HIPAA Business Associate Agreement – Complete Guide

Vimal Mohan

Jan 29, 2024

HIPAA Business Associate Agreement

HIPAA requires all covered entities to protect the integrity and confidentiality of patient information. With the rapidly evolving global cyber threat landscape, it is virtually impossible for covered entities not to rely on third-party service providers to secure PHI (Protected Health Information) in a manner that is easy, efficient, and scalable.

When covered entities share access to PHI with third parties, how can they ensure that the third-party service provider upholds the same level of integrity, confidentiality, and security for PHI as they do? The answer: Business Associate Agreements (BAAs).

This article is for you if you get access to PHI when working with covered entities. Here you gain more insight into how BAAs work and how to protect your organization from the ramifications of a HIPAA violation. We will also talk about BAA exceptions, how a BAA for HIPAA compliance works, and what happens when a BAA is breached.

Towards the end of the article, we’ve also included a sample HIPAA Business Associate Agreement for you to download for reference.

Who is a Business Associate under HIPAA?

A business associate is a party that provides services to a covered entity, or performs certain functions directly or indirectly on behalf of the covered entity, that involve the use or disclosure of Protected Health Information (PHI).

A covered entity under the Health Insurance Portability and Accountability Act is any healthcare provider, health plan, or healthcare clearinghouse. A member of the covered entity’s workforce is, however, not a business associate. A covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity.

The HIPAA Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a Business Associate if the activity or service involves the use or disclosure of protected health information. The functions or activities that may make a person or entity a business associate include billing services, health care operations functions, and other activities regulated by the Administrative Simplification Rules.

Roles and Responsibilities of a Business Associate

A business associate is entrusted with the responsibility of ensuring the security and privacy of PHI while providing quality service to its customers, i.e., covered entities. While performing its duties, the BA must implement robust safeguards, promptly report breaches, and train its employees.

These are the roles and responsibilities of a Business Associate within the scope of HIPAA:

Entering into BAA

The business associate must enter into a business associate agreement with the covered entity that clearly outlines the roles and responsibilities of the BA with respect to the protection of PHI.

Safeguarding PHI

The business associate is responsible for ensuring the confidentiality, integrity and availability of PHI by ensuring adherence to HIPAA standards. It must implement technical, administrative and physical safeguards to protect PHI from unauthorized access or disclosure.

Arranging HIPAA training

Any employee in the business associate organization who directly or indirectly deals with ePHI must receive HIPAA training. Employees must be aware of the importance of safeguarding sensitive information and of the obligations under the BAA.

Breach notification

A business associate must abide by the breach notification rules laid down under HIPAA. In case of a security incident or breach, it is the responsibility of the business associate to notify the covered entity no later than 60 days after discovery of the breach.

Subcontractors compliance

If a business associate is working with a subcontractor to perform any functions that involve the use or disclosure of PHI, it must ensure that the subcontractor also complies with HIPAA requirements and safeguards PHI.

Documentation and record-keeping

The business associate must maintain documents related to PHI processing and protection to ensure that it is fulfilling all its obligations while maintaining compliance with HIPAA regulations.

What is a HIPAA Business Associate Agreement?

A Business Associate Agreement (BAA) is a legal contract or written agreement signed between a covered entity and a Business Associate for the secure use, disclosure, or processing of PHI. It is also used between a Business Associate and a Business Associate Subcontractor to specify each party’s tasks to protect and secure PHI.

HIPAA mandates that covered entities only work with accountable business associates with whom they have signed agreements towards protecting PHI.

HIPAA audits Covered Entities, Business Associates, and Business Associates’ Subcontractors for compliance. So, if your organization shares PHI with any other organization, it is best to have Business Associate contracts in place to ensure that the shared responsibility of protecting PHI is legally documented.

What is a BAA for Covered Entities?

A BAA should include the following:

  • It should describe in detail the activities a Business Associate or Business Associate Subcontractor can perform with the PHI shared with them.
  • It should list the security methods and protocols required of Business Associates and Business Associate Subcontractors to ensure that the integrity, security, and confidentiality of PHI are not violated.
  • It should mandate that Business Associates and Business Associate Subcontractors not use the PHI for more than what is permitted by the covered entity and by the law.

When a covered health care provider becomes aware of a breach or a violation of the business associate agreement by the BA or BAS, the covered entity must take measures to fix the breach or violation. If the actions taken yield no positive results, the covered entity must end its Business Associate Agreement with them immediately. When terminating the contract or agreement is impossible, the covered entity must report the breach incident or agreement violation of the BA/BAS to the HHS Office for Civil Rights (OCR).

If you are a vendor working with a covered entity, it is best to constantly monitor your information security systems and look for potential vulnerabilities. In instances where you are convinced that a breach has occurred, inform the covered entity immediately.

HIPAA transition provisions for existing BAA contracts

According to HHS: “Covered entities (other than small health plans) that have an existing contract (or other written agreement) with a business associate before October 15, 2002, are permitted to continue to operate under that contract for up to one additional year beyond the April 14, 2003 compliance date, provided that the contract is not renewed or modified prior to April 14, 2003.

This transition period applies only to written contracts or other written arrangements. Oral contracts or other arrangements are not eligible for the transition period. Covered entities with contracts that qualify are permitted to continue to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner, regardless of whether the contract meets the Rule’s applicable contract requirements at 45 CFR 164.502(e) and 164.504(e).”

What is the Difference Between BAA and BASA?

A Business Associate Subcontractor is an entity or person to whom a Business Associate delegates services or work and shares access to PHI.

Examples of Business Associate Subcontractors are:

  • Accounting services
  • Law firms
  • Backup and disaster management services
  • Email encryption services
  • Shredding services
  • Cloud service providers

The primary differentiating factor between a BAA and a Business Associate Subcontractor Agreement (BASA) is that a BAA is a contract between a covered entity and a Business Associate, while a BASA is between a Business Associate and a Business Associate Subcontractor.

A Business Associate Subcontractor Agreement ensures that when a Business Associate shares PHI with a Business Associate Subcontractor, the same standards are upheld for PHI.

Requirements of HIPAA business associate agreement

A section of the HIPAA Privacy Rule, i.e., 45 CFR 164.504(e), lays the foundation for the applicable requirements of business associate agreements. The agreement starts with basic details such as the names of the parties, the date of the agreement, and the method of acceptance. Next, it includes the following details to ensure that everything under HIPAA with respect to a business associate is covered.

Here are the 7 HIPAA BAA requirements you must know:

Permitted use and disclosure

The agreement specifies the legal purposes for which the PHI may be used, accessed or disclosed and also defines any impermissible uses.

Contractual Obligations

The BAA specifies the roles and responsibilities of the business associate, such as implementation of appropriate safeguards, reporting a breach, arranging for workforce training, etc.

Accountability and risk mitigation

The agreement acknowledges the ownership rights of PHI held by covered entities and also specifies their share of responsibility. The business associate’s responsibility and accountability in case of a breach are separately laid out. Both parties must use commercially reasonable efforts to mitigate the risks caused by unauthorized access or disclosure.

Subcontractor compliance

The BAA clarifies that if a subcontractor is engaged to perform certain functions that involve the use or disclosure of PHI, then the business associate will in turn enter into a contract with that third party to ensure subcontractor compliance.

Duration and termination

The legally binding contract stipulates the duration of the business relationship and the conditions under which it shall be terminated. The termination provisions include the return or destruction of PHI by the business associate.

The written agreement also outlines the responsibilities and the limited liabilities of both parties in case of legal representation or losses arising from the business associate relationship.

The agreement has miscellaneous clauses at the end that contain other provisions relevant to the specific business context, such as what is to be done if regulatory requirements change.

What exceptions are provided by HIPAA to the BAA standards?

There are exceptions where an agreement, whether written or oral, is not warranted between a Covered Entity and its Business Associates. These exceptions are listed in the HIPAA Privacy Rule.

The exceptions are:

  • Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met.
  • When PHI is disclosed by a Covered Entity to a healthcare professional for treating an individual. For example, a hospital will not need to sign a Business Associate Agreement with a doctor when it refers the patient to a specialist for medical care and, in the process, shares the patient’s medical history.
    Likewise, a hospital laboratory is exempted from having a BAA for HIPAA compliance when sending secure patient information to another reference hospital laboratory.
  • When the activity to collect medical information is authorized by law. For example, collecting medical data for Medicare (a public benefit program).

What happens if the BA or BAS fails to secure the patient’s information?

“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”

When a Business Associate or a Business Associate Subcontractor violates the agreement, they violate HIPAA laws and regulations. Therefore, they are subject to the same penalties and face the same ramifications that are applied to Covered Entities.

As discussed earlier, whenever a Covered Entity becomes aware of instances where a BA or BAS is violating the terms of the agreement, it must implement measures to fix the violation. However, where the remedial measures do not yield satisfactory results, it must immediately terminate the agreement and, if required, report the BA or BAS or both to the HHS Office for Civil Rights (OCR).

From where can you download the Business associate agreement?

You can download a sample Business Associate Agreement from the official website of the HHS. We’ve included the link to the page here, though it does take some searching to find.

Alternatively, you can download our free Business Associate Agreement Template here.

Is the Business Associate Agreement Fool-Proof?

Organizations must understand that the HIPAA Business Associate Agreement is a legal agreement rather than a foolproof mechanism to ensure the security and confidentiality of PHI. Therefore, they must have an in-depth vetting mechanism before any vendor is onboarded to their business environment. And depending on the vendor’s level of access to PHI, organizations must include this additional variable in scope when conducting risk analysis.

While this is applicable to Covered Entities, Business Associates must also do their due diligence. Share your security posture with CEs to build trust in how you handle sensitive information, and talk about the policies and security measures you have in place.

Business Associate Agreements are legal contracts, not enforcement mechanisms to ensure that PHI is not misused. As a CE or a BA, having a neutral third-party service assess the counterpart before they are onboarded to your business environment is a best practice.

Another industry-wide best practice is to have your Business Associate Subcontractors fill out security questionnaires and have them produce evidence for system updates and security enhancements before the billing cycle begins. This ensures that security is not deprioritized and nothing slips through the cracks.

Another best practice is to have an independent and neutral lawyer or law firm assess your Business Associate Agreements to ensure that the contract is comprehensive and lists the expectations and functions of each party involved towards securing PHI.

And remember, folks, getting a solid and comprehensive Business Associate Agreement is just one part of solving the HIPAA puzzle. To always be on the right side of HIPAA compliance, ensure that you periodically conduct gap analysis and risk assessments, look for vulnerabilities in your business, and train your employees on the best security practices.

Achieve Always-on compliance with Sprinto

Doing all of these seamlessly could be a hassle, especially if you do it yourself. 

Now imagine a scenario where all those tasks are automated, and you have complete visibility of your compliance posture. Every time a vulnerability pops up, someone from your team is automatically assigned to fix it, and when the patch is not applied in time, you are alerted about it through an escalation matrix.

Employees can now participate in security training they can take from their workstations, and you don’t spend a fortune to get all of this.

What you’ve just imagined is what it feels like to work with a compliance automation expert like Sprinto. Compliance journeys with Sprinto are a breeze. Talk to us to know how we can make your HIPAA journey a breeze.


Who qualifies as a BA?

Any entity that provides services to a covered entity by entering into a legally binding contract and complies with HIPAA privacy and security rules is qualified as a business associate.

Are business associates exempt from HIPAA?

No, they are not. Business Associates and Business Associate Subcontractors are held to the same accountability standards as covered entities. That means they will be looking at the same penalties and criminal charges if found non-compliant with HIPAA.

Who needs to sign the business associate agreement?

When a covered entity onboards a vendor and access to PHI is shared with the vendor, the vendor will have to sign a business associate agreement with the covered entity. For example, a hospital onboards a cyber security vendor, and the vendor will have access to PHI. In that case, a business associate agreement is signed between the hospital and the security vendor.

Can PHI be disclosed by a business associate?

A BA may use or disclose PHI only when permitted or required by the BAA. A BA is also required to provide an electronic copy of PHI to the individual or the Covered Entity when that is needed to fulfill the Covered Entity’s obligation to honor an individual’s request for an electronic copy of their PHI.

What are business associates not permitted to do?

A BA is not allowed to use or disclose PHI in a way that would be in violation of the Privacy Rule if carried out by the Covered Entity, specifically the Minimum Necessary Standard. A BA is not permitted to use or disclose PHI unless specifically authorized or mandated by the Privacy Rule or the Enforcement Rule.

Vimal Mohan

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for every day folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise
