This law states that any third party (insurance agent, broker or consultant) who assists with claim problems or handles protected health information is considered a business associate and must be in compliance with the regulations of HIPAA.
Your agent's helping hand may land you in court if any of your employees or ex-employees (COBRA) experience a problem with your agent. Having your agent sign a Business Associate Agreement is the first step in confirming that your agent is in compliance.
If your agent is in full HIPAA compliance but simply made a mistake, you may come away with just a slap on the wrist. But if your agent is not in HIPAA compliance and/or has no signed Business Associate Agreement, you may be in jeopardy of a large fine or even jail time.
The responsibilities of a business associate can be found in any correctly written Business Associate Agreement. A sample agreement can be found at www.kybabenefits.com (Click on Resources, then Helpful Links.)
Just getting your agent to sign a correctly written Business Associate Agreement will not completely eliminate your liability. As the employer (covered entity) you have a responsibility to "audit" your agents' compliance. The best audit is a physical audit.
If you are unable to conduct a site visit audit, at least ask your agent to provide you a copy of its HIPAA Policy & Procedures Manual. Most are in excess of 200 pages.
The following responsibilities of a business associate should be included in any agreement.
* Business associate will not use or further disclose protected information for any purposes other than as permitted or required in the business agreement or as otherwise required by law.
* Business associate will use appropriate safeguards to prevent use or disclosure of protected information other than as provided in this agreement.
* Business associate will report to covered entity any use or disclosure of protected information for a purpose other than as provided in this agreement, within a reasonable time after which business associate becomes aware of such use or disclosure.
* Business associate agrees to mitigate any harmful effect from a use or disclosure of protected information outside of the scope of this agreement.
* Business associate will ensure that any subcontractors and agents to whom it provides protected information agree to the same restrictions and conditions to which business associate is bound pursuant to this agreement.
* Business associate will make available protected information in accordance with applicable law. To the extent required by such law and regulations, business associate will make available protected information for purposes of allowing access to the protected information by the individual to which such protected information pertains or his or her duly appointed personal representative; amending protected information; and providing an accounting of disclosures of such protected information.
* Business associate will incorporate amendments to protected information as required by applicable law and regulations promulgated under HIPAA.
* With reasonable notice, covered entity may audit business associate to monitor compliance with this agreement. Business associate will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of protected health information received from, or created or received by business associate on behalf of covered entity, available to the U.S. Department of Health and Human Services, the Office for Civil Rights, or their agents or to covered entity for purposes of monitoring compliance with the law.
Employers will continue to rely on their agent's help in handling claim problems, so agents who do not take the necessary steps to meet HIPAA requirements will find themselves either out of a job or in court on shaky ground.
Bruce W. Bishop is the director of marketing and managing partner of KYBA Benefits. KYBA Benefits provides consulting and administrative services to more than 400 corporate accounts ranging in size from 20 employees to more than 7,000. Reach him at (770) 425-6700, (800) 874-2244, ext. 205, or firstname.lastname@example.org