This week we are dealing with contract employees or independent contractors, either of which are usually paid by 1099. (Note: this does not mean that if they are given a 1099, they are an independent contractor – that is a whole different discussion.)
One of our clients asked how HIPAA applies to their contractors. In this case the business – an insurance agency – has two subcontractor agents that routinely handle new customer leads. One comes into the office one day a week; the other predominantly works from home.
Well, where they do the work or even what the work is doesn’t matter. Under HIPAA, these folks are considered Subcontractors. This means before you allow any Subcontractor to do any work for you, they need to sign a Subcontractor Business Associate Agreement. In addition you need to ask to see their Privacy and Security Policies and Procedures.
“Jason, this seems like overkill. I mean my guy only works one day a week, and doesn’t work on that many clients.”
Well, what happens if he has a violation with one of those clients Remember, the common agency provision of HIPAA in the Omnibus ruling states that you are now responsible for your subcontractor’s compliance. Check it out at 160.402(c)2 in the Omnibus ruling. It’s quoted below for those of you who would like to read it.
(c) Violation attributed to a covered entity or business associate.
(2) A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.
This means if your subcontractor has a violation and you’ve done nothing to ensure that they are following the rules, it will impact your agency. Unfortunately, you can still be fined if you have a proper agreement in place if they have done nothing else to prepare for their responsibilities under the HIPAA Privacy and Security rules.
Now, you don’t have to follow your subcontractors around like little puppies to make sure they are doing everything the way you would, but you do need to make sure that you do your due diligence. If you don’t have a proper BA Subcontractor Agreement in place, and you haven’t reviewed their Privacy and Security Policies and Procedures, you have opened yourself up to an HHS audit, and potential fines.
To take this one step farther, if you’re working for a Covered Entity, like an employer group, this violation could open them up to an audit, too. This audit can easily work its way upstream, and affect everyone who has been handling PHI. So, you are not only protecting yourself by reviewing those Privacy and Security Policies and Procedures, and having properly executed Business Associate Subcontractor Agreements, but you’re also protecting your clients. This means avoiding what is likely to be the highest cost of a violation: the loss of your clients, and your business reputation.
Total HIPAA specializes in HIPAA compliance services, helping businesses adhere to HIPAA guidelines and protect sensitive data. Our experts ensure your organization remains compliant with HIPAA regulations, meaning you can focus on your core operations while we handle documenting the policies and procedures that make up your HIPAA compliance plan. Trust Total HIPAA for comprehensive compliance solutions tailored to your needs. Book a clarity call today.
