HIPAA requires Business Associate Agreements. Learn the who, what, why and how of these important contracts.   

HIPAA, CISSP, HCISPP
By: Ryan Marshall
HIPAA Fulfillment Manager
CISSP, HCISPP
When it comes to patient data protection, covered entities and business associates share a dual responsibility, but each has its own role. A business associate agreement (BAA) is a contract required for any business associate that receives patient data, either from a covered entity or from another business associate. Read on to learn the basics and understand the elements of this agreement.

First, the differences between covered entities (CE) and business associates (BA):

What is a covered entity?

  • Health Plan: health insurance company 
  • Healthcare Clearinghouse: data aggregation companies that take data from a nonstandard format and convert it into a standard format 
  • Healthcare providers: physicians, pharmacies, homeopathic providers, prosthetic/orthotic providers

What is a business associate?

  • A business associate creates, receives, maintains or transmits protected health information (PHI) from or on behalf of a covered entity.
  • “Downstream” entities, i.e., subcontractors of business associates who may deal with patient data, are also technically considered business associates. They have the same liabilities as a BA, and the BA to which they’re subcontracted is responsible for management of their agreement.  
  • There are exceptions:
    • The transfer of data between two covered entities, each acting in its primary role as a covered entity (for instance, with provider referrals or insurance claims), is not considered a business associate relationship.
    • Law enforcement and government agencies may request PHI, but they are not considered business associates.
SEE THIS: Business Associate Decision Tree.


Important to understand: covered entity liability

CEs are responsible for knowing who their business associates are and having proper agreements in place. They’re responsible for drafting BAAs that meet their own requirements as well as HIPAA requirements. The business associate’s responsibility includes adhering to whatever is in the contract, but CEs must themselves take measures to check on their BAs’ patient data handling processes and security measures.

Even with the agreement in place, there’s still a shared liability between a covered entity and a business associate. If the covered entity drafts and signs the best possible agreement, and keeps it up to date—but doesn’t monitor compliance, there isn’t a high level of protection from data breaches and fines. And, in the event of a data breach, covered entities will be required to show that they’ve done their due diligence and given best efforts to prevent the breach.

Remember that while a properly executed business associate agreement will transfer most of the financial liability of a BA’s data breach to the BA itself, there remains the ever-present risk of damage to the covered entity’s public reputation.

SEE ALSO: 7 HIPAA MYTHS & MISUNDERSTANDINGS, DEBUNKED


What’s in a business associate agreement?

First of all, realize that you definitely need to know the ins and outs of what’s in (and should be in) a business associate agreement. Most covered entities use a business associate agreement template, which is fine and even recommended. But regardless of who created it, you need to know what’s in it.

Some of the required elements:

  • Permissible and required disclosures: what the business associate can and can’t do with the data, as well as what they’re required to do with the data
  • Reference to “downstream” subcontractors: ensure that they are bound to abide by the same terms as the BA
  • BA’s duty to safeguard the data: with reference to the security rule 
  • Reporting obligations: BA’s responsibility to notify CE of impermissible disclosures, which could include a data breach incident 
  • Termination clause: CE can terminate contract for violation of terms, and in the event of termination, the BA must return or destroy the data  

Elements that aren’t legally required but are still good to have:

  • A “right to audit” clause: gives the covered entity right to monitor the business associate’s compliance with BAA
  • Indemnification clause: each party will take respective responsibility for any financial harm caused
  • Expiration dates: if you don’t regularly review your BAAs, they may have expiration dates of which you’re unaware. This puts them at risk of becoming invalid. Does HIPAA require expiration dates on business associate agreements? No. The agreements can be in force indefinitely. However, it’s crucial that you check on them periodically, so expiration dates are a great way to force the action of review. 

The “Minimum Necessary” Rule

This requirement is found in the HIPAA Privacy Rule and supports the foundational principle that parties shouldn’t create, use, disclose, or transfer more information than is needed to complete the task.

Many BAs believe that the covered entity takes care of the minimum necessary requirement. But, the business associate also has the responsibility to request and use only the minimum amount of information required to perform the task.

SEE ALSO: HIPAA Business Associate Agreement; Who's Really Responsible? 


Contract Negotiation

Sometimes business associates want to change parts of the agreement. Or, a larger organization might have a standard contract and won’t sign anyone’s but their own. In these cases, you can find yourself at a sticking point. Where do you dig in your heels and where do you give a little leeway?

If you find yourself in this situation:

  • Create a checklist of items to address
  • Understand that required elements are not negotiable
  • Identify objectives and prioritize them to avoid getting stuck on non-important issues

If a business associate is not going to comply with certain things, that’s a good indication as to whether or not you should work with them.

HIPAA regulations require you to take action if you know or believe a business associate is not HIPAA compliant. And, covered entities should remember that they have purchasing power in relation to a business associate. In a recent SecurityMetrics poll, we asked covered entities if they would work with a business associate who would not sign a BAA. 100% of respondents answered, “no.”

HIPAA Compliance

Even if a business associate does not consider itself to be “within” the healthcare industry, the reality is that if they store, process, transmit, maintain and/or touch protected health information in any way—they must be HIPAA compliant. Covered entities may catch more heat from data breaches, but business associates are also legally bound to protect PHI.

The business associate agreement is the starting point for the covered entity-business associate relationship. It defines roles, assigns responsibilities, and—if properly followed and maintained—ultimately helps keep protected health information safe and secure.

Ryan Marshall (CISSP, HCISPP) is the HIPAA fulfillment manager at SecurityMetrics. He has worked in data security for eight years, and has specialized in HIPAA, healthcare reliance, and HIPAA regulations for three years.