Proactive relationships protect patient rights
Healthcare organizations often contract with third parties to handle work they are unable to perform themselves. That work often involves protected health information (PHI). This article considers the government’s increasing interest in patient rights in relation to covered entities and business associates, and what proactive compliance officers can do to fulfill those obligations through effective monitoring. Steps for compliance officers include prioritizing the agreements based on risk, establishing channels of communication, and collaborating on a risk analysis.
Agreements between covered entities and business associates
Due to the abundance of agreements, covered entities generally develop a template for all business associate agreements with the position that the content cannot be edited by the business associate.
A business associate is defined at 45 C.F.R. § 160.103 and generally includes any person or entity (including a partnership, corporation, or other public or private entity) that, on behalf of a covered entity, creates, receives, maintains, or transmits PHI for a function or activity regulated by the Health Insurance Portability and Accountability Act (HIPAA) rules, such as claims processing, data analysis, utilization review, or billing, or that provides certain listed services (legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial) involving PHI. Since the 2013 Omnibus Rule, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is itself a business associate. Members of a covered entity’s workforce are not business associates.
A covered entity is defined at 45 C.F.R. § 160.103 as a health plan, healthcare clearinghouse, or a healthcare provider that transmits any health information in electronic form in connection with a transaction for which a standard has been adopted.
A template business associate agreement generally addresses definitions, obligations of the business associate, obligations of the covered entity, term and termination, and miscellaneous provisions. The variables are in the details. Business associates are commonly under a multitude of templated agreements from different covered entities. These agreements contain different timelines that add complexity and risk, especially if the business associate does not have an effective compliance program. For example:
- Breach notification deadlines vary from “immediately” to a stated number of days, such as five (5), ten (10), or more, and agreements differ on whether those are business or calendar days.
- Response times to a request from the covered entity for an amendment, access, accounting of disclosures, or a restriction also vary.
- Definitions and policies from the covered entities vary.
- Outdated business associate agreements sometimes lack contact information or a hotline number for reporting.
Changing requirements
Under the original Privacy Rule, a business associate was not directly regulated; its responsibilities and liabilities for PHI flowed purely from its contract with the covered entity. Covered entities were required to include specific provisions in agreements requiring business associates to safeguard PHI. Although the Rule did not prohibit the covered entity from requiring the business associate to receive and/or address requests regarding patient rights, few agreements contained language specific to the patient rights provisions.
In 2013, the HIPAA Omnibus Rule made business associates directly subject to the HIPAA Security and Enforcement Rules and to parts of the HIPAA Privacy and Breach Notification Rules. A flurry of new agreements and addendums followed, escalating accountability for business associates. However, the templates frequently still did not include specific language addressing each of the patient rights provisions.
Fast forward to 2023: covered entities are adding language specific to the time-sensitive patient rights within the business associate agreements:
- 45 CFR § 164.502: uses and disclosures of PHI, including the “minimum necessary” standard of § 164.502(b).
- 45 CFR § 164.524: patient right of access to inspect and receive a copy of their PHI in a designated record set.
- 45 CFR § 164.526: patient right to amend protected health information in a designated record set.
- 45 CFR § 164.528: patient right to receive an accounting of disclosures.
- 45 CFR § 164.522: patient right to request restrictions on disclosures and confidential communications.
- 45 CFR § 164.410: the business associate’s duty to notify the covered entity of a breach of unsecured PHI, which is what allows the covered entity to meet the patient’s right to be notified under § 164.404.
What is prompting the focus on patient rights?
The increased focus is due largely to increased enforcement action against covered entities for violations of patient rights. In the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021, there are 15 Resolution Agreements listed, 13 of them due to violations of the patients’ right of access. One physician office received a Civil Monetary Penalty of $100,000 for violating the right of access provision. Resolution agreements are the result of an investigation by the Office for Civil Rights (OCR). When investigating a breach reported by a covered entity, OCR may learn that the breach was caused by the covered entity’s business associate and may therefore open a compliance review of the business associate. Both parties bear financial and reputational risk with the outcome, and the effectiveness of both parties’ compliance programs will be scrutinized.
Challenges with using one template business associate agreement
One can understand the ease of using one standard template for business associate agreements. It simplifies the negotiation and the content is consistent.
However, while a template agreement functions well for most business associates involved with the use and disclosure of PHI, one size does not fit all.
That’s partially due to the fact that not all business associates maintain a designated record set.
With limited exceptions, a covered entity is required to provide an individual access to his or her PHI in a designated record set. This includes PHI held by a business associate unless the business associate merely duplicates information maintained by the covered entity. A designated record set includes medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Patients have the right to access, inspect, and receive a copy of their PHI in a designated record set. Patients also have the right to amend PHI in a designated record set. While covered entities may follow common principles when defining the designated record set, each covered entity may have varying elements of what is, or is not, included in a designated record set. Unless the covered entity shares their policy with the business associate, the information requested by the covered entity and produced by the business associate may not align.
Steps for Proactive Healthcare Compliance Officers
1. Prioritize monitoring business associates by risk
The scope of work in a business associate agreement can sit at either end of the risk spectrum. Business associates that host PHI pose a greater risk because of their cybersecurity exposure, and the level of scrutiny should be commensurate with that risk. Conversely, a third party with a limited scope of work and limited access, such as one performing a targeted billing audit, could be rated at a lower risk. There may also be third parties that are required by the agreement to retain legacy data; they still hold PHI and still belong in the inventory. Assess and prioritize business associates by risk category for effective monitoring.
For those business associates identified as high risk, it is prudent to request a copy of their code of conduct and pertinent policies (IT security, breach notification, etc.), along with evidence that the policies are followed, such as the security risk analysis the Security Rule now requires of business associates. If the business associate cannot produce the documents, that may signal an ineffective compliance program. Dedicate time to look more closely at that business associate and its ability to safeguard protected health information, rather than discovering the lack of controls after a breach occurs.
2. Communicate with Business Associate Compliance Teams
The sophistication of compliance programs may contrast dramatically between third parties. Therefore, if you, as the covered entity, truly want a collaborative approach, ask (all or high-risk) business associates to notify you when a privacy incident (disclosure) arises, whether or not it turns out to be a breach. The covered entity and business associate may not always agree with the risk analysis performed by either party, so discussing the facts of the incident before either side reaches a conclusion is essential. If the business associate reports only breaches (as many agreements specify), the business associate is performing the risk analysis on its own. If the business associate’s compliance program is effective, there shouldn’t be an issue. If it is not, the covered entity may learn a year or two later that an individual filed a complaint regarding an incident the business associate had determined was not a breach, and the covered entity is now exposed. As noted in the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021, between 2017 and 2021 the number of complaints received by OCR increased by 39%, and the number of compliance reviews initiated by OCR increased by 44%.
It has been my experience that most business associates welcome collaboration with a covered entity. Both learn aspects of their business from each other and develop confidence in their respective compliance programs. It has been my experience that notification by the business associate to the covered entity that incidents occurred resulted in accurate risk analysis and effective notification, and survived the scrutiny of state and federal investigations without adverse consequences.
3. Create a Tool to Collaborate on Disclosures
Both covered entities and business associates should have a list of their agreements and know which involve PHI. The list could include, but is not limited to, the following:
- Name: company name and individual stakeholder for the covered entity and the business associate (contract signatory).
- Contact: phone number and/or email of the compliance department for reporting.
- Risk Rating: assess the type, quantity, and frequency of the data use to prioritize attention to that agreement and collaborate with the respective compliance team.
- Reporting Disclosures: (submitted to the covered entity or received from the business associate) with subfields for details such as the number of individuals involved, risk analysis, corrective action, outcome, notifications, etc.
- Policies: list pertinent policies obtained that would assist with patient rights, breach notification, designated record set, minimum necessary, remote access, etc.
- Exclusion check: date of verification.
- Reporting Dates:
  - Deadline for a privacy incident or breach
  - Deadline to respond to patient rights requests (as applicable)
  - Clarification of calendar or business days for reporting, as each agreement may vary
  - Reporting deadline variations based on location (state)
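The following is an added example, not part of the original article or any YouCompli tool, showing how the inventory described in Step 3 and the risk ordering from Step 1 can be turned into something a compliance team can actually run. The counterparties, contact addresses, and day counts are constructed; the state-law overlay is a hypothetical field, since state notice periods differ. The only regulatory constant it relies on is the 30-calendar-day clock for acting on an access request under 45 CFR § 164.524(b)(2), which the example uses to flag agreements whose turnaround leaves the covered entity no margin.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Agreement:
    """One row of the business associate inventory (fields mirror the list above)."""
    counterparty: str
    contact: str                      # compliance department phone/email for reporting ("" if unknown)
    risk_tier: str                    # "high", "medium" or "low" from the covered entity's risk rating
    breach_days: Optional[int]        # contractual notice period; None means "immediately"
    business_days: bool               # True if the agreement counts business days, False for calendar days
    access_request_days: int          # days the business associate has to return records for a § 164.524 request
    state_days: Optional[int] = None  # assumed (hypothetical) state-law notice overlay in calendar days
    last_exclusion_check: Optional[date] = None


# 45 CFR 164.524(b)(2): the covered entity must act on an access request within 30 calendar days.
CE_ACCESS_DEADLINE_DAYS = 30


def add_days(start: date, days: int, business: bool) -> date:
    """Advance `start` by `days`, skipping Saturdays and Sundays when counting business days.
    Holidays are deliberately not modelled; a production tool would take a holiday calendar."""
    if not business:
        return start + timedelta(days=days)
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def notification_deadline(a: Agreement, discovered: date) -> date:
    """Earliest date by which the business associate must report: the contract deadline,
    or the assumed state overlay if that comes first."""
    contract = discovered if a.breach_days is None else add_days(discovered, a.breach_days, a.business_days)
    if a.state_days is None:
        return contract
    return min(contract, discovered + timedelta(days=a.state_days))


def access_margin_days(a: Agreement) -> int:
    """Calendar days left for the covered entity after the business associate's contractual turnaround.
    Zero or negative means the agreement leaves no room to meet the 30-day rule."""
    return CE_ACCESS_DEADLINE_DAYS - a.access_request_days


def monitoring_queue(agreements: List[Agreement]) -> List[str]:
    """Counterparties ordered for review: highest risk tier first, then alphabetically."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [a.counterparty for a in sorted(agreements, key=lambda x: (order[x.risk_tier], x.counterparty))]


def gaps(a: Agreement, today: date) -> List[str]:
    """Inventory gaps that would slow a breach response or an OCR inquiry."""
    issues = []
    if not a.contact:
        issues.append("no reporting contact")
    if a.last_exclusion_check is None or (today - a.last_exclusion_check).days > 365:
        issues.append("exclusion check missing or older than a year")
    if access_margin_days(a) <= 0:
        issues.append("access-request turnaround leaves no margin under the 30-day rule")
    return issues


# Constructed sample inventory: hypothetical counterparties and contact addresses.
SAMPLE = [
    Agreement("Hosted EHR Vendor (constructed)", "privacy@hosted-ehr.example", "high", 5, True, 10, None, date(2024, 1, 15)),
    Agreement("Billing Audit Firm (constructed)", "", "low", None, False, 30, None, None),
    Agreement("Legacy Data Custodian (constructed)", "compliance@legacy.example", "medium", 10, False, 15, 60, date(2022, 6, 1)),
]

if __name__ == "__main__":
    discovered = date(2024, 3, 1)  # a Friday, so business-day and calendar-day counts diverge
    by_name = {a.counterparty: a for a in SAMPLE}
    for name in monitoring_queue(SAMPLE):
        a = by_name[name]
        print(f"{name}: tier={a.risk_tier}, report by {notification_deadline(a, discovered)}, "
              f"access margin={access_margin_days(a)}d, gaps={gaps(a, discovered) or 'none'}")
```

Run it and the "immediately" agreement resolves to the discovery date, the five-business-day agreement lands on the following Friday rather than the following Wednesday, and the billing firm is flagged both for a missing reporting contact and for a 30-day access turnaround that consumes the covered entity's entire regulatory window.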
Invest in Communication and Collaboration for Effective Healthcare Compliance
It is best to build the relationship between the covered entity’s and the business associate’s compliance departments proactively. Yes, initially this process requires a time commitment to communicate, collaborate, and document reporting expectations. However, proactive action at the beginning will reduce risk and save an immense amount of time when managing a breach.
We live in a world where hacking an electronic data system is no longer “if” but “when.” As compliance professionals we know that investment on the front end is always the preferred approach to maintain an effective compliance program. Prioritizing the agreements based on risk, establishing channels of communication and collaborating on a risk analysis are all proactive measures. As William Shakespeare stated, “Better three hours too soon than a minute too late.”
Shawn DeGroot
Shawn DeGroot CHC-F, CCEP, CHRC, CCPC serves on the advisory board for YouCompli. She is also president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. Previously she served as president of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).