This is a question that was recently posed to TLD Systems, and it is a particularly good one.
When you have a Business Associate Agreement in place, you can always send a letter terminating the relationship. When you send that letter, you should instruct the Business Associate to delete all of your patient data or, if deletion is not feasible, remind them that they remain responsible for protecting that data under the HIPAA regulations. It is always best to have an attorney review the letter before sending it.
When a Business Associate goes out of business, there is no way to send that letter to terminate the relationship. You may not know where your patient data is or who is responsible for securing it. There is no way to reach the Business Associate to get answers to these questions or to determine the security status of your data. When in doubt about what to do, a good first step is to visit the HHS website and see if there is any guidance available. Visiting https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html is helpful in this case. That page specifically states: “If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).” This situation would appear to fall into the case where termination of the agreement is not feasible.
HHS has much greater resources than you, and hopefully they will take this notification seriously. That same Business Associate that had your data probably also had the data of many other medical practices. They are all in the same situation, and a huge amount of patient data for many doctors is potentially at risk. Notifying HHS will have the following effects:
If the data that was held by the Business Associate ends up in the wrong hands, you are responsible for that breach. If you have notified HHS of the potential issue and have documentation of that notification, it will be extremely helpful in your Breach Mitigation process, since part of the Breach Mitigation was done preemptively. This will put your practice in a much better situation when the Office for Civil Rights or your State Attorney General investigates the breach.
HHS has significantly more resources than any small practice. They could find where the data is stored and compel the former principals of the now-defunct Business Associate to either delete the data or properly protect it.
At this point it is important to note that the right to terminate a Business Associate Agreement is predicated upon a Business Associate Agreement (BAA) being in place. This document provides you with vital protections. If you do not have a BAA, then you cannot terminate the BAA, you cannot ask the Business Associate to delete your patient data, and you are fully responsible for anything that may go wrong.
Now is a good time to review all entities that you share patient data with and make sure that you have Business Associate Agreements in place with every organization you share data with. Please remember that you do NOT need a BAA from other doctors that you share patient information with; they are themselves covered entities.
Should you have any questions about Business Associates, BAAs or other HIPAA-related issues, you can always reach out to TLD Systems. As part of our services, we are here to help you understand your responsibilities under the HIPAA rules and regulations. You can reach TLD Systems at http://www.tldsystems.com, by email at email@example.com, or by phone at (631) 403 6687.