HIPAA and Business Associate Agreements (BAAs)

What is a Business Associate Agreement (BAA)?

It has become necessary for HIPAA-covered entities to set up partnerships with other organizations to safeguard their healthcare data assets. The contracts for these partnerships, which specify what each party is accountable for concerning PHI, are called business associate agreements (BAAs) or business associate contracts.

Who is considered to be a HIPAA Business Associate?

According to the U.S. Department of Health & Human Services (HHS), a business associate is any person or entity that carries out functions or activities for a covered entity where it is necessary that the business associate has to access protected health information (PHI).

This person or organization might also make their services available to a covered entity. For instance, a consultant who prepares and carries out hospital utilization assessments or an attorney given PHI access as they offer their services to a healthcare provider are both considered business associates.

On the other hand, there are allowances with the business associate standard, HHS says, where “a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.”

These exceptions include the following circumstances (but this list is not conclusive):

  • Disclosures of information by a covered entity to a healthcare provider for management and care of the individual
  • PHI collection and distribution by a health plan, specifically a public benefits program such as Medicare
  • Disclosures of information to a health plan sponsor by a group health program, a health insurance issuer, or HMO that makes health insurance benefits or coverage available for the group health plan
  • With persons or organizations that are a go-between for PHI, such as the U.S. Postal Service

When a covered entity has defined who their applicable business associates are, it is essential to make certain that these third parties will only access and use any PHI given to them in a protected and established way.

“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions—not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” HHS states on its site.

The complexities of business associates and BAAs

The HIPAA Omnibus Rule altered the way business associates are supposed to uphold PHI security.

“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS says on its site. “The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

Business associates can now be held legally responsible with the same repercussions as covered entities can under HIPAA regulations if/when PHI is hacked and healthcare data ends up compromised.

The contract must define what PHI uses are necessary and allowed for the business associate, as well as plainly explain that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”

The right safety measures need to be established, making certain that the business associate will only disclose PHI when their contract permits them to.

“Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” HHS details on their site. “If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to [OCR].”

An example business associate agreement can be reviewed on the HHS site here.

MAXtech Can Help You

We specialize in helping healthcare professionals remain HIPAA compliant. Schedule a free HIPAA assessment with us to see how we can help you.