Your mother was right, you are known by the company you keep.

Growing up, my mother told me over and over that I needed to be aware of the company I kept, because you are only as good as the company you keep. She taught me that others judge us according to whom we keep as friends. The type of people you surround yourself with conveys your values and what you stand for. As you act and conduct yourself, so do you become.

So what does this have to do with HIPAA? Well, think Business Associate.

Consider this:

· A debt collection agency that contracted with University of Chicago Physicians Group had to notify nearly 1,400 patients that their protected health information, insurance data and Social Security numbers had been compromised after being accessible to viewers on the Internet. [1]

· The Indiana Family and Social Services Administration had a breach of PHI affecting 187,533 individuals, which resulted in clients receiving personal and private documents belonging to other clients. The cause? Their contractor, RCR Technology Corporation, which made a computer programming error in a document management system. [2]

· Some 277,000 patient records from Texas Health, of Fort Worth, Texas, containing patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information and in some cases Social Security numbers were found in various public locations. [3]

Texas Health, Fort Worth had contracted with Toronto-based Shred-it to destroy the confidential patient information, but the microfilms containing the information were not actually destroyed, as had been agreed upon in the contract. Instead, a local resident found a portion of the microfiche in a nearby park in May. Additionally, three other sheets of microfiche were found in two other public areas.

Overall, Business Associates have been involved in about 22% of the more than 600 breaches reported on the Department of Health and Human Services website from September 2009 through August 2013, affecting a total of about 22.5 million individuals, according to a health data breach trends analysis by HealthcareInfoSecurity [4]. For this year, the percentage of breaches involving Business Associates has risen to almost 30% of the total breaches reported to HHS.

So why should you care? Well, aside from having your name (and reputation) associated with a major breach, more importantly a big and largely unnoticed change occurred with the implementation of the Final Omnibus Rules. Now, as of September 23, 2013, you as a Covered Entity may be on the hook for liabilities, such as fines and penalties, and all civil liabilities for the actions of your Business Associates.

Prior to the Final Omnibus Rules, the Regulations explicitly exempted a Covered Entity from liability for the actions of their Business Associates. In the final rule, this exemption was eliminated.

CFR 160.402(c) used to read:

(c) Violation attributed to a covered entity or business associate.

“A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency, unless

(1) The agent is a business associate of the covered entity;

(2) The covered entity has complied, with respect to such business associate, with the applicable requirements of §§164.308(b) and §164.502(e) of this subchapter; and

(3) The covered entity did not:

(i) Know of a pattern of activity or practice of the business associate, and

(ii) Fail to act as required by §§164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable.”

Now reads:

(c) Violation attributed to a covered entity or business associate.

“(1) A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.

(2) A business associate is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.”

The final rule has adopted the federal common law of agency and eliminates the exception excusing covered entities from liability based on the actions of their agents who are business associates. Under the new rules, covered entities may, in certain circumstances, be held liable for the actions of business associate agents.

Whether you as a covered entity will be liable for your business associate’s actions, or whether your business associate is liable for the actions of its agents, will now be determined on a fact-specific basis.

Now, factors such as “the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity” [5] come into play. Other factors include:

“(1) time, place, and purpose of a business associate agent’s conduct;

(2) whether a business associate agent engaged in a course of conduct subject to a covered entity’s control;

(3) whether a business associate agent’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a covered entity; and

(4) whether or not the covered entity reasonably expected that a business associate agent would engage in the conduct in question.” [5]

This new wording significantly limits your ability to insulate yourself from the actions of your Business Associates and, incidentally, their subcontractors. With this new language, what are you to do? As the title of this article suggests, you need to cast a watchful eye on whom you associate yourself with. It is no longer sufficient to go through the motions of signing a Business Associate Agreement. By the way, as of September 23rd, you should have updated your BAAs to accommodate the changes required by the Final Omnibus Rules.

Now, to protect yourself, you should (that is, need to) conduct due diligence on your Business Associates. The recommendation we make to our clients (actually, it is a service we provide) is to begin managing your Business Associate relationships. Request a copy of their most current Security Risk Assessment as well as their Remediation Plan. If these are available and in good order, you can have a good level of confidence that you will not be surprised by the actions of your BA. As importantly, in the event of a breach you will be able to make an affirmative defense to mitigate your potential liability.

With the implementation of the Final Omnibus Rules, don’t let this little-noticed change slip by your HIPAA compliance plan. Failure to take your Business Associate relationships seriously, making them more than a rote signing of the BA Agreement, may come back as an expensive surprise. Just ask University of Chicago Physicians Group, the Indiana Family and Social Services Administration or Texas Health Fort Worth. You will experience guilt by association, defined by the company you keep. My mother was right!

Roger, thanks for sharing!
