Business Associate Agreement HIPAA

To ensure the privacy of sensitive health documents, the Health Insurance Portability and Accountability Act (HIPAA) was created in 1996. HIPAA protects individuals from having their protected health information (PHI) open to anyone besides their healthcare providers. However, because many covered entities cannot handle all of the processes associated with healthcare data, they may use outside companies or consultants under a business associate agreement (a subtype of an NDA, or non-disclosure agreement). HIPAA rules dictate that these business associates are still required by law to protect and keep confidential the health data they have access to. They cannot simply disclose protected health information.

What is a Business Associate?

According to the US Department of Health and Human Services (HHS), a “business associate” is any organization or entity that accesses protected health information in order to perform functions or activities on behalf of a covered entity. A business associate’s service involves access to PHI, and the functions or activities it performs range from processing health insurance claims to transcription. Other examples of business associates include CPAs that require access to protected health information to provide accounting services, consultants, pharmacy benefits managers, and other subcontractors that need to access health information to perform their functions.

It should be noted that there are some legal exceptions that do not require a business associate agreement. Healthcare entities that need PHI to treat individuals do not have to sign a business associate agreement. For example, healthcare specialists do not need a business associate agreement to receive patient referrals from a hospital. Workers who simply carry medical information (such as postal workers) do not need a HIPAA business associate agreement to do their jobs.

Every person or entity that is considered a business associate is still required to provide the necessary protection for PHI. They must have a specific, defined purpose for the health information in question, and demonstrate that they have a secure system for storing that information. Business associates are required to provide a statement declaring that they will not disclose any protected information other than what is required by law. Business associates also need a plan of action in the event of a breach in order to maintain their HIPAA compliance.

What is a Covered Entity?

Covered entities are individuals, organizations, and agencies that have access to protected health information to provide a healthcare service. These fall into three main categories:

  • Health care providers
  • Health plans
  • Health care clearinghouses

Each covered entity must fulfill the privacy requirements under HIPAA. They must disclose how PHI is being used and do everything they can to keep their data secure. When they work with a business associate of any kind, there must be a business associate agreement between the covered entity and the business associate to ensure the associate will not misuse sensitive health information.

Why is a HIPAA Business Associate Agreement Needed?

To protect an individual’s health information, HIPAA outlines appropriate protections and procedures that covered entities must follow. However, covered entities will often use subcontractors to fulfill business purposes that they are not equipped to carry out themselves. In this case, PHI must still be protected from outside parties to ensure the privacy of clients. HHS has established business associate agreements as the legal mechanism that allows business associates to fulfill their business obligations to covered entities without compromising the privacy of the PHI exchanged between the two parties.

Is it Legally Binding?

HIPAA agreements of any kind are enforced by law. By breaking the policies and procedures of a business associate agreement, the entity in question becomes subject to civil penalties under the law. HHS does not allow health information to be misappropriated and expects its Privacy Rule to be followed. A HIPAA complaint can end up costing the offending party a great deal of money.

What Should Be Included in the Agreement?

There are strict rules for what must be included within the business associate agreement itself. The focus of each agreement must be to use health information only for necessary purposes and to protect it from parties that do not need access to the information to do their jobs. A business associate agreement must contain:

  • the specifications of the information required by the business associate
  • a statement from the business associate that it will not use or disclose the information except for the agreed-upon purpose
  • a requirement that the business associate protect the health information it is privy to with appropriate safeguards
  • a requirement that the business associate report any access to the data not specified by the agreement (such as a security breach)
  • a requirement that the business associate make health information available to the individuals it pertains to (so that individuals can request copies of their medical information)
  • the extent to which the business associate’s actions will be subject to the Privacy Rule with regard to the covered entity
  • a requirement that the business associate be completely transparent with HHS itself, allowing investigation and providing information about all internal processes
  • a requirement that the business associate destroy any health information at the end of the contract (where possible)
  • a requirement that any subcontractors the business associate uses also be subject to the same rules and restrictions as the business associate
  • allowance for termination of the contract if any of the terms are broken

By including these stipulations, the agreement abides by the Privacy Rule created to safeguard individuals. Both parties must follow the rules required by the contract.

Common Mistakes

When creating the non-disclosure agreement template, it is imperative to avoid these common pitfalls in order to stay on the right side of HIPAA regulations in 2021.

Not Having an Agreement

Unfortunately, it is sometimes believed that business associates do not require a rigorous agreement like the ones required by HHS. While there are certainly exceptions to this rule, the vast majority of cases will need a proper business associate agreement, or the parties are open to prosecution.

Liability Only Applies to the Business Associate

A business associate agreement does not remove any culpability from a covered entity. Both the covered entity and the business associate are required to abide by HIPAA, and if the business associate is found to have broken the Privacy Rule, the covered entity it has a contract with may also be held responsible.

What Kind of Information is PHI?

While a patient’s name or phone number may not seem like protected health information, it certainly can be. Any information that has been considered PHI in the past needs to be safeguarded. On the other hand, the release of information to family members in critical situations (such as a drug overdose) is permitted, and in certain situations required.

What Are the Financial Penalties for HIPAA Violations?

An individual or entity that breaks HIPAA will be required to pay hefty fines. North Memorial Health Care was recently fined $1.55 million for not having a business associate agreement. The HHS Office for Civil Rights (OCR) takes each HIPAA case very seriously and will prosecute any wrongdoing it finds. In addition, future clients may decide to go with companies that have not breached HIPAA privacy, causing a loss of potential profit.


Filling Out the Business Associate (HIPAA) Agreement

Creating an accurate business associate agreement (BAA) is necessary to be HIPAA compliant. To fill out a BAA correctly, these steps must be followed:

Designate Parties

The covered entity must first name itself within the contract, as well as the business associate. All terms must be properly defined to avoid any confusion.

Assign Obligations and Activities of Business Associate

Exactly what the business associate is required to do with the health data must be clearly defined. This includes the requirements listed above. The business associate must provide satisfactory assurances that health information will be protected, and must provide breach notification to the covered entity when data has been compromised.

Permitted Uses and Disclosures

The exact use of data within the relationship between the covered entity and the business associate must be laid out. This includes any special use or disclosure of PHI that is not included in a basic BAA.

Permissible Requests

The permissible requests from the covered entity must also be outlined within the document. This helps protect the business associate from being subject to unreasonable requests that would conflict with other HIPAA rules.

Set Terms for Termination

The document needs a clause that specifies when the business associate agreement will be terminated. This can be after a set period of time, once a specific task is completed, or upon breach of the agreed-upon terms.

General Provisions

Lastly, the business associate and the covered entity must agree to amend the document only in writing, with signatures from both parties. Any other provisions must be decided upon as well.

Published: Jul 20, 2022