HIPAA for Business Associates

Like covered entities, BAs must comply with HIPAA to avoid severe penalties. BAs are required to: 

• Develop and comply with valid BAAs. To comply with HIPAA, covered entities are required to sign a BAA with their BA before sharing any PHI with them for privacy and security reasons.
• Establish legal subcontractor agreements. The BA must require that their subcontractors adhere to HIPAA regulations if they access, transfer, or otherwise encounter PHI.
• Comply with privacy rules. Many of the policies and protections that the Privacy Rule requires for covered entities to establish, such as those that regulate how PHI is used and disclosed and how individuals have rights concerning their PHI, will generally also need to be implemented by BAs.
• Perform a HIPAA Security Rule risk analysis. BAs must perform and document a HIPAA risk assessment of their computer and other information systems to detect potential security risks and take necessary action. 
• Execute Security Rule safeguards. The Security Rules specify administrative, physical, and technical safeguards that BAs must implement.
• Implement written Security Rule policies. BAs must establish and maintain the written procedures required by the Security Rule. 
• Act immediately to a violation or breach. If a BA permits or experiences a PHI breach, they should notify the covered entity immediately.
• Enforce HIPAA training for employees. BA employees should participate in and complete HIPAA training to fully comprehend their obligations concerning protecting PHI. 
• Keep required documentation. BAs are required to preserve documents required by the Security Rule for six years following the document’s last effective date. 
• Destroy or return PHI. The BA must agree to return or destroy any PHI they received from the covered entity they are working with once their services are finished. This also includes subcontractors. 
• Examine other federal or state privacy laws. If a state or other federal law has stricter regulations than HIPAA, BAs should abide by that law.

If certain requirements are met, PHI can typically be shared directly from one BA to another BA of the same covered entity without using the covered entity as a conduit or intermediary. The conditions to be met can depend on factors such as: 

• Whether the covered entity directed the BA to make the disclosure
• Whether the BA contract authorized the disclosure
• The purpose of the disclosure

Like covered entities, BAs may be held accountable for PHI exposure. By signing a BAA, BAs are required to follow HIPAA regulations or risk paying penalties for HIPAA noncompliance. 

According to the HHS, if an unsecured PHI breach occurs at or by a BA, the BA must notify the covered entity immediately upon the discovery. HIPAA allows a 60-day window upon discovery to notify the covered entity of a breach. To the extent practicable, the BA should disclose to the covered entity the identification of each person affected by the breach and such additional Information as may be required by the Covered Entity in its notice to the individuals affected by the breach. 

A HIPAA business associate agreement (BAA) is a contract between a covered entity and an organization or individual outlining the duties and responsibilities of that organization as it relates to the protection of any PHI shared between the two parties. HIPAA requires a BAA for covered entities and their BAs with access to PHI as part of their services. 

For more information on HIPAA Business Associates, visit the U.S. Department of Health & Human Services (HHS) website. 

The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates to protect the privacy of protected health information; however, covered entities are not required to monitor or oversee how their business associates carry out privacy safeguards.

If patient information is compromised, the healthcare industry will ultimately shoulder the burden. As a result, a third-party IT security vendor should have the knowledge and experience to meet the highest HIPAA compliance criteria.