A: Any failure to safeguard protected health information while it is in the business associate's possession, custody or control (e.g., a failure to maintain a secure server or file room) can make the organization a direct target of individual claims or a federal investigation and disciplinary action should a breach occur. Monetary penalties previously only recoverable against a covered entity are now directly recoverable from the business associate.
Q: What should business associates do to prepare for these expanded obligations?
A: Business associates need to have an up-to-date business associate agreement with the covered entity for whom they provide services. Additionally, a business associate will need a second-tier agreement for any downstream entities to whom the business associate discloses the protected health information (e.g., a medical billing company that provides protected health information to an outside consulting firm as part of an audit). Beyond that, business associates need to have written policies and procedures governing how they will receive, store, transmit, and ultimately destroy protected health information received from a covered entity. As a comparison of the Cedars-Sinai and UCLA Health System situations makes clear, covered entities and business associates who are proactive will fare much better than those who wait too late to act.
PAULA BURKES, BUSINESS WRITER