Business Associate Agreement
What are the Essential Elements of a Business Associate Agreement?
What is a Business Associate Agreement?
A Business Associate Agreement is a written contract required by HIPAA when a business associate performs a function or provides a service for or on behalf of a HIPAA covered entity or another business associate that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI).
The purpose of the contract is to stipulate the permitted uses of PHI by the business associate, establish when the business associate is allowed to disclose PHI to other entities, determine the responsibilities of both parties, and ensure safeguards are in place to protect the confidentiality, integrity, and availability of PHI.
The contract should also cover the applicability of the Agreement, explain the circumstances in which the contract can be terminated, and how (and when) business associates should report security incidents to the covered entity. Contracts can be – and often are – customized to meet the requirements of one or both parties.
What Essential Elements Must be Included?
- Permitted Uses of PHI
- Allowed Disclosures of PHI
- Responsibilities of Business Associate
- Responsibilities of Covered Entity
- Implementation of Safeguards
- Applicability of Contract and Definitions
- Termination of Contract
- Return or Destruction of PHI
- Notification of Security Incidents
- Miscellaneous Terms and Signatures
Miscellaneous terms can include how modifications to the contract will be agreed upon, how frequently the contract will be reviewed, or any other term required to meet the requirements of the covered entity. Representatives of both parties should sign the contract.
It should be noted that variations of the above essential elements are permitted in a Business Associate Agreement. For example, some cloud service providers automatically enter into a Business Associate Agreement when a healthcare provider subscribes to a business plan, so the contract becomes part of the service agreement (e.g., Google Workspace for Healthcare).
Variations of the above essential elements may also be attributable to state or federal laws that preempt HIPAA. For example, in Texas, a Business Associate Agreement should stipulate that deidentified PHI shared with a subcontractor for research purposes cannot be re-identified without a signed authorization from the subject(s) of the deidentified PHI.
What Optional Clauses Can be Added?
Any number of optional clauses can be added to a Business Associate Agreement in order to clarify specific essential elements or add further terms to the contract. For example, a covered entity may require a business associate to notify them of a security incident within a shorter period of time than stipulated by HIPAA.
It may also be the case that a covered entity requires a business associate to implement more stringent security measures than required by HIPAA or that – due to the nature of the function(s) being provided – the covered entity adds a clause requiring members of a business associate's workforce to undergo Privacy Rule training.
Some “one-size-fits-all” Business Associate Agreements prepared for customers of large cloud service providers include a clause releasing the business associate from responding to patient access requests and PHI amendment requests because PHI is not stored (by the business associate) in designated record sets.
Other optional clauses can cover the liability for the costs of responding to and recovering from a data breach, and can even include a requirement for a business associate to have insurance in case a data breach occurs. Effectively, a Business Associate Agreement can state anything, provided the essential elements are included.
Why Might an Agreement be Non-Compliant?
An Agreement can be non-compliant if any of the essential elements are excluded from the Agreement without an explanation. If, for example, a business associate is released from responding to patient access requests because PHI is not stored (by the business associate) in designated record sets, and the Agreement explains this, the Agreement is still compliant.
However, an Agreement would be non-compliant if it did not allow disclosures of PHI “as required by law”, if it did not require the implementation of security safeguards, or if it did not require that a business associate obtain “documented assurances” (i.e., a further Business Associate Agreement) before disclosing PHI to a subcontractor.
An Agreement can also be non-compliant if it is not periodically reviewed by the covered entity. In 2016, a covered entity that had not reviewed and updated its Business Associate Agreement for ten years was fined $400,000 by HHS' Office for Civil Rights after its business associate mislaid backup tapes containing unencrypted PHI.
One further event that can result in non-compliance is when a Business Associate Agreement from a cloud services provider only covers “in-scope” services. If a member of the workforce assumes the Agreement applies to all services and (for example) sends an email via an out-of-scope service, this would constitute a HIPAA violation.
In What Scenarios are Agreements Unnecessary?
There are many examples of covered entities requiring service providers to sign Business Associate Agreements unnecessarily because the service provider may have incidental or accidental access to PHI (e.g., environmental services, landscape services, etc.).
While many covered entities will be aware that Agreements are not necessary in these circumstances, there are some scenarios in which covered entities still spend time (and money) entering into Agreements for business arrangements that HIPAA already permits without one. These include:
- When a hospital discloses PHI to an external healthcare professional to treat a referred patient.
- When PHI is disclosed to an external laboratory when the purpose of the disclosure is to treat a patient.
- When a healthcare provider discloses PHI to a health plan to support a Part 162 transaction.
- When a “conduit” such as the U.S. Postal Service, DHL, or FedEx has access to PHI in the delivery of a service.
- When a financial institution processes a payment relating to healthcare or health insurance premiums.
- When PHI is disclosed for research purposes – either as a limited data set or with patient authorization.
Units of an Organized Health Care Arrangement (OHCA) are also not required to enter into a Business Associate Agreement with each other – for example, when covered entities who participate in the same OHCA make disclosures that relate to the joint health care activities of the OHCA or when a group health plan purchases insurance from a health insurance issuer or HMO.
Conclusion: Why are Compliant Business Associate Agreements Important?
Compliant Business Associate Agreements are important because the failure to enter into a compliant contract between a covered entity and a business associate can result in avoidable HIPAA violations, which in turn can contribute to the sanctions imposed by HHS’ Office for Civil Rights being extended in time or increased in value.
There are many examples of covered entities and business associates being required to comply with Corrective Action Plans for extended periods due to the failure to have a compliant Business Associate Agreement in place, or having the amount of a civil monetary penalty increased. In one case, a covered entity in Illinois was fined $31,000 for the failure to enter into a contract with a business associate, even though no other violation of HIPAA had occurred.
Therefore, if your organization is a HIPAA covered entity or a business associate, and you are unsure of when an Agreement is necessary, what essential elements must be included, what optional clauses can be added, or why an Agreement might be non-compliant, it is recommended you seek advice from a HIPAA compliance professional.