By Jack Anderson
March 3, 2014
First disclaimer, I am not an attorney nor do I play one of TV so please consult with your attorney for legal advice. I am however a close observer of the HIPAA HITECH Omnibus Rule arena and as such am seeing some interesting developments.
I just got off the phone with a lady that has a janitorial service with a new client that is a medical practice. They sent her a business associate agreement to sign supposedly based on a risk assessment done to comply with the HIPAA Omnibus Rule. Being a smart lady with some legl experience she started researching the qualifications for being a business associate. In her research she came across one of my blogs on the subject and gave me a call. I don’t think she is really a business associate (remember my disclaimer) but told her that she should be careful about signing an agreement that states that she is HIPAA compliant if indeed she is not.
In one of my HIPAA discussion groups a real attorney talked about reviewing a BA agreement for a client that effectively shifted full responsiblity to the BA, no matter who was at fault. While he managed to talk the opposing attorney out of that position I know many business associates who will blithely sign any BA agreement that they get with the assumpltion that no one will ever check and that they will never cause a breach. My father used to call this sort of attitude “whistling past the graveyard”.
If you sign a BA agreement and do not live up to the terms of the agreement you are already in breach of that agreement. If the organization that sent you that agreement checks to see if you are compliant and discovers that you are not compliant they must require you to become compliant or they must sever the business relationship.
Check your existing business associate agreements and review new business associate agreements to make sure that you can prove compliance. Don’t pretend that everything is OK and no one will ever check.