Business Associate Agreements: Not Just for Vendors
Attorney Adam Greene Sorts Through Complex Regulatory Requirements
Because the legal relationships between healthcare organizations can be very complex, it's not always crystal clear when business associate agreements should be in place to help safeguard patient data, says privacy attorney Adam Greene.
"Every healthcare system with multiple legal entities will be somewhat different," Greene explains in an interview with Information Security Media Group.
"We traditionally think business associates are vendors. But [a certain type] of parent entity that is providing support services to its subsidiaries or wholly owned members is actually going to qualify as a business associate even though they are essentially controlling those underneath it in the corporate chain."
And in those situations, Greene says, a business associate agreement is needed when the parent entity performs certain functions or activities that involve the use or disclosure of PHI on behalf of its subsidiaries that are considered HIPAA covered entities.
The complexities of these relationships, and the significance of having business associate agreements, came into the spotlight in the recent $400,000 HIPAA settlement between the Department of Health and Human Services' Office for Civil Rights and Care New England Health System in Providence, R.I.
The settlement arose from an OCR investigation involving the 2012 loss by Care New England of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 patients at Women and Infants Hospital, a Care New England subsidiary.
The studies included patients' names, dates of birth, dates of exam, physician names and, in some instances, Social Security numbers.
The resolution agreement between OCR and Care New England noted that the organization "provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for Women and Infants Hospital as its business associate."
OCR noted that the hospital had not updated its business associate agreement with Care New England Health System in a timely way to comply with the HIPAA Omnibus Final Rule.
In the interview, Greene also discusses:
- The legal issues involved in designating affiliated covered entities, organized healthcare arrangements and hybrid covered entities;
- Who is liable for data breaches when covered entities are involved in complex business arrangements;
- Who is responsible for notification when there is a breach involving an entity in one of these complex relationships.
As a partner at the Washington-based law firm Davis Wright Tremaine LLP, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.