
With HIPAA Changes, Entities Must Rethink Business Associate Agreements

By:
SUZANNE M. HOLL, CPA
Published Date:
May 5, 2014

Last year, the U.S. Department of Health and Human Services (HHS) released omnibus regulations under the Health Insurance Portability and Accountability Act (HIPAA) that included guidance for implementing changes made by the final rule of the Health Information Technology for Economic and Clinical Health Act (HITECH).

Some of these sweeping changes directly affect what business associates are liable for, leading to policyholder inquiries as covered entities work to revise their Business Associate Agreements (BAAs) to reflect some of the new requirements.

If a CPA has a health care client that falls under the category of “covered entities”—meaning the client directly handles protected health information (PHI)—and the CPA has access to the client’s PHI when performing duties and responsibilities, he or she is considered a business associate. This is true whether or not the CPA actually exercises this access.

Moreover, CPAs who have access to protected health information (PHI) are considered business associates regardless of whether that access comes directly from a covered entity, or through another third party of the covered entity. (A business associate may be a CPA’s client in an unrelated engagement.)

With the revised regulations, HHS clarified that business associates are directly liable under the HIPAA privacy and security rules for:

  • impermissible use or disclosure of PHI,
  • not providing breach notification to the covered entity,
  • not disclosing PHI as necessary to satisfy a covered entity’s obligations related to an individual’s request for an electronic copy of PHI,
  • not disclosing PHI to the Secretary of HHS to investigate or determine the business associate’s compliance with the rules,
  • not complying with minimum necessary standards,
  • not entering into Business Associate Agreements with subcontractors that create or receive a covered entity’s PHI on its behalf,
  • not providing an accounting of disclosures, and
  • not complying with the electronic security requirements.

Business associates who violate HIPAA rules are subject to civil and, in some cases, criminal penalties for uses and disclosures not authorized by contract or in accordance with law.

Business associates/subcontractors remain contractually liable under business associate/subcontractor agreements. As such, HIPAA-compliant BAAs are being executed in accordance with the final rule for covered entities to obtain from their business associates satisfactory assurances that the business associate will appropriately safeguard the PHI it receives or creates on behalf of the covered entity.

Managing risks
Before contractually binding the CPA firm to the terms and conditions of a BAA, take the time to understand all the implications of the agreement’s legal terminology. The terms and conditions should not contractually expose the firm or its partners to standards higher than those to which they are already held as business associates under the new regulations. Many of the BAAs contractually shift liability and obligations from the covered entity to the CPA firm.

For example, HIPAA does not require the business associate to accept the responsibilities and duties of the covered entity with respect to required notifications to the affected individuals in the event of a breach. Nor does HIPAA require the business associate to indemnify the covered entity.
Many BAAs with indemnification clauses would put the firm at great risk. It is therefore important to review the BAA, accept only the terms required by HIPAA, and not contractually agree to terms that would expand exposure to the firm.

Suzanne M. Holl, CPA, is senior vice president of loss prevention services at Camico (www.camico.com). With more than 18 years of experience, she draws on her Big Four public accounting and private industry background to provide Camico policyholders with information on a wide variety of loss prevention and accounting issues.

For information on the Camico program, call Camico directly at 800-652-1772, or contact:
(Upstate) Reggie DeJean, Lawley Service, Inc., 716-849-8618, and (Downstate) Dan Hudson, Chesapeake Professional Liability Brokers, Inc., 410-757-1932.
