What is a HIPAA Business Associate Agreement?

Healthcare organizations rely on a wide range of partners to manage operations, from IT services to billing companies. When these partners have access to sensitive patient data, they must adhere to strict privacy rules outlined in a HIPAA Business Associate Agreement (BAA). But what is a BAA, and who needs one? In this blog, we’ll explore the role of BAAs, why they’re critical for compliance, and what should be included in these agreements.

Outline

  1. Who is a Business Associate?
  2. What are Examples of a Business Associate?
  3. What is a Business Associate Agreement?
  4. Key Components of a HIPAA BA Agreement
  5. Three Common Misconceptions about HIPAA BA Agreements
  6. This Course Helps You Develop a Fail-Proof Business Associate Agreement

Key Takeaways

  • A business associate (BA) is a person or entity who performs functions or activities on behalf of a covered entity.
  • A business associate agreement is a legal document that describes the relationship between HIPAA-covered entities and their business associates.
  • The objective of a BA agreement is to safeguard the integrity and privacy of PHI.
  • A solid BA agreement must outline all the requirements and expectations of the contract, including consequences for non-compliance and breach.

Who Is a Business Associate?

The Department of Health and Human Services (HHS) defines a business associate (BA) as a person or entity who performs functions or activities on behalf of a covered entity. These services typically involve access to Protected Health Information (PHI). A business associate can also be a subcontractor who creates, receives, maintains, or transmits PHI on behalf of another BA. A business associate is not a member of the covered entity's workforce. Under HIPAA, there are two different kinds of entity accountable for protecting PHI:

  1. Covered Entities
  2. Business Associates

Most covered entities are businesses that interact directly with patients, such as hospitals, doctors' offices, and clinics, or that have access to their data, like insurance providers. Although BAs don't interact with patients, they may administer or have access to their medical records. Because of the scale and complexity of modern healthcare, PHI is present in many organizations besides hospitals and doctors' offices. For example:

  • Physical copies of medical records may be managed offsite in storage
  • Data may be sent between locations, by mail or electronically
  • Financial data may be used by third-party billing companies
  • Patient data may be stored on a cloud-based server maintained by a third party

What are Examples of a Business Associate?

Examples of businesses that would be considered BAs when working with covered entities include:

  • Pharmacy benefit managers
  • Patient safety or accreditation organizations
  • Medical transcription companies
  • Accreditation companies
  • Software companies with access to PHI
  • Companies in claims processing or collections
  • Third-party administrators
  • Answering services
  • Lawyers
  • Accountants
  • Professional translators
  • Data processing firms or software companies that may be exposed to PHI
  • Medical equipment services businesses that maintain equipment containing PHI

Some businesses that may also be considered BAs, depending on the data they have access to as part of their service agreement, are:

  • Financial firms
  • Auditors
  • Accounting firms
  • Law firms

Keep in mind that even organizations outside the United States can be classified as BAs if any of the information they receive, transmit, or maintain can be potentially used to identify a patient in the US.

What Is a Business Associate Agreement?

A business associate agreement is a legal document that describes the relationship between HIPAA-covered entities and their business associates. The objective of this agreement is to safeguard the integrity and privacy of PHI. A solid BA agreement must outline all the requirements and expectations of the contract, including consequences for non-compliance and breach. According to HHS, a BA who breaches any HIPAA regulations is liable to civil and/or criminal penalties. In some cases, both the covered entity and the BA are liable for such penalties.

Key Components of a HIPAA BA Agreement

A well-written BA agreement is the first step in reducing the risk of non-compliance penalties. The following are the legal requirements for a well-written BA agreement.

  1. Basic information

Like other legally binding documents, a business associate agreement must have a date at the top of the document and at the bottom. The top date indicates when the agreement was created, while the bottom date indicates when the document was signed. The agreement must also have the names of the parties involved. You should write these names in full and exactly as they appear on official ID cards.

  2. Scope of the agreement

The contract should ideally begin with a detailed explanation of the importance of HIPAA compliance to both the business associate and the covered entity. It should also contain a clear description of the business associate's duties and the covered entity's responsibilities to the business associate. Next, describe the nature and extent of PHI accessible to the business associate and their subcontractors. You should define what access and use is permissible and impermissible as established by existing laws and regulations.

  3. Safeguarding measures

This should be a detailed outline or compliance checklist of the physical, technical, and administrative measures the business associate must take to safeguard the integrity and confidentiality of PHI.

  4. Workforce HIPAA training

The contract must also include a protocol for training all workforce members on HIPAA compliance. This includes training for both the business associate and the covered entity.

  5. Remedies for breach

This section should outline the protocol in the event of a breach. For example, this might include risk assessment, risk control, and other best practices to contain the breach and prevent spread.

  6. Terms and termination

In this section, describe in detail the consequences of non-compliance with HIPAA regulations. Also, outline the consequences of breaching the contract requirements.

Three Common Misconceptions about HIPAA BA Agreements

Misconceptions about HIPAA BA agreements increase the risk of non-compliance. To protect your business from costs and losses associated with non-compliance, stay informed on the latest information on HIPAA-BA agreements. Here are some common misconceptions that increase the risk of non-compliance.

  1. All vendors are automatically BAs

Not every vendor is a business associate to a covered entity. As defined earlier, a business associate must have access to PHI and must not be an employee of the covered entity.

  2. Subcontractors don't need BA agreements

This is a common misconception with great risk for non-compliance. Subcontractors of business associates must sign contracts with their covered entities. Doing so protects the covered entities and their business associates from risk. If there is a data breach on the part of the subcontractor, the subcontractor is liable for their actions.

  3. HIPAA BA agreements are only for healthcare providers

This is far from the truth. HIPAA BA agreements are not just for healthcare providers; they are for anyone who handles or has access to PHI.

Start With HIPAA Exams Today

The HIPAA for Business Associate Course gives you all the information you need to create a fail-proof contract for business associates, subcontractors, and vendors. For example, the course clearly describes how the Omnibus Rule affects covered entities, business associates, and subcontractors. You also learn about the different HIPAA rules and regulations, and how they apply to covered entities, business associates, and their contractors.

This 90-minute course is designed for the busy business associate. It is also accredited by the IACET to offer 0.2 continuing education units. To learn more about the course, visit our website today.


References

1. US Department of Health and Human Services (2024). Omnibus HIPAA Rulemaking
2. US Department of Health and Human Services (2024). Business Associates
3. US Department of Health and Human Services (2024). Business Associate Contracts