Business Associate Agreement
A HIPAA Business Associate Agreement (BAA) is a legally mandated contract that establishes the responsibilities and requirements for protecting the confidentiality, integrity, and availability of protected health information (PHI) when a HIPAA-covered entity (such as hospitals, doctors, health insurers, and other healthcare providers) engages the services of a business associate (an external company or individual). This external party may come into contact with or manage PHI on behalf of the covered entity. Examples of business associates can range from electronic health record providers and third-party billing companies to IT service providers and cloud storage vendors. The BAA outlines the specific security and privacy provisions that the business associate must uphold to be compliant with the Health Insurance Portability and Accountability Act (HIPAA) regulations. It also defines the consequences and potential penalties for breaches or unauthorized disclosures of PHI.
This agreement is essential to ensure both entities are aligned in their commitment to protect patient information and to delineate their respective roles and responsibilities in the case of a data breach or other security incidents. This article covers what a Business Associate Agreement is, what essential elements must be included, what optional clauses can be added, why an Agreement might be non-compliant, in what scenarios Agreements are unnecessary, and why compliant Agreements are important.
What is a Business Associate Agreement?
A Business Associate Agreement is a written contract required by HIPAA when a business associate performs a function or provides a service for or on behalf of a HIPAA covered entity or another business associate that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI).
The purpose of the contract is to stipulate the permitted uses of PHI by the business associate, establish when the business associate is allowed to disclose PHI to other entities, determine the responsibilities of both parties, and ensure safeguards are in place to protect the confidentiality, integrity, and availability of PHI.
The contract should also cover the applicability of the Agreement, explain the circumstances in which the contract can be terminated, and how (and when) business associates should report security incidents to the covered entity. Contracts can be – and often are – customized to meet the requirements of one or both parties.
What Essential Elements Must be Included?
- Permitted Uses of PHI
- Allowed Disclosures of PHI
- Responsibilities of Business Associate
- Responsibilities of Covered Entity
- Implementation of Safeguards
- Applicability of Contract and Definitions
- Termination of Contract
- Return or Destruction of PHI
- Notification of Security Incidents
- Miscellaneous Terms and Signatures
Miscellaneous terms can include how modifications to the contract will be agreed upon, how frequently the contract will be reviewed, or any other term required to meet the requirements of the covered entity. Representatives of both parties should sign the contract.
It should be noted that variations of the above essential elements are permitted in a Business Associate Agreement. For example, some cloud service providers automatically enter into a Business Associate Agreement when a healthcare provider subscribes to a business plan, and the contract therefore becomes part of the service agreement (e.g., Google Workspace for Healthcare).
Variations of the above essential elements may also be attributable to state or federal laws that preempt HIPAA. For example, in Texas, a Business Associate Agreement should stipulate that deidentified PHI shared with a subcontractor for research purposes cannot be re-identified without a signed authorization from the subject(s) of the deidentified PHI.
What Optional Clauses Can be Added?
Any number of optional clauses can be added to a Business Associate Agreement in order to clarify specific essential elements or add further terms to the contract. For example, a covered entity may require a business associate to notify them of a security incident within a shorter period of time than stipulated by HIPAA.
It may also be the case that a covered entity requires a business associate to implement more stringent security measures than required by HIPAA, or that – due to the nature of the function(s) being provided – the covered entity adds a clause requiring members of a business associate's workforce to undergo Privacy Rule training.
Some “one-size-fits-all” Business Associate Agreements prepared for customers of large cloud service providers include a clause releasing the business associate from responding to patient access requests and PHI amendment requests because PHI is not stored (by the business associate) in designated record sets.
Other optional clauses can cover the liability for the costs of responding to and recovering from a data breach, and can even include a requirement for a business associate to have insurance in case a data breach occurs. Effectively, a Business Associate Agreement can state anything, provided the essential elements are included.
Why Might an Agreement be Non-Compliant?
An Agreement can be non-compliant if any of the essential elements are excluded from the Agreement without an explanation. For example, if a business associate is released from responding to patient access requests because PHI is not stored (by the business associate) in designated record sets, the exclusion is explained and the Agreement is still compliant.
However, an Agreement would be non-compliant if it did not allow disclosures of PHI “as required by law”, if it did not require the implementation of security safeguards, or if it did not require that a business associate obtain “documented assurances” (i.e., a further Business Associate Agreement) before disclosing PHI to a subcontractor.
An Agreement can also be non-compliant if it is not periodically reviewed by the covered entity. In 2016, a covered entity who had not reviewed and updated their Business Associate Agreement for ten years was fined $400,000 by HHS’ Office for Civil Rights after their business associate mislaid backup tapes containing unencrypted PHI.
One further event that can result in non-compliance is when a Business Associate Agreement from a cloud services provider only covers “in-scope” services. If a member of the workforce assumes the Agreement applies to all services and (for example) sends an email via an out-of-scope service, this would constitute a HIPAA violation.
In What Scenarios are Agreements Unnecessary?
There are many examples of covered entities unnecessarily requiring service providers to sign Business Associate Agreements because the service provider may have incidental or accidental access to PHI (e.g., environmental services, landscape services, etc.).
While many covered entities will be aware that Agreements are not necessary in these circumstances, there are some scenarios in which covered entities still spend time (and money) entering into Agreements for business arrangements that HIPAA already permits without one. These include:
- When a hospital discloses PHI to an external healthcare professional to treat a referred patient.
- When PHI is disclosed to an external laboratory when the purpose of the disclosure is to treat a patient.
- When a healthcare provider discloses PHI to a health plan to support a Part 162 transaction.
- When a “conduit” such as the U.S. Postal Service, DHL, or FedEx has access to PHI in the delivery of a service.
- When a financial institution processes a payment relating to healthcare or health insurance premiums.
- When PHI is disclosed for research purposes – either as a limited data set or with patient authorization.
Units of an Organized Health Care Arrangement (OHCA) are also not required to enter into a Business Associate Agreement with each other – for example, when covered entities who participate in the same OHCA make disclosures that relate to the joint health care activities of the OHCA or when a group health plan purchases insurance from a health insurance issuer or HMO.
Conclusion: Why are Compliant Business Associate Agreements Important?
Compliant Business Associate Agreements are important because the failure to enter into a compliant contract between a covered entity and a business associate can result in avoidable HIPAA violations, which in turn can contribute to the sanctions imposed by HHS’ Office for Civil Rights being extended in time or increased in value.
There are many examples of covered entities and business associates being required to comply with Corrective Action Plans for extended periods due to the failure to have a compliant Business Associate Agreement in place, or having the amount of a civil monetary penalty increased. In one case, a covered entity in Illinois was fined $31,000 for the failure to enter into a contract with a business associate, even though no other violation of HIPAA had occurred.
Therefore, if your organization is a HIPAA covered entity or a business associate, and you are unsure of when an Agreement is necessary, what essential elements must be included, what optional clauses can be added, or why an Agreement might be non-compliant, it is recommended you seek advice from a HIPAA compliance professional.