Financial Institutions Offering Value Added Services to Health Care Providers Must Ensure HIPAA Compliance and Update Business Associate Agreements by September 23, 2014
Financial institutions that provide doctors, hospitals, health insurers and other HIPAA “covered entities” with services involving access to health information, or value-added services built on that access, can be “business associates” under HIPAA. A common example is a lockbox service, in which the financial institution processes a covered entity’s billing files, accounts receivable (AR) or other financial records that contain protected health information. HIPAA requires business associates to maintain a full HIPAA privacy and security compliance program. The privacy and security laws and regulations that already apply to financial institutions provide many of the protections HIPAA requires; even so, the HIPAA compliance program must be documented well enough to clearly demonstrate compliance with HIPAA specifically.
In addition to maintaining HIPAA privacy and security policies, business associates must have a written “business associate agreement” with each covered entity customer. The HIPAA Omnibus Rule, released in January 2013, required covered entities to update their existing business associate agreements, in many cases by September 23, 2013. Agreements that were already in place before the Omnibus Rule was published, and that have not since been renewed or modified, may instead qualify for a transition period that gives covered entities until September 23, 2014 to update them. With that deadline fast approaching, many business associates, including financial institutions, are seeing an increase in the number of such agreements they are being asked to sign.
Financial institutions should review every business associate agreement carefully. Although these agreements look much alike, they are not mere “form” agreements that can be signed without review or negotiation. Three questions should be asked: (1) Is the financial institution actually a business associate for this customer? If it is not acting as one, it should not take on the liability that a business associate agreement creates. (2) What do the agreement’s terms require, and can the institution comply with them? (3) How does the agreement handle the timing of required notices (for example, breach notification deadlines that a covered entity may set shorter than HIPAA’s own), the allocation of risk, indemnification and limitations on liability?
Financial institutions that are business associates must also enter into business associate agreements with any subcontractors they use to deliver those services where the subcontractor has access to protected health information. If they have not already done so, they should put these agreements in place as soon as possible, and no later than September 23, 2014.
The Office for Civil Rights (“OCR”) within the Department of Health and Human Services is responsible for HIPAA enforcement. Historically, HIPAA enforcement was fragmented and not very stringent. Recently, however, OCR has increased its enforcement activity, producing multi-million dollar settlements. While those actions and settlements have so far been directed primarily at covered entities, business associates are now directly liable under the Omnibus Rule, and it is foreseeable that OCR will extend enforcement to them in the near future. Financial institutions that are business associates should therefore ensure that they are HIPAA compliant as soon as possible.
Troutman Sanders is ready to help financial institutions with all of their HIPAA compliance needs. For more information and a complete analysis of the HIPAA Omnibus Rule’s impact on business associates, please refer to our February 2013 e-alert, “Big Changes for Business Associates,” or contact Erin Whaley at erin.whaley@troutmansanders.com, Steve Gravely at steve.gravely@troutmansanders.com, Jake Lutz at jake.lutz@troutmansanders.com or James Stevens at james.stevens@troutmansanders.com.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.