Chester County Medicine Winter 2019 - 19

www.CHESTERCMS.org

HIPAA regulations at 45 C.F.R. § 314 set forth the various
requirements of a BAA. Included among them are requirements
related to reporting security incidents, complying with the HIPAA
regulations applicable to covered entities, and implementing
administrative, physical, and technical safeguards.
While these requirements may seem overwhelming upon first
glance at the regulations, covered entities and business associates
need not start from scratch when preparing a BAA. The U.S.
Department of Health & Human Services ("HHS") very helpfully
published form BAA provisions on January 25, 2013. The date is
worth mentioning because it means that the proposed provisions
reflect the additional BAA requirements at 45 C.F.R. § 164.504(e)
arising from the 2013 HITECH HIPAA Omnibus Rule (e.g.,
related to complying with the HIPAA Privacy and Security
Rules, reporting breaches, and ensuring that business associates'
subcontractors are subject to the same conditions and restrictions
as are the business associates themselves). These form provisions
are available on HHS's website. Simply type "Sample Business
Associate Agreement Provisions" into the search box on www.
HHS.gov and the link to the form provisions will be among the
first three links listed.

The When.
A BAA is required when a covered entity wishes to "permit
a business associate to create, receive, maintain, or transmit"
electronic PHI. Under applicable law, covered entities are held
to a higher standard than business associates with regard to
PHI protection (e.g., the Privacy Rule under HIPAA applies to
covered entities). But the different standards do not change the
fact that covered entities do not and cannot work alone. Covered
entities often require the assistance of business associates and such
assistance often involves the creation, receipt, maintenance, and/or
transmission of PHI.
Recognizing this, 45 C.F.R. §164.308(b)(1) allows a covered
entity to grant permission to a non-covered entity (i.e., a
business associate) to "create, receive, maintain, or transmit"
PHI on the covered entity's behalf. The next subsection, 45
C.F.R. §164.308(b)(2), grants that same right to business
associates working with subcontracted business associates. Short
of unreasonably and unnecessarily expanding the definition of
covered entities to ensure all who handle PHI are held to the
same standard, the BAA is a document that pulls the non-covered
entity up nearer to the standard that the covered entity must
meet. As discussed in the previous section, the BAA formalizes the
administrative safeguards that address concerns about PHI. So,
before engaging a business associate in connection with any work
that involves creating, receiving, maintaining, or transmitting PHI,
the covered entity and its business associate must sign a BAA.

The Why.
Apart from the fact, mentioned above, that a BAA represents a
useful way to define the rights and obligations of the covered entity
and its business associate with regard to protecting patients' PHI,
there are also the financial implications to consider. By way of a
recent example, in December of 2018 a group in Florida called
Advanced Care Hospitalists ("ACH") agreed to pay the Office of
Civil Rights ("OCR") $500,000 and to adopt a corrective action
plan to settle potential claims that it violated HIPAA's Privacy and
Security Rules by releasing PHI without a BAA in place.
ACH's business was contracting internal medicine physicians to
hospitals and nursing homes in western central Florida. From
November 2011 to June 2012, ACH utilized the services of
an individual who held himself out to be a representative of a
Florida company called Doctor's First Choice Billings, Inc. ("First
Choice"). Though that individual provided ACH with medical
billing services ostensibly through First Choice and its website,
the individual allegedly did so without either the knowledge or
the permission of First Choice's owner. On February 11, 2014 a
local hospital informed ACH that PHI (including names, dates of
birth, and social security numbers) were viewable on First Choice's
website. After ACH was able to identify at least 400 affected
individuals, it asked First Choice to remove the information from
First Choice's website.
Two months after learning of the issue, ACH filed a breach
notification report with the OCR indicating that at least 400
individuals were affected. ACH raised that number by 8,855 in a
supplemental breach report. OCR Director Roger Severino said of
the incident, "[t]his case is especially troubling because the practice
allowed the names and social security numbers of thousands of its
patients to be exposed on the internet after it failed to follow basic
security requirements under HIPAA." While one may quibble with
how basic the requirements are, the consequences of such a failure
can be devastating to both patient privacy and practice solvency. It
is for these reasons that we prepared this refresher. We hope that it
proves useful to you.
Vasilios ("Bill") J. Kalogredis, Esquire, is Chairman of Lamb
McErlane's Health Law Department. Bill has been practicing health
law for over 40 years, representing exclusively physicians, dentists,
group practices, other health care professionals and health care-related
entities. bkalogredis@lambmcerlane.com. 610.701.4402
Andrew Stein, Esquire, is an associate in Lamb McErlane's Health
Law Practice. He represents practitioners and practices with services
at the intersection of health and business, from entity formation
and employment through licensure issues and practice sales. astein@
lambmcerlane.com. 610.701.4433
Lamb McErlane PC, a full service regional law firm based in West
Chester, PA, has built a reputation on delivering the highest caliber
of legal service in an environment focused on personal attention and
results that clients deserve. www.lambmcerlane.com.

WINTER 2019 | CHESTER COUNT Y Medicine 19
http://www.chestercms.org http://www.HHS.gov http://www.lambmcerlane.com
Chester County Medicine Winter 2019

Table of Contents for the Digital Edition of Chester County Medicine Winter 2019
