A HIPAA business associate agreement (BAA) establishes the guidelines and responsibilities for safeguarding protected health information (PHI) when a primary health care provider or health plan needs another entity to handle the sensitive information.
HIPAA Law
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to enter into business associate agreements with every third-party service provider that may come into contact with protected health information.
Business associate agreements are just one aspect of HIPAA compliance, but they’re essential in ensuring business associates properly handle and safeguard PHI.
- What Is a HIPAA Business Associate Agreement?
- Key Terminology
- Business Associate Agreement Requirements
- Examples of Business Associate Agreement Failures
- How HIPAA Differentiates between Business Associates and Subcontractors
- What Happens If a Business Associate Violates a BAA?
- How to Create a Business Associate Agreement
- HIPAA Business Associate Agreement Sample
- Frequently Asked Questions
What Is a HIPAA Business Associate Agreement?
A HIPAA business associate agreement is a contract covered entities must sign with any third-party service provider (the “business associate”) that will have access to protected health information. This legally binding document ensures the business associate will:
- Implement the necessary safeguards to protect PHI following HIPAA regulations.
- Use and disclose PHI only as the agreement and HIPAA law permit.
- Assist the covered entity in responding to individuals’ rights requests and any Department of Health and Human Services investigations.
- Report any breaches or impermissible uses of PHI to the covered entity.
Additionally, a business associate contract is a critical risk management tool because the covered entity and business associate can face significant penalties if they fail to comply with HIPAA regulations.
This document is essential to protecting how external entities handle sensitive health information and achieve overall HIPAA compliance.
Key Terminology
Here’s some key terminology to know when creating a BAA:
Covered Entity
A covered entity is any health care provider, health plan, or health care clearinghouse that must comply with HIPAA rules [1]. It can be an individual or an organization. Examples of covered entities include the following:
- Pharmacies
- Nursing homes
- Chiropractors
- Dentists
- Psychologists
- Clinics
- Doctors
- Government programs paying for medical care (like Medicaid, Medicare, and military health care programs)
- Company health plans
- HMOs
- Health insurance companies
The CMS covered entity guidance tool can help determine if your practice must be HIPAA-compliant [2].
Protected Health Information
The HIPAA Privacy Rule defines protected health information (PHI) as all “individually identifiable health information” [3]. Through a BAA, covered entities and business associates must restrict how they use this information, including identifiers such as a person’s full name, address, or Social Security Number.
Some medical data that falls under the categorization of PHI includes the following:
- An individual’s past, present, or future physical or mental health.
- The extent and type of health care a physician provides to an individual.
- The past, present, or future payment for an individual’s health care.
Business Associate
A business associate is any individual, agency, or organization with access to protected health information (PHI) to perform a service for a covered entity. They can only use or disclose PHI as their BAA describes.
Employees and contractors that a health care provider hires solely to work for a covered entity are not business associates. Instead, they should sign a confidentiality agreement to meet HIPAA compliance requirements.
Data Safeguards
Data safeguards are controls business associates and covered entities implement to protect the PHI’s availability, integrity, and confidentiality.
With the advancement of technology and increasing reliance on digital tools in the health care industry, entities must consider factors like audit trails, encryption, access controls, cloud storage, electronic health record systems, and digital communication platforms when establishing and reviewing BAAs.
While the HIPAA Privacy Rule protects sensitive health information in any medium, the HIPAA Security Rule protects health information in electronic form [4].
Business Associate Agreement Requirements
The Code of Federal Regulations (CFR) outlines three main requirements that a BAA must contain [5]:
Permissible Uses
Here are the permissible uses to include in BAAs [6]:
- The business associate may only use or disclose protected health information as the agreement permits. You have two options for defining those permitted uses:
- Provide a specific list of acceptable purposes.
- Reference an underlying service agreement.
- The business associate may use or disclose PHI as the law requires.
- The business associate agrees to make uses, disclosures, and requests of PHI under one of two conditions:
- Consistent with the covered entity’s policies and procedures for the minimum necessary rule.
- Subject to the minimum necessary requirements outlined in the agreement.
- The business associate may not use or disclose PHI in a way that would violate 45 CFR Subpart E.
- Optional: The business associate may use PHI for the proper management and administration of the business associate or to carry out their legal responsibilities.
- Optional: The business associate may provide data aggregation services about the covered entity’s health care operations.
Business Associate Obligations
Here are some obligations a business associate must fulfill:
- Not to use or disclose PHI in any way the agreement or HIPAA law forbids.
- To use appropriate safeguards and comply with 45 CFR Subpart C relating to electronic PHI.
- To report any prohibited use or disclosure of PHI or security incident to their covered entity (per 45 CFR § 164.410).
- To ensure any subcontractors that create, maintain, receive, or transmit PHI on the business associate’s behalf adhere to the same requirements, conditions, and restrictions that apply to the business associate (per 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2)).
- To make PHI available in a designated record set to the covered entity (per 45 CFR 164.524).
- To make any amendments to PHI in a designated record (per 45 CFR 164.526).
- To maintain and make available the necessary information to provide an accounting of disclosures to the covered entity (per 45 CFR 164.528).
- To make its records, books, and internal practices available to the Secretary of Health and Human Services, who can determine whether they comply with HIPAA.
Termination Provisions
BAAs can terminate by an established end date or for cause if the associate violates a term.
Once the agreement terminates, a business associate has the following obligations:
- Only retain PHI that’s essential for their continued operations or legal responsibilities.
- Return to the covered entity (or destroy) any remaining PHI.
- Continue using appropriate safeguards for protecting electronic PHI.
- Do not disclose or use any remaining PHI for prohibited reasons.
Examples of Business Associate Agreement Failures
Explore some examples of BAA failures so you can better understand this document’s purpose:
Asking Every Contractor to Sign a BAA
Some covered entities will insist every contractor enters into a BAA even when it is unnecessary. For example, two covered entities may unnecessarily enter into a BAA with each other even though both are already subject to HIPAA. A covered entity may also ask a contractor to sign a BAA even if the contractor has no access to PHI, which wastes time and resources.
Assuming HIPAA Compliance With a Signed BAA
Simply having a business associate sign a BAA doesn’t guarantee HIPAA compliance. Some covered entities won’t follow through with their due diligence obligations, like auditing business associates, because they assume automatic compliance by completing a BAA.
Not Having a BAA for Business Associates through Which Electronic PHI Passes
Even if you don’t directly disclose PHI to an entity, it might still pass through their systems electronically. If you don’t implement a BAA, you could violate HIPAA as a covered entity.
Only Implementing Encryption as a Safeguard
While encryption is an important safeguard for protecting PHI, you must also implement physical and administrative safeguards to ensure HIPAA compliance.
How HIPAA Differentiates between Business Associates and Subcontractors
Explore the differences between a business associate and a subcontractor under HIPAA:
Business Associate
Explore what a business associate is below:
Definition
A business associate is an individual or entity that provides services to or performs specific activities or functions on behalf of a covered entity.
Who Can Be Considered One
Examples of business associates include:
- A CPA firm whose accounting services require a health care provider to disclose PHI.
- A consultant who performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider. Then, it forwards the processed transaction to an insurance payer.
- An independent medical transcriptionist who provides transcription services to a physician.
- A pharmacy benefits manager who manages a health plan’s pharmacist network.
Specific Requirements
Here are some specific requirements for a business associate:
- Enter into and maintain a BAA with a covered entity.
- Offer “satisfactory assurances” that they’ll shield PHI appropriately.
- Comply with all pertinent HIPAA regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule.
- Maintain detailed records, including incident response plans, policies, procedures, security measures, and risk assessments.
- Cooperate with investigations.
Subcontractor
Explore what a subcontractor is and how they differ from a business associate:
Definition
A subcontractor is an organization or individual that can access PHI when providing a service for a business associate.
The subcontractor has no contact with a covered entity but must sign a business associate subcontractor agreement (BASA) with the business associate to comply with HIPAA.
Who Can Be Considered One
Common examples of business associate subcontractors are:
- Email encryption providers
- Attorneys
- File sharing vendors
- Accountants
Specific Requirements
Here are the specific requirements a subcontractor must meet:
- Abide by contractual obligations.
- Implement the proper security measures.
- Assure the business associate they’ll comply with HIPAA.
- Play their role in the chain of responsibility.
Chain of Command in HIPAA
Just as a covered entity and a business associate must enter into a BAA, a business associate and a subcontractor must enter into a similar agreement.
What Happens If a Business Associate Violates a BAA?
If a business associate operating under a BAA mishandles PHI or otherwise violates the agreement, the covered entity must take steps to cure the breach, end the violation, or terminate the contract with the business associate to avoid being held liable under HIPAA.
Business associates must follow the BAA’s guidelines for notifying the covered entity of a breach and may also have to inform affected individuals.
Depending on the severity of the HIPAA violation, the perpetrator may face penalties like fines or jail time. For example, in 2016, Care New England Health System (CNE) had to undergo a comprehensive corrective action plan and pay $400,000 to settle potential HIPAA violations [7].
How to Create a Business Associate Agreement
Step 1 – Provide the Agreement’s Basic Information
Provide the name of the covered health care provider (or health care plan/clearinghouse) and the business associate. List each party’s address. Include the date you’re entering the agreement.
Step 2 – Define the Business Associate’s Obligations and Activities
Specify that the business associate will gain access to PHI so it can help the covered entity complete its health care activities. Clarify that the information is not for the business associate’s independent use. Include optional activities/obligations, such as handling disclosure requests, amendments, and access requests.
Step 3 – List the Permitted Uses and Disclosures by the Associate
List the permitted uses and disclosures by the associate. Include any customizations, as you may want to specify unique purposes.
Step 4 – State Termination Protocols
State if the agreement terminates on a certain date or if the covered entity can terminate it for a specific cause. Clarify if the business associate has time to cure the breach or end the violation before termination.
Step 5 – Obtain Signatures
Obtain both parties’ signatures and write their titles.
HIPAA Business Associate Agreement Sample
Download a HIPAA business associate agreement template below in PDF or Word format:
Frequently Asked Questions
When Is a BAA Required?
A covered entity and a business associate must enter a BAA whenever the business associate might come into contact with PHI.
What Is an “Other Arrangement” in the Context of HIPAA Compliance?
An “other arrangement” is an understanding or agreement different from a BAA. It establishes the terms and conditions for handling protected health information and describes the duties of the involved parties. It allows for more flexibility when the proposed arrangement doesn’t align with the traditional BAA relationship.
What Happens If My Business Associate Discloses PHI?
As the covered entity, you must mitigate harm and notify the proper parties. You should implement additional safeguards, offer additional training, and revise policies and procedures to correct the mistakes. You can terminate the agreement if you no longer want to work with the business associate.
How Frequently Should I Renew a BAA?
You don’t have to renew a BAA at any certain frequency, but you can revisit and evaluate it and make changes depending on factors like changes in the law or your business relationship.
Is a BAA Required Between Two Covered Entities?
Because covered entities are already required to follow the HIPAA Privacy Rule, one covered entity can disclose PHI to another covered entity without a BAA.