What Is a HIPAA Business Associate Agreement?
A HIPAA business associate agreement is a contract that covered entities must sign with any third-party service provider (the “business associate”) that will have access to protected health information. This legally binding document ensures the business associate will:
- Implement the necessary safeguards to protect PHI following HIPAA regulations.
- Use and disclose PHI only as permitted by the agreement and HIPAA law.
- Assist the covered entity in responding to individuals’ rights requests and any Department of Health and Human Services investigations.
- Report any breaches or impermissible uses of PHI to the covered entity.
Additionally, a business associate contract is a critical risk management tool because the covered entity and business associate can face significant penalties if they fail to comply with HIPAA regulations.
This document is essential to governing how external entities handle sensitive health information and to achieving overall HIPAA compliance.
Key Terminology
Here’s some key terminology to know when creating a BAA:
Covered Entity
A covered entity is any health care provider, health plan, or health care clearinghouse that must comply with HIPAA rules. It can be an individual or an organization. Examples of covered entities include the following:
- Pharmacies
- Nursing homes
- Chiropractors
- Dentists
- Psychologists
- Clinics
- Doctors
- Government programs paying for medical care (like Medicaid, Medicare, and military health care programs)
- Company health plans
- HMOs
- Health insurance companies
The CMS covered entity guidance tool can help determine whether your practice must be HIPAA-compliant.
Protected Health Information
The HIPAA Privacy Rule defines protected health information (PHI) as all “individually identifiable health information.” Through a BAA, covered entities and business associates must restrict how they use this information, which includes identifiers such as a person’s full name, address, or Social Security Number.
Medical data that falls under the category of PHI includes the following:
- An individual’s past, present, or future physical or mental health.
- The extent and type of health care a physician provides to an individual.
- The past, present, or future payment for an individual’s health care.
- An individual’s patient incident reports.
Business Associate
A business associate is any individual, agency, or organization that has access to protected health information (PHI) in order to perform a service for a covered entity. A business associate can only use or disclose PHI as its BAA describes.
Data Safeguards
Data safeguards are controls business associates and covered entities implement to protect the PHI’s availability, integrity, and confidentiality.
With the advancement of technology and increasing reliance on digital tools in the health care industry, entities must consider factors like audit trails, encryption, access controls, cloud storage, electronic health record systems, and digital communication platforms when establishing and reviewing BAAs.
While the HIPAA Privacy Rule protects sensitive health information in any medium, the HIPAA Security Rule protects health information in electronic form.
Business Associate Agreement Requirements
The Code of Federal Regulations (CFR) outlines three main requirements that a BAA must contain:
Permissible Uses
Here are the permissible uses to include in BAAs:
- The business associate may only use or disclose PHI for the purposes the agreement permits. You have two options for defining those purposes:
- Provide a specific list of acceptable purposes.
- Reference an underlying service agreement.
- The business associate may use or disclose PHI as the law requires.
- The business associate agrees to make requests for, disclosures of, and uses of PHI under one of two conditions:
- Consistent with the covered entity’s policies and procedures for the minimum necessary rule.
- Subject to outlined minimum necessary requirements.
- The business associate may not use or disclose PHI in a way that would violate 45 CFR Subpart E.
- Optional: The business associate may use PHI for the proper management and administration of the business associate or to carry out their legal responsibilities.
- Optional: The business associate may provide data aggregation services about the covered entity’s health care operations.
Business Associate Obligations
Here are some obligations a business associate must fulfill:
- To not use or disclose PHI in any way the agreement or HIPAA law forbids.
- To use appropriate safeguards and comply with 45 CFR Subpart C relating to electronic PHI.
- To report any prohibited use or disclosure of PHI, or any security incident, to the covered entity (per 45 CFR 164.410).
- To ensure any subcontractors that create, maintain, receive, or transmit PHI on the business associate’s behalf adhere to the same requirements, conditions, and restrictions that apply to the business associate (per 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2)).
- To make PHI available in a designated record set to the covered entity (per 45 CFR 164.524).
- To make any amendments to PHI in a designated record set (per 45 CFR 164.526).
- To maintain and make available the necessary information to provide an accounting of disclosures to the covered entity (per 45 CFR 164.528).
- To make its records, books, and internal practices available to the Secretary of Health and Human Services, who can determine whether they comply with HIPAA.
Termination Provisions
BAAs can terminate on an established end date or for cause if the business associate violates a term.
Once the agreement terminates, a business associate has the following obligations:
- Retain only the PHI that is essential for its continued operations or legal responsibilities.
- Return to the covered entity (or destroy) any remaining PHI.
- Continue using appropriate safeguards to protect electronic PHI.
- Not disclose or use any remaining PHI for prohibited purposes.