Business Associate Agreement

A HIPAA Business Associate Agreement (BAA) is a legally mandated contract that establishes the responsibilities and requirements for protecting the confidentiality, integrity, and availability of protected health information (PHI) when a HIPAA-covered entity (such as hospitals, doctors, health insurers, and other healthcare providers) engages the services of a business associate (an external company or individual). This external party may come into contact with or manage PHI on behalf of the covered entity. Examples of business associates can range from electronic health record providers and third-party billing companies to IT service providers and cloud storage vendors. The BAA outlines the specific security and privacy provisions that the business associate must uphold to be compliant with the Health Insurance Portability and Accountability Act (HIPAA) regulations. It also defines the consequences and potential penalties for breaches or unauthorized disclosures of PHI.

This agreement is essential to ensure both entities are aligned in their commitment to protect patient information and to delineate their respective roles and responsibilities in the case of a data breach or other security incident. This article covers the following topics on the content of a Business Associate Agreement.

What are the Essential Elements of a Business Associate Agreement?

The essential elements of a Business Associate Agreement can be located throughout the HIPAA Administrative Simplification Regulations. However, because the relevant text can be found in several different sections, because optional clauses can be added to an Agreement, and because there are many scenarios in which Agreements are not required, there is plenty of potential for Business Associate Agreements to be non-compliant or unnecessary.

What is a Business Associate Agreement?

A Business Associate Agreement is a written contract required by HIPAA when a business associate performs a function or provides a service for or on behalf of a HIPAA covered entity or another business associate that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI).

The purpose of the contract is to stipulate the permitted uses of PHI by the business associate, establish when the business associate is allowed to disclose PHI to other entities, determine the responsibilities of both parties, and ensure safeguards are in place to protect the confidentiality, integrity, and availability of PHI.

The contract should also cover the applicability of the Agreement, explain the circumstances in which the contract can be terminated, and how (and when) business associates should report security incidents to the covered entity. Contracts can be – and often are – customized to meet the requirements of one or both parties.

What Essential Elements Must be Included?

Subject to state contract law, the essential elements of a Business Associate Agreement (not necessarily in order) are:

Permitted Uses of PHI

The permitted uses of PHI should align with the function(s) being performed or service(s) being provided by the business associate. While it is possible to list each function or service in the Business Associate Agreement, it is more common to refer to a separate Service Agreement.

Allowed Disclosures of PHI

Allowed disclosures of PHI include disclosures to subcontractors (subject to a further Business Associate Agreement), to HHS’ Office for Civil Rights when required, for internal management and administration purposes, and when required by state or federal law.

Responsibilities of Business Associate

Business associates must support compliance with the patients’ rights provisions of the Privacy Rule. This means business associates may have to respond to patients’ requests to access or amend PHI, or provide an accounting of disclosures.

Responsibilities of Covered Entity

Covered entities must alert business associates to any provisions of their Notices of Privacy Practices that apply to the function(s) or service(s) being provided, and to any patient requests to restrict disclosures of PHI or withdraw an authorization.

Implementation of Safeguards

Business associates must be required to implement safeguards against unauthorized uses or disclosures of PHI. This not only means implementing Security Rule safeguards, but also any safeguards identified as necessary in a risk analysis.

Applicability of Contract and Definitions

Most contracts start with an introduction in which the names of the parties are entered, the date of the Agreement is entered, and the purpose of the Agreement is established. This section is usually accompanied with – or followed by – a list of definitions.

Termination of Contract

In most cases, a Business Associate Agreement states the contract will be terminated in the event of a violation unless the violation is remedied within a specified number of days. The non-violating party also has the right to report the violation to HHS.

Return or Destruction of PHI

Regardless of whether a contract terminates because of a violation or because a service is no longer provided, the Business Associate Agreement must require the business associate and any subcontractors to return or destroy PHI in their possession where feasible. Where return or destruction is not feasible, the Agreement must require the protections of the contract to be extended to that PHI and its further uses and disclosures limited to the purposes that make return or destruction infeasible.

Notification of Security Incidents

All Business Associate Agreements must require the business associate to notify the covered entity of any security incident – successful or unsuccessful – even if the incident does not result in the disclosure of unsecured PHI.

Miscellaneous Terms and Signatures

Miscellaneous terms can include how modifications to the contract will be agreed upon, how frequently the contract will be reviewed, or any other term required to meet the requirements of the covered entity. Representatives of both parties should sign the contract.

It should be noted that variations of the above essential elements are permitted in a Business Associate Agreement. For example, some cloud service providers automatically enter into a Business Associate Agreement when a healthcare provider subscribes to a business plan, and therefore the contract becomes part of the service agreement (e.g., Google Workspace for Healthcare).

Variations of the above essential elements may also be attributable to state or federal laws that are more stringent than HIPAA (and are therefore not preempted by it). For example, in Texas, a Business Associate Agreement should stipulate that deidentified PHI shared with a subcontractor for research purposes cannot be re-identified without a signed authorization from the subject(s) of the deidentified PHI.

What Optional Clauses Can be Added?

Any number of optional clauses can be added to a Business Associate Agreement in order to clarify specific essential elements or add further terms to the contract. For example, a covered entity may require a business associate to notify them of a security incident within a shorter period of time than stipulated by HIPAA.

It may also be the case that a covered entity requires a business associate to implement more stringent security measures than required by HIPAA or that – due to the nature of the function(s) being provided – the covered entity adds a clause requiring members of a business associate’s workforce to undergo Privacy Rule training.

Some “one-size-fits-all” Business Associate Agreements prepared for customers of large cloud service providers include a clause releasing the business associate from responding to patient access requests and PHI amendment requests because PHI is not stored (by the business associate) in designated record sets.

Other optional clauses can cover the liability for the costs of responding to and recovering from a data breach, and can even include a requirement for a business associate to have insurance in case a data breach occurs. Effectively, a Business Associate Agreement can state anything, provided the essential elements are included.

Why Might an Agreement be Non-Compliant?

An Agreement can be non-compliant if any of the essential elements are excluded from the Agreement without an explanation. By contrast, if a business associate is released from responding to patient access requests because PHI is not stored (by the business associate) in designated record sets, the Agreement is still compliant, because the omission is explained.

However, an Agreement would be non-compliant if it did not allow disclosures of PHI “as required by law”, if it did not require the implementation of security safeguards, or if it did not require that a business associate obtain “satisfactory assurances” (i.e., documented in a further Business Associate Agreement) before disclosing PHI to a subcontractor.

An Agreement can also be non-compliant if it is not periodically reviewed by the covered entity. In 2016, a covered entity who had not reviewed and updated their Business Associate Agreement for ten years was fined $400,000 by HHS’ Office for Civil Rights after their business associate mislaid backup tapes containing unencrypted PHI.

One further source of non-compliance is a Business Associate Agreement from a cloud services provider that only covers “in-scope” services. If a member of the workforce assumes the Agreement applies to all of the provider’s services and (for example) sends PHI via an out-of-scope email service, the PHI has been disclosed to a vendor with no Agreement in place, which constitutes a HIPAA violation.

In What Scenarios are Agreements Unnecessary?

There are many examples of covered entities unnecessarily requiring service providers to sign Business Associate Agreements because the service provider may have incidental or accidental access to PHI (e.g., environmental services, landscape services, etc.).

While many covered entities will be aware that Agreements are not necessary in these circumstances, there are some scenarios in which covered entities still spend time (and money) entering into Agreements for disclosures that HIPAA already permits without one. These include:

  • When a hospital discloses PHI to an external healthcare professional to treat a referred patient.
  • When PHI is disclosed to an external laboratory when the purpose of the disclosure is to treat a patient.
  • When a healthcare provider discloses PHI to a health plan to support a Part 162 transaction.
  • When a “conduit” such as the U.S. Postal Service, DHL, or FedEx has access to PHI in the delivery of a service.
  • When a financial institution processes a payment relating to healthcare or health insurance premiums.
  • When PHI is disclosed for research purposes – either as a limited data set or with patient authorization.

Participants in an Organized Health Care Arrangement (OHCA) are also not required to enter into a Business Associate Agreement with each other when covered entities in the same OHCA make disclosures that relate to the joint health care activities of the OHCA. Similarly, a group health plan is not required to enter into an Agreement with the health insurance issuer or HMO from which it purchases insurance.

Conclusion: Why are Compliant Business Associate Agreements Important?

Compliant Business Associate Agreements are important because the failure to enter into a compliant contract between a covered entity and a business associate can result in avoidable HIPAA violations, which in turn can contribute to the sanctions imposed by HHS’ Office for Civil Rights being extended in time or increased in value.

There are many examples of covered entities and business associates being required to comply with Corrective Action Plans for extended periods due to the failure to have a compliant Business Associate Agreement in place, or having the amount of a civil monetary penalty increased. In one case, a covered entity in Illinois was fined $31,000 for the failure to enter into a contract with a business associate, even though no other violation of HIPAA had occurred.

Therefore, if your organization is a HIPAA covered entity or a business associate, and you are unsure of when an Agreement is necessary, what essential elements must be included, what optional clauses can be added, or why an Agreement might be non-compliant, it is recommended you seek advice from a HIPAA compliance professional.
