A Business Associate Agreement (BAA) is a legally binding contract between healthcare providers and entities that access, transmit, or store Protected Health Information (PHI) as part of the provided services. Also known as a Business Associate Contract, it is an integral component of any organization’s efforts to be HIPAA-compliant.
The scale and complexity of the modern healthcare industry mean that PHI can be found in more places than just a doctor’s office. Third parties are often responsible for protected data, such as physical copies of x-rays kept in offsite facilities, insurance information used by outside billing companies, health information sent via providers by mail or electronically, and prescription information stored on servers or in the cloud.
Who needs a Business Associate Agreement (BAA)?
HIPAA defines how Covered Entities (CEs) and Business Associates (BAs) must handle PHI to prevent breaches, leaks, and losses of healthcare data. If organizations fall into those definitions, they have to sign BAAs with their partners and subcontractors to ensure the security of healthcare data. If you’re unsure whether your organization is a covered entity, it’s best to assume that you must comply with HIPAA requirements and that the information you handle is PHI until you know otherwise.
If a third party may access PHI in the normal course of their assigned work, they are defined as a BA and must sign a BAA. Direct employees of an organization do not need to sign the BAA because they are part of the organization and are not considered business associates per se. However, they are still subject to HIPAA laws, and employers are responsible for educating employees on how to maintain the integrity and security of PHI.
Who are Covered Entities?
Covered Entities fall into three categories: health plans, healthcare clearinghouses, or healthcare providers.
Health plans include insurance companies, HMOs, government, and employer health plans.
Healthcare clearinghouses are companies that process non-standard healthcare information into a standardized format and transmit it to other organizations. They usually sit between providers and plans.
Healthcare providers are doctors’ offices, psychologists, physical therapists, family physicians, etc., who submit or transmit any health information for transactions with HHS standards.
Healthcare includes services, care, or supplies related to an individual’s health.
Hybrid entities such as universities with hospitals and academic medical centers that process electronic transactions for which HHS has established standards.
Businesses can use this HHS decision tool to determine if they fall under the definitions of CEs or BAs and, therefore, must comply with HIPAA.
Who are Business Associates?
A Business Associate is an organization hired by a Covered Entity to create, receive, use, store, maintain, or transmit PHI in any way. BAs typically do not come into direct contact with patients but often handle large amounts of health data. Some examples of BAs include:
Translator services
Shredding services
File sharing vendors
Accounting or consulting firms
IT vendors
Cloud vendors
Consultants hired to conduct audits, perform coding reviews, etc.
Lawyers
Medical equipment service companies handling equipment that holds PHI
It’s important to note that business associates must only use PHI provided by covered entities only to help them carry out their healthcare functions. BAs cannot use PHI for their independent use or purposes, such as marketing campaigns or business activities unrelated to their CE.
Who are Business Associate Subcontractors?
HIPAA refers to a Business Associate Subcontractor (BAS) as an entity to which BAs delegate functions, services, or activities. When covered entities delegate services to business associates, BAs can then contract the work out to a subcontractor. Business associates must have a separate Business Associates Subcontractor Agreement for any work they assign to others, but exceptions exist.
For example, contractors who work exclusively for one company, employees hired through a business, and individuals with other clients are not BAs. However, if any of these entities cause a PHI breach, the contracting company will still be responsible.
What is a Business Associate Agreement?
HIPAA requires covered entities to only work with business associates who can ensure the security and integrity of PHI. These pledges must be in the form of a legal contract or other agreement between a CE and a BA setting out the responsibilities of each party concerning PHI.
BAA contains information about the permitted and prohibited uses of PHI between two HIPAA-compliant organizations. Contracts should require BAs to implement appropriate administrative, technical and physical safeguards under the HIPAA Security Rule to ensure the integrity, availability, and confidentiality of ePHI. BAAs can also describe the relationship between a CE and a BA, as well as two BAs.
Establishing a BAA is in the best interest of the affected companies and their business partners, as both parties must protect PHI. A HIPAA BAA is the best way to protect your organization or practice should either counterparty violate it. BAA under HIPAA Security Rule should include the following clauses at the very least:
Determine what PHI the BA will access
Require that the BA will use appropriate safeguards to secure PHI
Provide that the BA will not disclose PHI save when permitted by the agreement
Require and log proper HIPAA Training for employees
Determine procedures in the event of a data breach
Contain subcontractor compliance
Outline provisions for the termination of the agreement
Describe the process of destruction or return of PHI
Business associates should be made aware of the consequences of not complying with HIPAA requirements. Regulators can fine BAs directly for HIPAA violations. Therefore it’s vital to ensure that a BAAs covers all aspects of the working relationship under HIPAA rules and regulations before signing.
What happens when a Business Associate Agreement is violated?
BAAs help ensure HIPAA compliance and create a liability bond between contracting entities. If one party discloses PHI in violation of the BAA, the other party will have legal recourse. If there is no BAA, it is incomplete, or if the agreement is seriously violated, both entities can find themselves in the crosshairs of the Department of Health and Human Services, the Office of Civil Rights, and even the Department of Justice.
Unlike most contracts, a HIPAA BAA does not necessarily protect covered entities from fines for PHI violations. Suppose a CE does not receive assurances that a business associate can operate within a HIPAA-compliant framework before entering into a contract, and a subsequent PHI violation occurs. In that case, the covered entity may be liable for the breach. CEs should perform thorough due diligence before entering into a BAA to minimize the chances of being found guilty if their contracted BA violates the agreement or HIPAA in any way.
If someone without authorization accesses PHI in a business associate’s custody, then the BA must notify the covered entity of the breach and may be required to notify individuals whose PHI has been compromised. The schedule and responsibilities for notification in case of a violation should be detailed in the BAA. While it sounds reasonable to have a short window of opportunity to report a breach, BAs may not be aware of the violation for days after the incident.
Conclusion
As the cyber threat landscape evolves and the privacy and security of data concerning patients become more critical, healthcare organizations are increasingly turning to third parties to manage large amounts of PHI. A comprehensive BAA is essential to compliance, security, and privacy for any individual, company, or other organization with PHI that comes from a covered entity. It describes the relationship between the parties and protects them in the event of a violation.
HIPAA has significant implications for Covered Entities and Business Associates, but by staying compliant with software security standards, healthcare providers can reduce internal and external threats to their PHI. However, lack of encryption, insecure communication channels, and inconsistent access controls are common problems with medical software. Even something as trivial as a push notification can result in a HIPAA violation, and developing secure and HIPAA-compliant software is always a challenge.
At Itirra, we know how to create secure software for healthcare businesses that need it. Our team has extensive experience building comprehensive healthcare solutions. Contact us today to learn how to achieve and maintain HIPAA compliance while developing software for your business.