If you work in the health care field, in any capacity, you have surely heard of the Health Insurance Portability and Accountability Act, or “HIPAA”; and if you or your business create, use, disclose or accept protected health information (“PHI”), you are likely a covered entity or a business associate under the law, and subject to some strict requirements. One of those requirements, which is sometimes overlooked or not given the attention it deserves, is the requirement for a business associate agreement, or “BAA.” The importance of a well-drafted BAA cannot be overstated.
BAAs deserve attention for two reasons: first, HIPAA requires them; and second, the Office for Civil Rights (“OCR”) in the Department of Health and Human Services conducts periodic comprehensive and desk audits based on audit protocols that include assessments of compliance with BAA-related requirements.
The Business Associate Agreement
HIPAA requires covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard PHI and electronic PHI (“ePHI”), and those assurances must be documented in a written contract that meets certain requirements – the BAA.
The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the business associate, based on the relationship and the activities or services performed by the business associate.
According to HIPAA, the BAA must:
1. establish the permitted and required uses and disclosures of PHI by the business associate;
2. provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
3. require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to ePHI;
4. require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
5. require the business associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI;
6. require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
7. at termination of the contract, if feasible, require the business associate to return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity; and
8. require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
9. authorize termination of the BAA by the covered entity if the business associate violates a material term of the contract.
Both covered entities and business associates are directly liable under HIPAA for their noncompliance and the failure to protect PHI, including civil and, in some cases, criminal penalties. However, a failure to comply will likely have additional negative impacts. The covered entity’s and business associate’s reputation; patients’, plan members’, customers’, and clients’ trust; and operational costs are all negatively affected by a failure to comply.
Covered entities and business associates should implement an assessment process for determining whether a BAA is required. Such a process may be conducted electronically, as a default setting enforced through technical controls in a contract management and storage system; or, in the absence of such a system, as a required initial step that personnel must complete before any further sourcing can proceed.
If a contract management system is used, the system should prohibit the finalization of a business associate arrangement without the appropriate agreement in place. For example, when sourcing or contracting staff input a new vendor into the system, the system can prohibit staff from finalizing the arrangement without including a BAA, if the answers to a series of questions indicate that a BAA is required.
If an organization does not have an electronic contract management system that can be programmed to prohibit engagements from finalization without a BAA, the organization will need to rely on staff to execute a BAA when necessary. This can be accomplished through contracting policies and procedures and training for staff.
Entities in the health care industry must know whether they are a covered entity or a business associate (or both) and emphasize to all staff the importance of a BAA. Form documents used by an entity or presented to an entity for signature should be subject to careful review. Consult a professional experienced with HIPAA if you question whether you need a BAA, and do not sign or use a BAA unless you understand the obligations it imposes upon you or your organization and you know it is compliant.