July 12th, 2018

HIPAA Business Associate Agreement: Do I Need One?

A business associate (BA) is an individual or an entity that could come in contact with protected health information (PHI) by providing services to or performing activities on behalf of covered entities. Your employee is not a business associate, but your web host, email encryption service, billing company and lawyers could be, and these are just four examples. BAs of BAs (BAs contracting with your vendors) further extend the chain.

Not all entities that access PHI must be business associates. For instance, the cleaning company that disposes of trash from your office does not qualify as a business associate, even though the cleaning crew could come in contact with identifying patient information in dustbins or lying on fax machines or desks (though if they do, your employees did not manage the PHI properly). However, it is important to have a clear reporting mechanism in place so that cleaning company workers can alert a point person in your office when they come across PHI.

Business associate agreement: do I need one?

The Omnibus Rule provides multiple categories of business associates, including health information organizations (HIOs) and anyone offering personal health records to individuals on behalf of covered entities. It also covers a variety of service categories, such as data aggregation, accreditation, actuarial and administrative services dispensed to a covered entity, provided such services involve the disclosure of patient health information. Use this link for more information on business associates.

Entering into a business associate agreement (BAA)

The HIPAA Privacy Rule mandates a business associate agreement setting out what BAs will and will not be permitted to do with the PHI that they can access, how they will protect PHI, how they will prevent PHI disclosure beyond what is allowable in the contract, and how and when they will report breaches of PHI. If you’re the covered entity in question, you will need to sign a BAA with your business associate but not with the associate’s subcontractors; your business associate must enter into a BAA with the hosting provider, offsite shredding firm or any other subcontractor they engage. Your single BAA with a particular provider will likely involve many companies down the line who all have access to and must protect your PHI.

Every entity in the chain is contractually and legally obligated to protect patient health information and administer it appropriately in alignment with the obligations required of the covered entity at the top of the chain.

When is a BAA required?

 You need a BAA if:

  • You are a “covered entity,” i.e., (a) you provide services or supplies related to the physical or mental health care of an individual, or (b) you furnish medical or health services and/or you bill or are paid for health care services, or (c) you are a health care clearinghouse or insurance plan.
  • You are a company providing services to a covered entity that involve the covered entity’s PHI
  • You are a company providing services to a BA that involve PHI

A business associate agreement with a vendor is required in those situations in the following cases:

  • Your vendor creates, sends, receives or stores PHI.
  • Your vendor offers services that involve disclosure of PHI to that vendor.
  • Your vendor will be able to access PHI on a routine basis; in the vendor’s control, PHI could be compromised (e.g., a document shredding company).

Why is a BAA required?

HIPAA compliance would be incomplete without a business associate agreement. There needs to be a mutual understanding between covered entities, BAs and subcontractors about the risks of a PHI breach and the responsibilities that each of them must fulfill under the administrative, physical and technical standards codified in the HIPAA Security Rule as well as certain standards set forth in the Privacy Rule. Covered entities have the right to ask BAs for a copy of their HIPAA procedures and policies, and BAs should make these available.

The business associate agreement necessitates adequate training on PHI protection for the business associates’ employees. When requested, BAs should provide covered entities with employee training logs.

Failure to enter into a business associate agreement with a contractor is a gross violation of the HIPAA Privacy and Security Rules. And HIPAA violations can come at a big price! You can stem losses to finances and reputation arising from an unfortunate breach by ensuring – through the BAA – that your business associate reports suspected breaches within 10-15 days of discovering the incident so you can take appropriate measures and meet your obligation of notifying the HHS about the breach within the stipulated 60 days.

Two key considerations

When developing and negotiating the business associate agreement, ensure that the terms are consistent with your obligations to your customers. The terms that are most likely to have an impact on covered entities, BAs and subcontractors include breach notification and mitigation, indemnification and cooperation, so it makes sense to pay particular attention to these terms.

The BAA should ensure that state law supersedes federal law when it is determined that the state law is more protective of the patient. As a general standard, state laws preempt federal law if state laws are seen as more stringent.


Cloud providers as business associates

A business associate agreement is required for cloud services that could be transmitting or storing PHI on behalf of healthcare providers. Despite the fact that cloud service providers (CSPs) such as Dropbox and Amazon Web Services may not even be aware that they could be maintaining PHI within their customers’ stored data, and that they have no access to this data, the Office for Civil Rights has determined that even when CSPs store only encrypted electronic PHI, their lack of a decryption key does not exempt them from BA status.

Healthcare organizations should understand a CSP’s computing environment to conduct an appropriate risk analysis and set suitable risk management rules. They should also review their use of CSPs and create business agreements aligned to the way the provider interacts with ePHI.
