Business Associate Agreement Under HIPAA: Your Clients Are Protected; Are You?

nat rosasco • August 2, 2018

 Representing healthcare clients is a very involved and complex task for any attorney to handle. This is especially true from a compliance perspective. The Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) provides the requirements for the privacy and security rules regulating protected health information (“PHI”) of individuals and entities.


Additionally, the HIPAA Privacy Rule and Security Rule (the “Rule”) set forth the rules for enforcing HIPAA violations and handling notifications involving any breach involving PHI (a “Breach”). Individuals and organizations required to comply with the Rule are called “Covered Entities.” However, the application of HIPAA does not stop at Covered Entities. HIPAA also applies to the business associates of Covered Entities, a role that is occupied by many attorneys representing Covered Entities.


What is a Business Associate?

On January 25, 2013, the final changes to the Rule were published. Under the Rule, a “business associate” of a Covered Entity can be held directly liable under HIPAA for a Breach. The Rule provides for three types of business associates working with or on behalf of Covered Entities: (1) business associate subcontractors; (2) entities routinely transmitting and accessing PHI; and (3) personal health record vendors.


Generally speaking, attorneys representing Covered Entities or business associates are business associate subcontractors if, in representing a Covered Entity or business associate, the attorney requires access to PHI in order to do their work for their client. If an attorney is a business associate, then a written Business Associate Agreement with their client is required.


Why Should I Enter Into A Business Associate Agreement?

The Rule requires business associates to enter into a written Business Associate Agreement that implements reasonable and appropriate policies in order to comply with the Rule and any Breaches thereunder. Failure to implement a written Business Associate Agreement can result in substantial fines and penalties. Amongst other things, Attorneys who are business associates can be held directly liable under the Rule, just as a Covered Entity would, for Breaches and violations of the Rule.


What is Required Under a Business Associate Agreement?

In order to avoid or reduce the chance of incurring liability for a Breach or other violation of the Rule the acts listed above, it is important to have a detailed and effective Business Associate Agreement. The template for a Business Associate Agreement should begin by incorporating the following requirements set forth under the Rule:

1)  Establish the business associate’s permitted and required uses of PHI by setting forth how and when the business associate will use the PHI;

2)  Provide that the business associate will only disclose PHI other than is set forth in the Business Associate Agreement or is required by law;

3)  Implement appropriate safeguards to prevent the unauthorized use or disclosure of PHI;

4)  Implement the requirements of the HIPAA Security Rule regarding electronic PHI;

5)  Establish the situations and circumstances under which the business associate must disclose PHI to a requesting party;

6)  Require the business associate to comply with all applicable requirements to the extent that the business associate is carrying out an obligation under the Rule on behalf of the covered entity;

7)  Require the business associate’s internal practices, books and records in relation to the use and disclosure of PHI to be made available to the U.S. Department of Health & Human Services so that determinations regarding compliance with the Rule can be made;

8)  To the extent practicable, require the business associate to return or destroy all PHI at the termination of the Business Associate Agreement;

9)  Provide that any subcontractors, as defined by the Rule, business associate will engage with require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

10)Provide for a termination of the Business Associate Agreement if the business associate violates a material term of the Agreement.


How will a Business Associate Agreement Reduce Attorney Liability?

While no Business Associate Agreement can eliminate an attorney’s liability under the Rule, it can greatly assist the attorney in limiting their liability to the extent possible.


First, while a Business Associate Agreement cannot change the statutory timeframes for providing notice or curing a Breach under the Rule, an attorney can give themselves as much leeway as possible with respect to how and when it must provide notice or cure a Breach by allowing themselves as much time as is permitted under the Rule.


Second, the Business Associate Agreement can provide greater clarity to the parties in detailing what a Breach is and when a Breach a occurs. This will help both parties reduce the probability of a Breach, recognize when a Breach occurs, and address either party’s failure to comply with the notice and cure provisions of the Rule.


Third, the Business Associate Agreement can provide essential guidance in handling a Breach by clearly stating each party’s responsibilities in the event of a Breach and the best and most efficient way to cure a Breach. Having definite and delegated plans of action for each party will provide security to each party in handling a Breach.


Finally, in addition to entering in to a Business Associate Agreement, it is also important to remember take a step back, evaluate your practice and determine the best way to become HIPAA and Rule compliant. This can be done by assessing your current level of compliance with HIPAA, projecting potential future compliance needs as your practice changes or grows and a developing plan of action to address any gaps you may discover or anticipate. 

Employers Can Require COVID-19 Vaccinations For Most Employees

By nat rosasco February 25, 2021
As this relentlessly awful year mercifully draws to a close, a light at the end of our pandemic tunnel is rapidly approaching. COVID-19 vaccines are poised for approval, and it is expected that distribution will begin in earnest shortly. But no matter how much and how confidently the FDA and other health experts proclaim these vaccines to be safe and effective, there are large numbers of Americans who say they won’t get the shot when it becomes available. The most recent Gallup poll found that only 63 percent of Americans say they are willing to be inoculated against the disease. Many of those who don’t want to get vaccinated will soon find out that they work for an employer who feels differently. Those employers may also tell them that they either need to get the vaccine or need to find a new job. And, in most cases, employers may be well within their rights to terminate employees who refuse to take the COVID-19 vaccine. Mandatory Vaccinations Are Not New Companies that have spent the better part of the year – and lots of money - trying to keep their workplaces COVID-free see the vaccine as the apex of those efforts. With a fully vaccinated workforce, business owners can operate without disruption and provide employees, customers, clients, and patients with confidence and peace of mind. But all of those benefits of the vaccine only accrue to fully vaccinated workforces. So, many companies may mandate that employees get their shot as a condition of continued employment. By doing so, they are following a legally sound path that predates the current pandemic. Well before anyone had heard of coronavirus, plenty of employers, primarily in the health care sector, required employees to get the flu vaccine and vaccinations against other infectious diseases. Most public school districts also require proof of vaccinations before a student can enroll and attend classes. Since most employees in Illinois work on an “at-will” basis, they can face termination for almost any reason not expressly prohibited by federal, state, or local laws. Generally, no law stands in the way of an employer requiring the COVID-19 vaccine for its workers. ADA and Religious Exceptions However, employers who make vaccines mandatory need to be mindful that employees with legitimate health or religious concerns about the vaccine may be protected from termination and other adverse employment actions if they refuse the shot. But these exceptions don’t necessarily apply just because someone doesn’t believe in vaccines generally (“anti-vaxers”) or thinks that forcing them to get vaccination is an infringement on their liberties. Employees who have a disability recognized under the Americans with Disabilities Act (ADA) that prevents them from taking the coronavirus vaccine cannot be forced to get the vaccine, so long as their exemption does not impose an “undue hardship” on the employer. Such disabilities in this context may include a compromised immune system or an allergy to an ingredient in the vaccine. While there has been no definitive guidance on the subject, one could credibly argue that an employee’s refusal to get vaccinated is an “undue hardship” if it places the health and safety of other employees and visitors at increase risk of infection. Even in such cases, however, an employer may need to make a “reasonable accommodation” for the employee, such as allowing them to work from home. Similarly, the anti-discrimination provisions of Title VII of the Civil Rights Act of 1964 may protect a worker if their “sincerely-held religious beliefs” preclude them from getting a vaccination. Such beliefs do not include political or personal views. The burden is on the employee to demonstrate the legitimacy of their religious objections to the vaccine. More Than Legal Issues To Consider Even when an employer is within their legal rights to require employees to get the COVID-19 vaccine, other considerations may weigh against such a mandate. For example, they may need protection against an employee who has an adverse reaction, even if they signed a waiver upon receiving the shot. A vaccination requirement may also get an adverse reaction from employees generally as well as the general public if it seems heavy-handed and overreaching. Of course, those that decide against a mandate face risks if someone does contract the coronavirus in the workplace and sues. Please Contact Grogan Hesse & Uditsky With All Of Your COVID-Related Employment Questions If you have questions or concerns about how to handle vaccinations or other employment issues related to COVID-19, please call us at (630) 833-5533 or contact us online to arrange for a consultation.

Are You Eligible for the Second Round of PPP Loan Forgiveness?

By nat rosasco January 11, 2021
The Paycheck Protection Program (PPP) is back , offering a second round of loan forgiveness to new borrowers and qualified second-time PPP borrowers. The second round of PPP loans has earmarked up to $284 billion to support business owners' payroll costs and other eligible expenses through March 31, 2021. Loans will be available to first-time participants on Monday, January 11, and existing PPP participants on Wednesday, January 13. First Draw PPP Loan Eligibility Borrowers that did not participate in the first round are generally eligible for a First Draw PPP Loan if they were in operation on February 15, 2020, and fall into one of the following categories: Businesses with 500 or fewer employees that are eligible for other SBA 7(a) loans. Eligible self-employed individuals (including sole proprietors and independent contractors). Non-profit organizations, including churches. Accommodation and food services operations with no more than 500 employees per location. Sec. 501(c)(6) business leagues with no more than 300 employees that do not receive more than 15% of its income from lobbying. Qualifying news organizations with 500 or fewer employees per location. Second Draw PPP Loan Eligibility Existing PPP participants are generally eligible for a Second Draw PPP Loan if the borrower: Used or will have used its First Draw PPP Loan as authorized. Has no more than 300 employees. Can prove it has suffered at least a 25% reduction in gross income between the same quarters in 2019 and 2020. Our team is committed to monitoring new developments with the PPP and providing you with the information you need. It is essential that your small business consults with knowledgeable corporate attorneys , financial advisors, and accountants on your PPP eligibility and forgiveness applications. If you have any questions about the new eligibility requirements or any other issues involving the PPP, please feel free to call or email us.

Amendments to PPP Loan Forgiveness

By nat rosasco June 5, 2020
Many businesses that received Paycheck Protection Program (“PPP”) funds are coming to the end of their respective eight-week time periods (“Expenditure Period”) during which they must use the PPP funds to obtain forgiveness under the CARES Act. Unfortunately, many of these businesses have found it difficult to reopen and remain fully operational throughout the Expenditure Period and consequently to meet spending thresholds necessary to obtain full forgiveness. Luckily for these businesses, some much needed flexibility is on its way. Paycheck Protection Program Flexibility Act On June 5th, the Paycheck Protection Program Flexibility Act (“PPPFA”) was signed into law. The PPPFA made the following changes relevant to PPP loan forgiveness: Extends the Expenditure Period from eight weeks to the earlier of twenty-four weeks from the date of the loan origination or December 31, 2020. Reduces the required payroll spending amount to a minimum of 60% on payroll instead of the current 75% minimum requirement. This would allow businesses to use the remaining 40% of the PPP funds on rent and other operational items as needed. Extends the deadline for workers to be able to be rehired to December 31, 2020 instead of the current cutoff of June 30, 2020. Extends the PPP loan to a five-year term instead of the current two-year term. As any amendments governing the use and repayment of PPP loans may be vital to a small business’ ability to continue to operate and successfully plan for the future, our team will continue to keep you up to date on the on-going developments. As always, it is important to consult with informed attorneys, financial advisors, bankers and accountants on how best to use your PPP funds. Should you have any questions, don’t hesitate to call or email us.
Show More