convinced by their reasoning. The determination of a BA is sometimes a close call, so be open to the fact that they may be correct. However, if you disagree with their analysis, and they continue to refuse to sign a BAA, you should stop all transfer of PHI to that entity. The loss of business may sway them to see things your way. But remember, a BA is determined by what type of work the entity does for you and access to PHI, not by executing a BAA. Therefore, refusing to sign a BAA does not absolve them of BA status. They are still a BA as long as they have access to PHI.

In situations where you are negotiating with a BA on the terms of the BAA, remember that there are 10 items which must be included in every BAA. Be sure you are not negotiating on the inclusion/exclusion of those provisions. One helpful idea is to convert the BAA into a standalone agreement. This way you can negotiate the terms that are unrelated to them being a business associate without impacting the BAA provisions. These could be things like pricing for services, term of the contract, or indemnification. You can simply include the BAA as an appendix to the service contract.

Reduce Business Associate Risk in 60 Minutes!

Business associates play an essential role in helping your organization run smoothly. Managing business associates is a HIPAA requirement, but it is also one of the most complicated tasks facing clinics and providers. Join experts from HIPAA HITECH Express on February 4, 2016 at 12:00 pm PST/3:00 pm EST. In just 60 minutes they will explain how to manage your business associates and reduce your risk. Topics will include:

  • Identifying business associates;
  • Negotiating and executing business associate agreements;
  • Monitoring business associate compliance; and
  • What HHS/OCR HIPAA auditors are looking for.