HIPAA Business Associate Agreements (BAA) are legal contracts between HIPAA-covered entities (CEs) and their business associates (BAs) that outline the responsibilities and liabilities of both parties regarding the use, storage, and disclosure of PHI. They are an essential tool for any healthcare organization or business that handles PHI and, indeed, are required by HIPAA whenever a CE shares PHI with a BA.
As healthcare providers and businesses continue to evolve and embrace new technologies, the need for data security and patient privacy becomes increasingly vital. HIPAA compliance regulations dictate how sensitive information should be managed, accessed, and transmitted, and healthcare professionals and businesses are held to high standards regarding patient data. In this comprehensive guide, we’ll explore what a BAA is, with whom it must be entered into, what should be included in the agreement, and best practices for BA management.
DISCLAIMER: The information provided in this blog post is for educational purposes only and should not be construed as legal advice. You should consult with legal counsel regarding any questions or concerns you may have about Business Associate Agreements, as they are legally binding instruments. The author of this post is not a lawyer and does not hold themselves out to be one. The information provided in this post may not reflect the most current legal developments or changes to HIPAA regulations.
Business Associates & Business Associate Agreements
Who is a Business Associate?
Before we dive into the specifics of a BAA, we should first briefly discuss the definition of a business associate. The HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
A few examples of business associates are:
- A third-party administrator who performs claims processing.
- A healthcare clearinghouse that performs translation services between non-standard formats and standard transaction formats for the purposes of sending those transactions to a payer.
- A cloud service provider (such as Microsoft Azure). See our blog post on HIPAA & Cloud Computing for more information on cloud service providers as business associates.
The full legal definition of a business associate (which includes examples of BAs as well as exceptions) can be found at 45 CFR §160.103.
Business Associates’ Direct Liability
Prior to the HITECH Act, business associates were not directly liable for violations of the HIPAA Privacy and Security Rules. Instead, BAs were only liable for compliance with the terms of their BAA with a CE. This meant that if a BA violated HIPAA regulations, only the CE could be held directly liable for the violation, not the BA itself.
The HITECH Act, however, introduced significant modifications to HIPAA, including expanding the direct liability of BAs. Under the HITECH Act, BAs are now directly liable for complying with many of the requirements of the HIPAA Privacy and Security Rules, including the implementation of appropriate safeguards to protect PHI and the reporting of breaches of unsecured PHI to the CE. BAs are also subject to civil and criminal penalties for violations of HIPAA regulations, just like CEs.
These modifications have significantly increased the responsibility and accountability of BAs under HIPAA. BAs must now take proactive measures to ensure compliance with HIPAA regulations and implement appropriate safeguards to protect PHI. Additionally, BAs must work closely with their CE clients to ensure that they are meeting their obligations under the HIPAA Privacy and Security Rules.
Now that we have a better understanding of what a BA is let’s look at what a BAA is (and is not).
Business Associate Agreements are NOT Service Contracts
As with most third-party vendors, organizations typically have some kind of service contract with a BA that sets forth provisions such as price, payment, term of service, etc. It may even have sections that discuss privacy and confidentiality. However, it’s important to note that these service contracts are NOT the same as a BAA, as the BAA must contain specific elements as required by HIPAA. We’ll discuss these elements in more detail in a moment.
Strictly speaking, it is possible for a service contract or some other form of master services agreement to contain a section(s) that addresses the elements of a BAA. However, many CEs & BAs elect to have the BAA exist as a separate, standalone agreement.
Business Associate Agreements ARE Legally Binding
A BAA is just like any other contract or agreement in that it is legally binding upon both the CE and the BA. BAAs should be reviewed by legal counsel knowledgeable in HIPAA and contract law in the state(s) where the CE operates.
Business Associates & Subcontractors MUST Have Their Own BAA
If a BA uses or otherwise subcontracts with another company while meeting their obligations to the CE with whom they are doing business, and if the BA discloses PHI to that company, then the BA is required to have a BAA with that company. For example, if a BA uses a cloud service provider and stores PHI in that cloud environment, then the BA must enter into a BAA with the cloud service provider.
Required Elements of a BAA
There are several elements that HHS requires to be present in any BAA.
Permitted & Required Uses of PHI
The BAA must iterate and describe the required uses and disclosures of PHI by the BA. It must also stipulate that the BA will not use the PHI for any other purpose outside what is stated in the contract or as required by law.
Security Rule Safeguards
BAs must implement appropriate safeguards as per the HIPAA Security Rule designed to prevent the unauthorized use or disclosure of PHI in its possession.
Notification of Breach or Unauthorized Use
If the BA suffers a breach or becomes aware of any use of the CE’s PHI that is not specifically provided for by the contract, the BA must promptly report this to the CE. The CE, upon learning of a breach at the BA, is obligated under HIPAA to cure the breach or end the violation. If this is unsuccessful, the CE must terminate the contract with the BA. However, if termination is not possible, such as when there are no other viable alternatives for the CE, then the CE must report the problem to OCR.
Disclosure of PHI to CE (Right of Access)
The BA must disclose PHI to satisfy a CE’s obligation as it pertains to an individual’s request for copies of their PHI. The BA must also make the PHI available for amendments and, if applicable, incorporate any amendments. This requirement relates directly to an individual’s “Right of Access” to their PHI.
CE Obligations Under the Privacy Rule
If a CE delegates the responsibility of providing individuals with access to their PHI to the BA, the BA must adhere to the requirements of the Privacy Rule, such as providing access within 30 days of a request and charging only reasonable and cost-based fees.
Access by HHS
The BA must make available to HHS its “internal practices, books, and records” relating to PHI use and disclosure, including that which has been created or received by the BA on the CE’s behalf. This is typically done by the HHS to determine the CE’s compliance with the Privacy Rule.
Destruction of PHI
When the BA’s contract is terminated or otherwise ended with the CE, the BA must, to the fullest extent possible, return or destroy all PHI received from or created or received by the BA on behalf of the CE.
As discussed in the previous section, a BA must ensure that any subcontractors it engages on its behalf who will have access to PHI agree to the same restrictions and conditions that apply to the BA regarding the use and disclosure of PHI.
Termination Due to Violation
If the BA violates a material term of the BAA (such as failing to cure a breach), the CE must have the authority to terminate the contract with the BA.
Recommended Sections in the BAA
Although BAA’s will differ from CE to CE and/or BA to BA, there are some sections that every agreement should contain. Here’s a list of sections that should be contained in the BAA, along with a brief explanation for each.
- Definitions. This is standard practice for any contract; any key terms contained in the agreement should have clear definitions. For some terms specific to the HIPAA Rules, it should be explicitly specified that those terms within the BAA have the same meaning as dictated in HIPAA.
- Permitted Uses & Disclosures. As discussed in the previous section, every BAA must have specific information regarding the permitted uses and disclosures of the PHI by the BA. This can be done either by providing a specific list of the permissible purposes in the BAA or by referencing an underlying agreement (e.g., “as necessary to perform the services as set forth in the Service Agreement”).
- Privacy Practices & Restrictions. This optional section could cover provisions for the CE to inform the BA of any limitations contained in their notice of privacy practices pertaining to the use or disclosure of PHI.
- Term & Termination. This section should state the term for which the BAA will be effective and the ability for the CE to terminate for cause their contract with the BA (e.g., in response to a breach). This section could also contain the obligations of each party upon termination of the contract (either for cause or otherwise). Many BAAs state the beginning date of the Agreement but stipulate that the Agreement will be effective indefinitely or when an underlying service agreement is terminated, not reviewed, or otherwise ended.
Best Practices for BA Management
Vendor management is a critical aspect of any organization’s overall operational posture. While not specific to BAs, practicing good vendor management should be part and parcel of a CE’s process. The following are a few examples of best practices for BA management (and vendor management in general).
Conducting due diligence on potential BAs: Before entering into a BAA, you need to conduct due diligence on potential business associates to ensure they are HIPAA compliant. You should assess their security and privacy practices and review their HIPAA compliance program, including their risk management, incident response, and emergency operations plans.
Ensuring ongoing compliance with BAAs: It’s essential to monitor your BAs’ compliance with your BAA regularly. Conduct periodic reviews to make sure your BAs are following HIPAA regulations and the terms of your BAA. Consider placing provisions in the BAA that allow your organization to review recent information security audits or risk assessment reports periodically.
Responding to BA breaches and incidents: You need to have a plan in place to respond to BA breaches and incidents. Make sure your BAs report any potential breaches to you immediately. Responding to breaches quickly can help minimize the damage and potential liability. The processes and procedures for responding to a BA breach should be incorporated into your organization’s incident response plan.
Communication is critical to managing your BAs. Make sure you have a clear communication plan in place so that everyone involved knows their responsibilities and understands how to manage and respond to incidents. Train your staff and your BAs on HIPAA compliance regularly and conduct regular risk assessments to identify areas where your compliance program may need improvement.
In conclusion, HIPAA Business Associate Agreements are crucial for maintaining HIPAA compliance and protecting patient information. By defining the responsibilities of business associates and requiring them to implement safeguards to protect PHI, BAAs play a critical role in protecting patient privacy.
With healthcare data breaches on the rise, now is the time for healthcare organizations to review and update their BA management practices. By taking proactive steps to manage their business associates, organizations can safeguard patient data and minimize the risk of a costly HIPAA violation.
Contact Axeleos today and let us help you conduct a due diligence review of your current BAs.