To ensure the privacy of sensitive health documents, the Health Insurance Portability and Accountability Act was created in 1996. HIPAA protects individuals from having their protected health information open to anyone besides their healthcare providers. However, because many covered entities cannot handle all of the associated processes when it comes to healthcare data, they may use outside companies or consultants in a business associate agreement (the subtype of a nda agreement). HIPAA rules dictate that these business associates are required by law to still protect and hide the health data that they have access to. They cannot simply disclose protected health information.
According to the US Department of Health and Human Services (HHS), a “business associate” is any organization or entity that accesses protected health information to provide functions or activities to a covered entity. A business associate’s service involves access to PHI and performs functions or activities ranging from processing health insurance claims to transcription. Other examples of business associates can include CPAs that require access to protected healthcare information to provide accounting services, consultants, benefits managers at pharmacies, or other subcontractors that need to access health information to perform their functions.
It should be noted that there are some legal exceptions that do not require a business associate agreement. Healthcare entities that need PHI to treat individuals do not have to sign a business associate agreement. For example, healthcare specialists do not need a business associate agreement to be referred to patients from a hospital. Workers who simply carry medical information (such as postal workers) do not need a business associate HIPAA agreement to do their jobs.
Every person or entity that is considered a business associate is required to still provide the necessary protection when it comes to PHI. They must have a specific, defined purpose for the health information in question, and prove that they have a secure system to store that information. Business associates are required to provide a statement declaring that they will not disclose any protected information, other than what is required by the law. Also, business associates need a plan of action in the event of a breach to maintain their HIPAA compliance.
Covered entities are individuals, organizations, and agencies that have access to protected health information to provide a healthcare service. These fall into three main categories:
Each covered entity must fulfill the privacy requirements under HIPAA. They must disclose how PHI is being used, and do everything they can to keep their data secure. When they coordinate with a business associate of some kind, there must be a business associate agreement between the covered entities and the business associates to ensure the associate will not use sensitive health information incorrectly.
To protect the health information of an individual, HIPAA outlines appropriate protections and procedures that must be taken by covered entities. However, covered entities will often use subcontractors to fulfill business purposes that they are not equipped to carry out. In this case, PHI must still be protected from outside forces to ensure the privacy of clients. HHS has set business associate agreements in place as a legal way to allow business associates to fulfill their business obligations to the covered entities without compromising the privacy of PHI being exchanged between the two parties.
HIPAA agreements of any kind are enforced by the law. By breaking the policies and procedures of a business associate agreement, the entity in question will be subject to civil penalties under the law. HHS does not allow health information to be misappropriated and expects its firm privacy rule to be followed. A HIPAA compliant can end up costing the offending party big money.
There are strict rules for what must be included within the business associate agreement itself. The focus of each agreement must be to only use health information for necessary purposes and to protect it from parties that do not need access to the information to fulfill their jobs. A business associate agreement must contain:
By including these stipulations, the agreement is meant to abide by the Privacy Rule created to safeguard individuals. Both parties must follow the rules required by the contract.
When creating the non disclosure agreement template, it is imperative to avoid these common pitfalls to stay on the good side of HIPAA regulations in 2021.
Unfortunately, it is occasionally believed that business associates do not require a rigorous agreement like the ones required by HHS. While there are certainly exceptions to this rule, the vast majority of cases will need a proper business associate agreement or they are open to prosecution.
A business associate agreement does not remove any culpability from a covered entity. Both the covered entity and the business associate are required to abide by HIPAA, and if the business associate is found to have broken the privacy rule, the covered entity they have a contract with may also be held responsible.
While a patient’s name or phone number may not seem like protected health information, it certainly can be. Any information that has been considered PHI in the past needs to be safeguarded. On the other hand, the release of information in critical situations (like a drug overdose) to family members is permitted and required in certain situations.
An individual or entity that breaks HIPAA will be required to pay hefty fines. North Memorial Health Care was recently fined $1.55 million for not having a business associate agreement. The HHS Office for Civil Rights (OCR) takes each HIPAA case very seriously and will prosecute any wrongdoing it may find. In addition, future clients may decide to go with companies that have not breached HIPAA privacy, causing a loss of potential profit.
Creating an accurate BAA is necessary to be HIPAA compliant. To fill out a BAA correctly, these steps must be followed:
The covered entity must first name themselves within the contract, as well as the business associate. All terms must be properly defined to avoid any confusion.
Assign Obligations and Activities of Business Associate
Exactly what the business associate is required to do with the health data must be clearly defined. This includes the requirements listed above. They must provide satisfactory assurances that health information will be protected, and provide breach notification to the covered entity when data has been compromised.
Permitted Uses and Disclosures
The exact use of data within the relationship between the covered entity and the business associate must be laid out. This includes any special use or disclosure of PHI that is not included in a basic BAA.
Also outlined within the document must be the permissible requests from the covered entity. This helps protect the business associate from being subject to unreasonable requests that will conflict with other HIPAA rules.
Set Terms for Termination
The document needs to have a clause that specifies when the business associate agreement will be terminated. This can be a period of time, until a specific task is completed, or upon breach of the terms agreed upon.
Lastly, the business associate and the covered entity must agree to only amend the document in writing with signatures from both parties. Any other provisions must be decided upon as well.