A HIPAA Business Associate Agreement (BAA) is a contract between a HIPAA covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse) and a business associate (a third-party company that performs activities or services on behalf of the covered entity that involve the use or disclosure of protected health information, or PHI). The Agreement sets out the privacy and security measures the business associate must implement to protect the confidentiality and integrity of the PHI, in compliance with HIPAA. This guide answers the following questions:

What Should a HIPAA Business Associate Agreement Consist Of?

What a HIPAA Business Associate Agreement should consist of is stipulated in the HIPAA Administrative Simplification Regulations. However, because implementation specifications relating to Business Associate Agreements are spread throughout the HIPAA Administrative Simplification Regulations, the risk exists that some Agreements may not be HIPAA compliant and may lead to HIPAA violations.

What is a Business Associate Agreement in HIPAA?

A Business Associate Agreement in HIPAA is a written contract between two parties that establishes the permitted and required uses and disclosures of Protected Health Information (PHI). Most often, the two parties entering into a contract are a HIPAA covered entity and an individual or organization (a business associate) performing a function or providing a service for or on behalf of the covered entity that involves the creation, receipt, maintenance, or transmission of PHI.

Contracts can also be between a business associate and a subcontractor, or a secondary business associate if, for example, an organization providing billing services for a covered entity creates, receives, maintains, or transmits PHI via a cloud service provider that is already a business associate of the covered entity. It is also possible for an organization that is a covered entity in its own right to provide services as a business associate to another covered entity.

What Must a HIPAA Business Associate Agreement Include?

Typically, a HIPAA Business Associate Agreement starts by stating the names of the parties entering into the contract, an explanation of what the contract is for, and a list of definitions. Alternatively, the contract may include a “catch-all” definition such as “the following terms used in this Agreement shall have the same meaning as in the HIPAA Rules”. Thereafter, the written contract between the two parties (i.e., a covered entity and a business associate) must:

1. Establish the Permitted Uses and Disclosures of PHI

Rather than list each permitted use or disclosure individually, a HIPAA Business Associate Agreement usually refers to the Service Agreement between the covered entity and business associate that describes the services being provided for or on behalf of the covered entity. This clause usually prohibits the business associate from further using or disclosing PHI except as permitted by the contract or as required by law.

2. Require the Implementation of Appropriate Safeguards

In most cases, a HIPAA Business Associate Agreement requires the business associate to implement appropriate safeguards to prevent unauthorized uses or disclosures of PHI – including all Security Rule safeguards. However, when entering into a contract with a cloud service provider (e.g., Google, AWS, Microsoft, etc.), this clause may also require the covered entity to implement security safeguards and configure them in a compliant manner.

3. Require that Security Incidents are Reported

One often overlooked requirement of a HIPAA Business Associate Agreement is that business associates are required (by §164.314(a)(2)(C)) to report all security incidents (as defined in §164.304) – not just those that result in a data breach or a disclosure not permitted by the contract. With regard to reporting a data breach, the contract should also stipulate that the business associate has to comply with the implementation specifications of §164.410.

4. Require Compliance with Patients’ Rights

Under the Privacy Rule §§164.524-164.526, patients have the right to request a copy of their PHI (provided it is maintained in a designated record set), request amendments to their PHI if errors exist, and request an accounting of disclosures. Business associates that maintain PHI in designated record sets are required to comply with these patients’ rights when requested by a patient or by the covered entity for whom a service is being provided.

5. Allow HHS to Inspect Books, Records, and Practices

To the extent required by law, and subject to applicable privileges, a business associate must allow HHS’ Office for Civil Rights (OCR) to inspect its books, records, and practices concerning the uses and disclosures of PHI received from the covered entity or created or received by the business associate. This is so OCR can determine the covered entity’s compliance with HIPAA and both parties’ compliance with the HIPAA Agreement.

6. Require the Return or Destruction of PHI

Although most contracts do not stipulate an expiry date, they must include a clause that states the business associate will – where feasible – return or destroy any PHI in its possession at the termination of the HIPAA Agreement. This clause also applies to PHI shared by the business associate with a contractor, and should stipulate that it is the business associate’s responsibility to recover PHI from the contractor.

7. Include Disclosures of PHI to Subcontractors

In many cases, it is not possible to prevent business associates from disclosing PHI to subcontractors or secondary service providers such as Google, AWS, or Microsoft. However, in such cases, business associates must agree to seek assurances that PHI will be safeguarded via a second HIPAA Business Associate Agreement that imposes the same restrictions and conditions on uses and disclosures of PHI as apply to the business associate.

8. Include the Covered Entity’s Responsibilities

It was mentioned previously that some contracts require covered entities to implement Security Rule safeguards. Additionally, covered entities have Privacy Rule responsibilities if, for example, a patient exercises their right to restrict disclosures of PHI or withdraw an authorization. In such cases, or if restrictions exist in a Notice of Privacy Practices, the covered entity has a responsibility to notify the business associate.

9. Stipulate the Terms of Termination

The terms of termination should apply to both parties: if either the covered entity or the business associate breaches the terms of the HIPAA Business Associate Agreement, and the breach is not resolved within an agreed period of time (stipulated in the contract), the Agreement is terminated with immediate effect. At the time of termination, all PHI must be returned to the covered entity or destroyed, regardless of which party is the breaching party.

10. Conclude with Contact Details and Signatures

Contracts usually conclude with a Miscellaneous section covering topics such as data ownership, the conditions for amending the HIPAA Agreement, and a statement stipulating that, in the event of a conflict between a Service Agreement and the HIPAA Agreement, the terms of the HIPAA Business Associate Agreement prevail. There should also be a section for the contact details and signatures of the parties’ authorized representatives.

What Optional Clauses can be Added to a HIPAA Agreement?

Individuals with experience of HIPAA Business Associate Agreements will be aware that some contracts can be relatively brief, while others contain dozens of pages. In some cases, the difference in length can be attributable to long explanations of what the contract is for (especially if details of the Service Agreement are included in the preamble) and a full list of definitions; but often the reason for the difference in length is the addition of optional clauses.

Optional clauses can be added for many reasons. For example, a covered entity may make it a requirement of a HIPAA Business Associate Agreement that a business associate implements security measures beyond those required by the Security Rule (e.g., two-factor authentication), or trains members of the workforce on applicable HIPAA Privacy Rule standards in addition to providing mandatory security and awareness training.

In the event that a covered entity is subject to state laws that preempt HIPAA (e.g., Texas), the covered entity may choose to include optional clauses relating to state law in the contract; or, if other federal laws apply to the covered entity’s activities (e.g., the FTC’s Identity Theft Prevention Red Flags Rule), the covered entity may add clauses to the HIPAA Agreement that require the business associate to also comply with the federal law.

Some covered entities’ contracts also make the business associate responsible for the covered entity’s costs of recovering from a data breach if the reason for the data breach is the “failure to perform, negligence, willful misconduct, or breach of obligations under the HIPAA Business Associate Agreement” by the business associate. In such cases, a further optional clause may require the business associate to have insurance coverage for such an event.

What Traps, Dangers, and Issues Exist with HIPAA Agreements?

In addition to the implementation specifications for Business Associate Agreements being spread throughout the HIPAA Administrative Simplification Regulations, there are a number of traps, dangers, and issues that can exist with HIPAA Agreements and that can lead to non-compliant contracts and the potential for HIPAA violations. The following is a small selection of the traps, dangers, and issues that can exist.

One of the most common traps is entering into a cloud service provider’s HIPAA Business Associate Agreement without understanding what services are covered by the contract. Usually, covered services are described as “in-scope” and subject to the organization subscribing to a business or enterprise account. The trap in this example is that users – believing a contract covers all services – may create, store, or transmit PHI via a service not covered by the Agreement.

There can be several dangers related to HIPAA Business Associate Agreements. The biggest one is when the clause requiring security incidents (even unsuccessful ones) to be reported to covered entities is omitted from the contract. Admittedly, you can understand why Microsoft might omit this from its default HIPAA Business Associate Agreement because the cloud service provider probably experiences thousands of unsuccessful security incidents per day.

While Microsoft has the mechanisms in place to withstand security incidents and any potential consequences, a smaller cloud service provider might not have the systems in place to identify (say) a network intrusion that appears unsuccessful, but which later results in the failure of the network’s security (e.g., via a Command and Control takeover). For this reason, covered entities may need to be advised of unsuccessful security incidents.

Other issues can exist when a covered entity sends a business associate a contract and invites them to submit any exceptions they wish to remove from the HIPAA Business Associate Agreement. Although the covered entity should be aware of what clauses must be included in a HIPAA Business Associate Agreement, any proposed modifications to the contract should be reviewed by a legal professional with experience in HIPAA compliance.

When is a HIPAA Business Associate Agreement Not Required?

The requirement to enter into a HIPAA Business Associate Agreement when PHI is disclosed to a third party can be found in the Privacy Rule (§164.502 & §164.504) and in the Security Rule (§164.308 & §164.314). However, there are circumstances in which a HIPAA Business Associate Agreement is not required. These include, but are not limited to:

  • When a covered entity discloses PHI to a healthcare provider for the treatment of a patient. For example, if a hospital refers a patient to a specialist and discloses the minimum necessary PHI to the specialist to enable the treatment.
  • Similarly, a HIPAA Business Associate Agreement is not necessary when a physician discloses PHI to a laboratory, or when a hospital laboratory discloses PHI to a reference laboratory, when the purpose of the disclosure is the treatment of a patient.
  • When PHI is collected or shared by a health plan that is a public benefits program, such as Medicare, and an agency other than the agency administering the health plan determines eligibility for enrollment in the public benefits program.
  • When a healthcare provider discloses PHI to a health plan to support an eligibility check, authorization for treatment, or request for payment, and the healthcare provider and health plan are independent covered entities.
  • When any access to PHI would be accidental or incidental. For example, when engaging the services of an organization (e.g., an environmental services agency) whose functions or services do not involve the use or disclosure of PHI.
  • When an organization is a conduit for the delivery of PHI. Examples include the US Postal Service and private courier services such as DHL, UPS, and FedEx – but not electronic delivery services which store copies of PHI on servers or could be intercepted in transit.
  • When a financial institution acts as a payment processor for payment of health care or health plan premiums. Even though these activities relate to payments for health care, the financial institution is providing its normal banking services to its customers. It is not performing a service for or on behalf of a covered entity.

Other times when a HIPAA Business Associate Agreement is not necessary include when PHI is shared permissibly among members of a covered entity’s or business associate’s workforce, and when PHI is shared permissibly among covered entities who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA.

Why it is Important to Understand HIPAA Business Associate Agreements

It is important to understand HIPAA Business Associate Agreements because any errors, omissions, or unresolved issues can result in gaps in HIPAA compliance that lead to HIPAA violations. It is also the case that entering into incomplete or inaccurate contracts could be perceived by HHS’ Office for Civil Rights as no contract being in place at all – a further violation of HIPAA.

The failure to implement a HIPAA Business Associate Agreement when one is required can result in HHS’ Office for Civil Rights imposing a civil monetary penalty – even if no breach of unsecured PHI has occurred. For example, in 2017, the Center for Children’s Digestive Health in Illinois was fined $31,000 for the failure to enter into a contract with a business associate prior to sharing PHI.

Additionally, the failure to review and update HIPAA Business Associate Agreements can also be penalized by regulators. In 2016, the Care New England Health System was fined $400,000 for failing to update its HIPAA Business Associate Agreement with the Women & Infants Hospital of Rhode Island since 2005 – despite being required to do so by the Final Omnibus Rule in 2013.

Conversely, entering into a HIPAA Business Associate Agreement with a contractor when none is required can be unnecessarily time-consuming and expensive. Therefore, if your organization is unsure of the requirements for HIPAA Business Associate Agreements, unsure about when an Agreement is required, or unsure of the Agreement’s content, it is recommended you seek professional compliance advice.