Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has required thousands of companies around the US to create business associate agreements.
HIPAA regulations allow covered entities to hire third-party service providers or other persons or businesses (known as business associates), to whom they disclose protected health information (PHI) so that the business associate can assist the covered entity in its healthcare functions.
If your business has access to protected health information and plans to form partnerships with third parties to handle this information, you need this document.
Specifically, you’re required by law to sign a business associate agreement before any work is performed. Not doing so could be a costly mistake.
Protect your patients and your business with our free business associate templates, or simplify the process with our online builder.
What Is a Business Associate Agreement?
A HIPAA business associate agreement (BAA) is a written contract detailing the covered entity and business associate’s responsibilities regarding confidential, personally identifiable health information — and is legally distinct from a non-disclosure agreement.
Details include:
- the business associate’s permitted and required uses and disclosures of PHI.
- a clause stating the business associate will not use or further disclose PHI other than as permitted by the BAA or as required by law.
- measures the business associate must take to keep PHI secure.
- steps the business associate must take in the event of a breach.
What is a business associate?
A business associate is any individual, agency, or organization that is given protected health information to perform a service on behalf of a covered entity.
Examples of business associates include:
- A third-party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services require a healthcare provider to disclose protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant who performs utilization reviews for a hospital.
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider and then forwards the processed transaction to an insurance payer.
- An independent medical transcriptionist who provides transcription services to a physician.
- A pharmacy benefits manager who manages a health plan’s pharmacist network.
What is a covered entity?
HIPAA defines a covered entity as any healthcare provider, health insurance plan, or healthcare clearinghouse that collects and electronically transmits an individual’s protected health information.
Examples of covered entities include:
- Doctors
- Clinics
- Nursing homes
- Pharmacies
- Insurance companies
- Government healthcare programs
- Billing services
- Health information systems
Please visit the US Department of Health & Human Services website for more information on how HIPAA defines covered entities and business associates.
Who needs a business associate agreement?
All covered entities that plan to share protected health information with a third party must create a HIPAA-compliant business associate agreement before agreeing to do business together.
As the electronic sharing of healthcare data and the use of digital and cloud-based storage increase, organizations within and adjacent to the health industry need a business associate agreement to operate.
HIPAA BAA Requirements
Compliance with the rules outlined under HIPAA is required by law if your company holds the protected health information of individuals and seeks to expand business operations to outside associates.
What is BAA compliance?
The Health Insurance Portability and Accountability Act is broadly broken up into four sections:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
- The Enforcement Rule
In order to maintain HIPAA compliance, all covered entities and business associates must comply with the HIPAA privacy standards, as well as security and breach notification rules.
Privacy Rule
The HIPAA privacy rule sets national standards to protect the confidentiality of health information, with which business associates and covered entities must comply. It maintains that covered entities can’t use or disclose health information to third parties without the consent of the individual.
Furthermore, it gives patients greater control over their protected health information by allowing them to review, correct inaccuracies, and obtain copies of their personal medical records.
Security Rule
The security rule established which safeguards must be put in place to protect PHI. For instance, a comprehensive security risk analysis of a covered entity and business associate’s operations should be conducted before either party can handle and transmit PHI.
Breach Notification Rule
A breach occurs when the security or privacy of protected health information has been compromised. HIPAA requires covered entities to notify both the Secretary of Health and Human Services and all individuals whose protected health information is affected by a breach.
Business associates that become aware of a breach must promptly inform the covered entity so that it can begin the proper notification process.
Enforcement Rule
By establishing the enforcement rule, HIPAA set forth the rules under which covered entities and business associates must cooperate with the Department of Health and Human Services during any HIPAA violation investigation — in addition to the ramifications and penalties for violating HIPAA.
Penalties for violating HIPAA regulations
It’s in the covered entity and business associate’s best interest to avoid violating HIPAA — the consequences of which may cripple your company.
Depending on the nature of the violation, current civil and criminal penalties under HIPAA include the following:
- Minimum of $100 (up to $25,000) for each negligent violation made by an individual
- Minimum of $50,000 (up to $250,000) for each willful violation made by an individual
- Prison sentence of up to one year for each negligent violation
- Prison sentence of up to five years for receiving PHI through dishonest means
- Prison sentence of up to ten years for willful violations with the intent to profit or do harm
You can avoid civil penalties by implementing appropriate procedures to correct a non-willful violation within 30 days.
Business Associate Agreement Sample
To save time, we recommend using our business associate agreement builder.