Business Associate Agreements
At its simplest, a Business Associate Agreement (BAA) is a legal contract between a healthcare provider and an individual or organization that will receive access to, transmit, or store Protected Health Information (PHI) as part of its services for the provider. Whether you prefer to call it a Business Associate Agreement, or, like HIPAA, call it a Business Associate Contract, either way, they are a critical component of any organization's efforts to comply with the Health Insurance Portability and Accountability Act. Below, we’ve compiled the basic components and definitions of a HIPAA Business Associate Agreement template for you to browse. Keep in mind that HIPAA BAA's are legally binding agreements, so it’s best to have a designated security officer, lawyer, or a HIPAA Compliance solution help you navigate these contracts.
Who are Healthcare Business Associates?
The size and complexity of modern healthcare means that PHI can be found in more places than simply your doctor’s office; this data can be found in plenty of businesses: Physical copies of x-rays may be maintained offsite, insurance information can be used by third-party billing companies, health data can be sent to and from locations either via mail or electronically, or prescription information can be stored on a cloud-based server maintained by a third party in a different state.
“[A] person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”
Essentially, if an organization is hired to use, store, transmit, or access protected health information in any way, they’re most likely going to qualify as a BA under HIPAA.
What is a Business Associate Agreement?
The HIPAA legislation requires that Covered Entities should only work with Business Associates who can assure that they can safeguard the security and integrity of PHI. These assurances have to come in the form of a contract or other agreement between the Covered Entity and the Business Associate, called A Business Associate Agreement. A BAA is a written contract that specifies each party’s responsibilities when it comes to PHI.
It’s in both the Covered Entities and their Business Associates best interests to have an BAA in place, since both parties are responsible for protecting PHI. A HIPAA Business Associate Agreement is the best way to protect your practice or organization in the event of a breach from your vendor. If that doesn’t convince you, BAA's are mandated by the HIPAA Security Rule. At its most basic, BAA's must contain these provisions:
- Determine what PHI the Business Associate will access
- Require that the Business Associate will use appropriate safeguards to secure PHI
- Provide that the BA will not disclose protected health information save when permitted by the agreement
- Require and log appropriate Employee HIPAA Training
- Outline procedures in the event of a data breach
- Contain necessity subcontractor compliance
- Detail provisions for the termination of the agreement
- Describe process of destruction or return of PHI
Business Associate Agreements consist of information regarding the permissible and impermissible uses of PHI between two HIPAA-beholden organizations. The contract should require that the business associate must implement appropriate administrative, technical, and physical safeguards according to the Security Rule to ensure the confidentiality, integrity, and availability of ePHI. The contracts can also be formatted to detail the relationships between a covered entity and a business associate, as well as relationships between two business associates.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations.
Business Associate Agreements should be compared to the rules and regulations of HIPAA to ensure that they cover every aspect of the working relationship. In our case, the BAAs that Accountable shares in our HIPAA compliance platform are fully vetted and are included as a part of our solution.
Who needs a Business Associate Agreement?
As said above, if a third party organization could potentially access some PHI in the normal course of their delegated work, they are a business associate and need to sign a Business Associate Agreement.
Direct employees of that organization do not need to sign a BAA, because they are part of your organization and aren’t considered as business associates themselves. That said, they still fall under HIPAA laws. As an employer, you’re responsible to train your employees in how to maintain the integrity and sanctity of protected health information.
If you hire a subcontractor, and that contractor will come in contact with any PHI you will need to execute a BAA between the two of you. The Privacy Rule states that all contractors of business associates have to agree to identical restrictions as the original business associate.
Liability for a breach of a BAA
BAAs both satisfy HIPAA regulations and create a bond of liability between the two parties. If one party violates a BAA and discloses PHI, the other has legal recourse. If there’s no BAA or it’s incomplete, or if the agreement gets egregiously violated, then both associates may find themselves in the crosshairs of the Department of Health & Human Services, the Office of Civil Rights, and perhaps even the Department of Justice.
Unlike most contracts, a HIPAA business associate agreement does not necessarily protect a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain assurance that a business associate is able to operate within a HIPAA-compliant framework before entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.
However, if the covered entity did its due diligence prior to entering into an agreement, such situations are rare. Assuming the covered entity did its diligence, it isn’t likely that the covered entity would be found at fault if a vendor breaches the BAA and violates HIPAA in some way. When the vendor signs the document, they assume the liability for safeguarding PHI.
In the event that PHI under the care of the business associate is accessed by individuals unauthorized to view the information, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The timescale and responsibilities for notifications should be detailed in the agreement. While it may sound reasonable to have a short window to report a breach, consider that the BA might not even know about the breach until several days later after the event.
For this reason, it’s best for BAAs to include language like, “as soon as the breach is discovered or should have been discovered” in the Breach Notification section of the agreement.
Business Associate Agreements in Review
There are many examples of Business Associate Agreements online, but it is important that you take care before using such templates as they may have been designed for a different relationship. Each BAA should be customized for the unique nature of the relationship between the Covered Entity and the respective business associate.
A BAA is a crucial component for any person, company, or other organization that handles PHI that comes from a covered entity. Not only does it outline the relationship between the two parties, but it can also protect one of them in the event of a breach.
Every time a healthcare provider or vendor hires a contractor that handles protected health information as part of their assigned work, both parties must sign a BAA.
Accountable comes ready with multiple Business Associate Agreement templates that are easily customizable for all types of service agreements and will allow the Covered Entity and Business Associate to conduct HIPAA risk assessments to identity potential risks and vulnerabilities, adopt the correct policies and procedures to safeguard the PHI under their care, as well as provide them both a framework to become compliant with HIPAA.