What is a HIPAA Business Associate Agreement?

It can be challenging, if not impossible, for an organization to operate without the involvement of third parties. A third-party organization may create, receive, maintain, or transmit protected health information (PHI) on your organization’s behalf. A Health Insurance Portability and Accountability Act (HIPAA) business associate agreement (BAA) is the best tool you have to protect your organization if that third party mishandles PHI. Since both covered entities and their business associates (BAs) are responsible for keeping PHI safe, it is in their shared interest to have a BAA in place and to maintain a thorough understanding of their relationship and of how each expects the other to secure patient, client, or employee data. The HIPAA Privacy Rule requires every covered entity to have a signed BAA with any BA it engages that may have access to PHI. In this post, we go into detail about what a HIPAA Business Associate Agreement is and who is required to have one.

What is a business associate agreement?

A HIPAA Business Associate Agreement is a legal contract between a HIPAA covered entity and an individual or organization that performs functions or activities involving the use or disclosure of PHI on behalf of the covered entity, or that provides services to it. BAAs are a crucial part of HIPAA compliance for any company. A designated security officer, an attorney, or a HIPAA compliance solution is the best resource for understanding these legally binding contracts.

Business Associate Contracts

HIPAA regulations require that covered entities only partner with BAs who can provide satisfactory assurances that they will protect the integrity and security of PHI. A BAA is a contract that outlines each party's responsibilities in relation to PHI. Business associate contracts must include the elements required by 45 CFR 164.504(e), and those elements must be incorporated into any contract or other written agreement between a covered entity and its BA. For example, business associate contracts must:

  • Establish what PHI the BA will access and the permitted and required uses and disclosures of it
  • Require that the BA use appropriate safeguards to protect PHI
  • Provide that the BA will not use or disclose PHI except as permitted by the agreement or required by law
  • Require and track the necessary HIPAA training for employees
  • Define procedures in the event of a data breach, including how the BA reports it to the covered entity
  • Require that any subcontractor of the BA agree to the same restrictions and conditions
  • Detail the conditions for termination of the agreement
  • Describe the process for return or destruction of PHI when the agreement ends

A BAA spells out the authorized and unauthorized uses of PHI between two HIPAA-responsible organizations. To maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI), the contract must require that the BA implement appropriate administrative, physical, and technical safeguards in accordance with the Security Rule. Contracts can cover the relationship between a covered entity and a BA, as well as the relationship between a BA and its subcontractor. The consequences of violating HIPAA regulations should also be explained to the BA: regulators have the authority to penalize BAs directly for HIPAA violations.

What is a business associate?

According to the Department of Health and Human Services (HHS), a BA is a person or entity, other than a member of the covered entity's workforce, that performs functions or activities on behalf of, or provides certain services to, a covered entity, where those functions or services involve access to PHI. A subcontractor that creates, receives, maintains, or transmits PHI on behalf of another BA is also a BA. In other words, if a third-party organization could have access to PHI while carrying out its assigned tasks, it is a business associate. Under HIPAA there are two types of entities accountable for protecting PHI:

  1. Covered Entities
  2. Business Associates

Most covered entities are organizations that interact directly with patients, such as hospitals, doctors' offices, and clinics, or that have access to patient data, such as health insurance providers. Although BAs typically do not interact with patients, they may process or have access to their medical records. Because of the scale and complexity of modern healthcare, PHI is present in many organizations besides hospitals and doctors' offices. For example, this data can be found in:

  • Physical copies of medical records managed offsite in storage
  • Data sent between locations, by mail or electronically
  • Financial data used by third-party billing companies
  • Patient data stored on a cloud-based server maintained by a third party

Who can be a business associate?

Examples of businesses that would be considered as BAs when working with covered entities include:

  • Pharmacy benefit managers
  • Patient safety or accreditation organizations
  • Medical transcription companies
  • Software companies and data processing firms with access to PHI
  • Companies in claims processing or collections
  • Third-party administrators
  • Answering services
  • Lawyers
  • Accountants
  • Professional translators
  • Medical equipment service businesses that maintain equipment containing PHI

Some businesses may also be considered BAs, depending on the data they access as part of their service agreement:

  • Financial firms
  • Auditors
  • Accounting firms
  • Law firms

Keep in mind that organizations outside the United States can also be classified as BAs if any of the information they receive, transmit, or maintain could be used to identify a patient in the US.

What happens if my business associate discloses PHI?

A BA's failure to comply with the requirements of its contract can have substantial consequences. According to HHS, a BA that uses or discloses PHI in violation of its contract or the law is directly liable under the HIPAA Rules and may face civil and, in some situations, criminal penalties. A BA that violates the HIPAA Security Rule by failing to protect ePHI is likewise directly liable and subject to civil penalties. On the covered entity's side, if it knows of a pattern of activity or practice by the BA that constitutes a material breach or violation of the BAA, it must take reasonable steps to cure the breach or end the violation; if those steps are unsuccessful, it must terminate the contract or agreement if feasible. (Before the 2013 HIPAA Omnibus Final Rule, covered entities also had to report the matter to the HHS Office for Civil Rights when termination was not feasible; that reporting requirement was removed.) For more information about business associate agreements, visit the Department of Health and Human Services (HHS) website. Need HIPAA certification? Get your online HIPAA Business Associate training today!