HIPAA Business Associate Agreement – Complete Guide

Vimal Mohan


Mar 17, 2023

HIPAA Business Associate Agreement

HIPAA requires all covered entities to protect the integrity and confidentiality of patient information. Given the rapidly evolving global cyber threat landscape, it is virtually impossible for covered entities to avoid relying on third-party service providers to secure PHI (Protected Health Information) in a manner that is easy, efficient, and scalable.

When covered entities share access to PHI with third parties, how can they ensure that the third-party service provider upholds the same level of integrity, confidentiality, and security towards PHI as they do? The answer: Business Associate Agreements (BAAs).

This article is for you if you get access to PHI when working with covered entities. Here you will gain insight into how BAAs work and how to protect your organization from the ramifications of HIPAA non-compliance. We will also cover BAA exceptions, how a BAA supports HIPAA compliance, and what happens when a BAA is breached.

Towards the end of the article, we’ve also included a sample HIPAA Business Associate Agreement for you to download for reference.

Who is a Business Associate?

According to the United States Department of Health and Human Services (HHS), “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

A member of the covered entity’s workforce is not a business associate. A covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity.”


The HIPAA Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a Business Associate if the activity or service involves the use or disclosure of protected health information. The functions or activities that may make a person or entity a business associate include payment or healthcare operations and other functions or activities regulated by the Administrative Simplification Rules.

In simpler terms, a HIPAA Business Associate (BA) is any third-party service provider engaged by covered entities with access to patient data or PHI.



What is a HIPAA Business Associate Agreement?

A Business Associate Agreement (BAA) is a legal contract or written agreement signed between a covered entity and a Business Associate. It is also used between a Business Associate and a Business Associate Subcontractor to specify each party’s obligations to protect and secure PHI.

HIPAA mandates covered entities to only work with accountable business associates with whom they have signed agreements towards protecting PHI.

HHS audits Covered Entities, Business Associates, and Business Associates’ Subcontractors for HIPAA compliance. So, if your organization shares PHI with any other organization, it’s best to have Business Associate Agreements in place to ensure that the shared responsibility of protecting PHI is legally documented.

What is a BAA for Covered Entities?

A BAA should include the following:

  • It should describe in detail the activities the Business Associate or Business Associate Subcontractor may perform with the PHI shared with them.
  • It should list the security methods and protocols required of Business Associates and Business Associate Subcontractors to ensure that the integrity, security, and confidentiality of PHI are not violated.
  • It should prohibit Business Associates and Business Associate Subcontractors from using PHI beyond what is permitted by the covered entity and by law.

When a covered entity becomes aware of a breach or a violation of the agreement by the BA or BAS, the covered entity must take measures to cure the breach or violation. If those measures are unsuccessful, the covered entity must terminate the Business Associate Agreement immediately. Where terminating the contract is not feasible, the covered entity must report the breach or agreement violation by the BA/BAS to HHS or the OCR (Office for Civil Rights).

If you are a vendor working with a covered entity, it is best to constantly monitor your information security systems and look for potential vulnerabilities. In instances where you are convinced that a breach has occurred, inform the covered entity immediately.

HIPAA transition provisions for existing BAA contracts

According to HHS: “Covered entities (other than small health plans) that have an existing contract (or other written agreement) with a business associate before October 15, 2002, are permitted to continue to operate under that contract for up to one additional year beyond the April 14, 2003 compliance date, provided that the contract is not renewed or modified prior to April 14, 2003.

This transition period applies only to written contracts or other written arrangements. Oral contracts or other arrangements are not eligible for the transition period. Covered entities with contracts that qualify are permitted to continue to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner, regardless of whether the contract meets the Rule’s applicable contract requirements at 45 CFR 164.502(e) and 164.504(e).”

What is the Difference Between BAA and BASA?

A Business Associate Subcontractor is an entity or person to whom a Business Associate delegates services or work and shares access to PHI.

Examples of Business Associate Subcontractors are:

  • Accounting services
  • Law firms
  • Backup and disaster management services
  • Email encryption services
  • Shredding services

The primary difference between a BAA and a Business Associate Subcontractor Agreement (BASA) is that a BAA is a contract between a covered entity and a Business Associate, while a BASA is between a Business Associate and a Business Associate Subcontractor.

A Business Associate Subcontractor Agreement ensures that when a Business Associate shares PHI with a Business Associate Subcontractor, the same standards for protecting PHI are upheld.

What exceptions are provided by HIPAA to the BAA standards?

There are exceptions where no agreement, written or oral, is required between a Covered Entity and its Business Associates. These exceptions are listed in the HIPAA Privacy Rule.

The exceptions are:

  • Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan, provided that the group health plan’s documents have been amended to limit the disclosures or one of the exceptions at 45 CFR 164.504(f) has been met.
  • When PHI is disclosed by a Covered Entity to a healthcare professional for treating an individual. For example, a hospital does not need to sign a Business Associate Agreement with a doctor when it refers a patient to a specialist for medical care and, in the process, shares the patient’s medical history.
    Likewise, a hospital laboratory is exempt from having a BAA when sending patient information securely to another reference hospital laboratory.
  • When the collection of medical information is authorized by law. For example, collecting medical data for Medicare (a public benefit program).


What happens if the Business Associate or Business Associate Subcontractor fails to secure the patient’s information?

“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”

When a Business Associate or a Business Associate Subcontractor violates the agreement, they violate HIPAA laws and regulations. Therefore, they are subject to the same penalties and face the same ramifications that are applied to Covered Entities.

As discussed earlier, whenever a Covered Entity becomes aware that a BA or BAS is violating the terms of the agreement, it must implement measures to cure the violation. If those corrective measures do not yield satisfactory results, it must immediately terminate the agreement and, if required, report the BA, the BAS, or both to HHS and the OCR.

From where can you download the Business associate agreement?

You can download a sample Business Associate Agreement from the official website of the HHS. We’ve included the link to the page here. However, it does take some looking into.

Alternatively, you can download our free Business Associate Agreement Template here.

Is the Business Associate Agreement Fool-Proof?

Organizations must understand that the HIPAA Business Associate Agreement is a legal agreement rather than a foolproof mechanism to ensure the security and confidentiality of PHI. Therefore, they must have an in-depth vetting process before any vendor is onboarded into their business environment. And depending on the vendor’s level of access to PHI, organizations must include this additional variable in scope when conducting risk assessments.

While this applies to Covered Entities, Business Associates must also do their due diligence. Share your security posture with CEs to build trust in how you handle sensitive information, and describe the policies and security measures you have in place.

Business Associate Agreements are legal contracts, not enforcement mechanisms that ensure PHI is not misused. As a CE or a BA, having a neutral third party assess your counterpart before they are onboarded into your business environment is a best practice.

Another industry-wide best practice is to have your Business Associate Subcontractors fill out security questionnaires and have them produce evidence for system updates and security enhancements before the billing cycle begins. This ensures that security is not deprioritized and nothing slips through the cracks.

Another best practice is to have an independent and neutral lawyer or law firm assess your Business Associate Agreements to ensure that the contract is comprehensive and lists the expectations and functions of each party involved towards securing PHI. 

And remember, folks, getting a solid and comprehensive Business Associate Agreement is just one part of solving the HIPAA puzzle. To stay on the right side of HIPAA compliance, periodically conduct gap analyses and risk assessments, look for vulnerabilities in your business, and train your employees in security best practices.

Achieve Always-on compliance with Sprinto

Doing all of this seamlessly can be a hassle, especially if you do it yourself.

Now imagine a scenario where all those tasks are automated and you have complete visibility of your compliance posture. Every time a vulnerability pops up, someone from your team is automatically assigned to fix it, and when the patch is not applied in time, you are alerted through an escalation matrix.

Employees can now participate in security training they can take from their workstations, and you don’t spend a fortune to get all of this.

What you’ve just imagined is what it feels like to work with a compliance automation expert like Sprinto. Talk to us to learn how we can make your HIPAA journey a breeze.


Are business associates exempt from HIPAA?

No, they are not. Business Associates and Business Associate Subcontractors are held to the same accountability standards as covered entities. That means they will be looking at the same penalties and criminal charges if found non-compliant with HIPAA.

Who needs to sign the business associate agreement?

When a covered entity onboards a vendor and shares access to PHI with that vendor, the vendor must sign a business associate agreement with the covered entity. For example, if a hospital onboards a cybersecurity vendor that will have access to PHI, a business associate agreement is signed between the hospital and the security vendor.

Can PHI be disclosed by a business associate?

A BA may use or disclose PHI only when permitted or required by the BAA. A BA is also required to provide the individual or the Covered Entity with an electronic copy of PHI where needed for the Covered Entity to fulfill an individual’s request for an electronic copy of their PHI.

What are business associates not permitted to do?

A BA is not allowed to use or disclose PHI in a way that would be in violation of the Privacy Rule if carried out by the Covered Entity, specifically the Minimum Necessary Standard. A BA is not permitted to use or disclose PHI unless specifically authorized or mandated by the Privacy Rule or the Enforcement Rule.


Vimal Mohan

Vimal aims to make the compliance universe simple to understand for everyday folks. You can also find him in MMA Dojos, Cycling routes, and intense treks!
