What is a Business Associate Agreement in HIPAA?

In simple summary, a Business Associate Agreement (BAA) is a legal contract that exists between a Covered Entity and a Business Associate who comes into contact with Protected Health Information (PHI). Sometimes called a Business Associate Contract, it is critical and required to maintain HIPAA compliance.

With the main bulk of PHI being stored electronically, most data can also be found outside of your physician’s office.  X-rays, insurance information, prescriptions, and other records are stored offsite so that they can be electronically transmitted.  Those companies that use, store, transmit, and/or access the protected health information are going to fall under the Business Associate category of HIPAA.

Some common examples of a Business Associate include:

• Billing company
• Answering service
• IT consultant
• Medical transcriptionist
• Shredding company
• Attorney

Legislation requires that as a Covered Entity, you should only work with Business Associates who can safeguard the integrity and security of all PHI, and this must be assured in the form of a legally binding contract.  That contract is known as the Business Associate Agreement, and it is in everyone’s best interest to have one in place, especially in the event of a breach.

This document should include and outline the following:

 Establish what permitted PHI the Business Associate will access and how they will use it

1. The requirement that the BA will use the appropriate safeguards to secure that PHI
2. A requirement that the BA will report to the Covered Entity any use or disclosure not included in the contract – including any events that constitute a breach; it should also outline the procedure in the event of a data breach
3. That the BA will disclose any PHI covered to satisfy the Covered Entity’s obligation to accommodate an individual’s request for their information as well as for any amendments and accountings
4. An outline for the termination of the agreement as well as a description for the process of destroying or returning any PHI
5. That any subcontractors that engage on the BA’s behalf and have access to PHI agree to the same restrictions and conditions

This contract can also include an outline of the relationship of the two parties, but its main goal is to define that the covered entity holds it as a requirement of the BA to implement appropriate administrative, technical, and physical safeguards in compliance with the Security Rule to ensure that the electronic PHI is held in confidence and with integrity, and availability.  It must also be stated that the BA will not “use or further disclose the information other than as permitted or required by the contract or as required by law.”  Additional details on what the U.S. Department of Health & Human Service (HHS) specifically requires in the BA can be found here.

It can be noted that employees of the Business Associate do not need to individually sign the BAA as they are part of the organization and not BAs themselves. However, they should be part of a HIPAA training program that will assist in maintaining the integrity and security of the PHI that the company has access to.

Accountability If A Breach Occurs

A BAA will help protect both parties in the event of a breach.  If one party violates the agreement, the other party has grounds for legal action, but if there is no BAA in place, both parties are held responsible in the event of a breach and may face action from HHS, the Office for Civil Rights, and possibly even the Department of Justice.  HIPAA fines are based on a tier system and the level of accountability and knowledge factor into the fine amount which ranges from $100 to $50,000+ PER violation.

While this agreement is not a fail-safe against financial penalties for a covered entity, it can help with mitigating the risk of penalty if a breach does occur.  Is your company ensuring that all their Business Agreements are in place and done correctly?  Are you regularly verifying that your Business Associates are doing their part to protect your organization’s PHI? HIPAA Secure Now can help with that and all of your compliance needs – from Business Associate Agreement templates to checklists for your Business Associates, we’ve got you covered.