If the subcontractor signs a Business Associate Agreement (BAA) and there is a breach of PHI created by the subcontractor, does that mean the Business Associate has no liability?+
It is the responsibility of the Business Associate not the Covered Entity to make sure that subcontractors are in compliance. If the subcontractor simply signed the BAA and did not implement policies and procedures and training, then the Business Associate may share liability for the breach.
Should business associate and subcontractor agreements be signed by existing clients or only new clients?+
You need to have a signed Business Associate or Business Associate Subcontractor agreement for all existing and new contractors going forward.
Does a Business Associate (an agent) need to report a breach to HHS or should it be reported to the carrier (a covered entity) and the covered entity report to HHS?+
Business Associates are required by law to report breaches over 500 people to HHS immediately; under 500 names affected by a breach must be logged and reported to HHS at the end of the calendar year. The agent/agency may also have contractual commitments to report the breach to the carrier. Some carriers will provide guidance in the event of a breach, and will assist the agent in the breach compliance process. In the end, the Business Associate who is responsible for the breach must make sure the breach is properly reported to HHS, and that the required notification of clients occurs, pay all fines and serve time if the breach is determined to be a felony. All BAs need to know the law and the correct steps to follow if there is a breach under HIPAA. With the new Omnibus Rule, Business Associates and Subcontractors are fully regulated by HHS like covered entities. This information is covered in our Breach Training Section, and there are sample letters and forms for a breach in our compliance forms.
We are a General Agent. Our clients are insurance agents. Would we need to execute a BA with our agents? They don’t seem to meet the definition.+
As a general agent, you are acting on behalf of the insurance company and you are receiving or transmitting PHI to, or from an agent under you, or an insurance company, you more than likely have been named as a business associate. If the carriers have not already named those individuals as business associates, then you need to name them as business associates to avoid any potential liability for their mistakes.