Business Associate Agreement: Explained

October 26th, 2020

If your organization collects, stores or processes electronic protected health information (ePHI) it will need a clear understanding of business associate agreements (BAAs). This also applies to businesses that process ePHI on behalf of other organizations.

Business Associate Agreements

Each business associate agreement stipulates how a company will share its ePHI with the respective business associate, and where the responsibilities lie. Unless your organization is a rare breed that has its own web hosting, email service, lawyers, accountants and every other aspect of its business in-house, then it needs to have these agreements in place with every provider that it shares ePHI with.

Why do you need Business Associate Agreements?

Organizations that process ePHI are governed under the HIPAA legislation. While the Act is broad, one of its main focuses is to set out how the personally identifiable information of people will be safeguarded in the healthcare industry.

Organizations need to share their ePHI with other entities, but they also need a way to make sure that the ePHI is still protected appropriately under these arrangements. BAAs fill this role. BAAs set out how each party will meet the obligations of the HIPAA Security and Privacy rules, including that the appropriate administrative, physical and technical standards are met.

Even if two hypothetical organizations were sharing ePHI and followed all of the other HIPAA requirements perfectly, they would not be HIPAA-compliant if they did not have a BAA outlining the arrangement in place. Lack of a BAA is an immediate HIPAA violation. These violations can be incredibly expensive, costing between $100 and $50,000 per record, depending on the severity of the violation.

If your organization shares ePHI with other entities, it needs to have BAAs with each of them.

When do you need a BAA?

BAAs are required if:

  • Your organization is a covered entity. Covered entities are organizations that:
    • Provide services or supplies related to physical or mental health care,
    • Furnish medical or health services, or are paid by health care services, or
    • Are health care clearinghouses, or insurance plans.
  • Your company provides services to a covered entity that involves the covered entity’s ePHI.
  • Your company provides services that involve ePHI to a business associate.

If your organization meets any of the above criteria, it will need BAAs in place with vendors whenever:

  • It creates, sends, receives, stores or processes ePHI on another entity’s behalf,
  • The services offered involve the disclosure of ePHI, or
  • The vendor will be able to access ePHI on a routine basis.

Note that your company’s employees are not considered business associates under the legislation.

Entering into a Business Associate Agreement

If your organization meets the above requirements and is a covered entity, it will need to enter into a business associate agreement with the other party. The BAA will set out how both parties cooperate, where the responsibilities lie, what the business associate is permitted to do, how it will protect the ePHI, and the steps that it will take to prevent its disclosure.

Note that this last point is critical.  An organization may not cover all uses of its services under its BAA, and thus some uses may not actually be HIPAA compliant, even with a signed BAA.  You need to carefully review the business associate agreement to be sure that your intended uses will be covered.  For more details on this thorny issue, see Quasi-HIPAA compliance.

These agreements also stipulate that business associates must give their employees adequate training on protecting ePHI. Logs of this training should be provided whenever a covered entity requests them.

The BAA also needs to describe how the business associate will report any potential breaches of ePHI. These reporting stipulations are critical, because if your business associate breaches ePHI but reports it within 10 to 15 days, your organization may still be able to meet its obligations and notify the HHS within the allotted 60 day period. Following the appropriate process can limit any potential penalties, as well as any harm to your company’s reputation.

No company is an island, so they tend to rely on the services of others. Your organization might have a BAA with its web host, which has one with its legal firm, which has one with its email provider, and so on. This leads to chains of BAAs developing, protecting the PHI from one firm to the next.

Covered entities must sign BAAs with their business associates, but there is no requirement for them to do so with the subcontractors of their business associates. Agreements with subcontractors are the responsibility of the business associate. However, all of the entities down the chain are still required to protect the data inline with the obligations of the original covered entity.

When drafting the BAA, note that state law tends to supersede federal law when it is deemed more protective to the patient. In these cases, you should follow state law.

Cloud Service Providers

The Office of Civil Rights has determined that cloud service providers are considered business associates, even if they only store encrypted data on behalf of the covered entity, and have no access to the encryption keys.

This means that before using a cloud service provider for anything related to ePHI, your organization should take the time to understand the provider’s computing environment, conduct a risk analysis, and sign a BAA that ensures the provider can meet your company’s obligations.

Are Business Associate Agreements Customizable?

Most providers offer standard agreements with little, if any, room for amendments. This is because any variations will force the provider to alter its processes to meet the new stipulations, which could add significantly to its costs. In general, providers will only be willing to alter an agreement if the changes make financial sense to them.

Does your agreement need an indemnification clause?

BAAs often include indemnification clauses that stipulate that business associates are responsible to reimburse or cover the other party for any privacy or security incidents caused by the business associate. However, these can be unnecessary, because the Omnibus Rule already makes business associates directly liable for HIPAA violations that are “their fault.”

Finding the right business associate to meet your company’s needs

A business associate agreement can be complicated, and it may be difficult to find a service provider that suits all of your organization’s requirements. But, if you are looking for a HIPAA-compliant email provider, hosting provider, or for a range of other communications services, LuxSci should tick all of the boxes.

We are HITRUST-certified HIPAA specialists that focus on security and compliance from the ground up when designing all of our services. This results in products that are effective, convenient, and easy to use, while still meeting your regulatory obligations.

You can check out our BAA to see if we align with your needs, or contact us now for more information.