HIPAA Business Associate Agreements: an understanding

Key Takeaway:

Business Associate agreements are designed to perform a number of important functions; above all, they are meant to safeguard and secure patient healthcare information.

In simple terms, a HIPAA Business Associate agreement, abbreviated to BAA, is a contract that a HIPAA Covered Entity enters into with a HIPAA Business Associate (BA) agreeing to ensure protection of Personal Health Information (PHI) in compliance with HIPAA guidelines.

This is fundamentally required because Covered Entities carry out much of their work through Business Associates, so agreeing on the terms under which those associates operate is very important. A directive to this effect was issued on February 18, 2010, in accordance with the HITECH Act of 2009.

What should a Business Associate agreement contain?

A HIPAA Business Associate agreement should contain:

  • A clear and explicit description of how a BA must report a data breach and respond to it
  • A clear statement of what is to be done when a data breach is caused by a Business Associate's subcontractors
  • A provision that requires a BA to demonstrate how it will respond to an Office of Civil Rights (OCR) investigation

Requirements under a HIPAA Business Associate agreement

  • When handling, using, or disclosing PHI, a BA must comply with the mandates prescribed by the HIPAA Security Rule and the HIPAA Privacy Rule
  • The Act requires that any HIPAA Business Associate serving a health care provider or institution must be audited by the OCR, which comes under the Department of Health and Human Services (HHS)
  • Such a BA can be held accountable for a data breach and can also be penalized for noncompliance

Changes to the Business Associate agreement

The provisions of HIPAA relating to the Business Associate agreement were amended in January 2013. This 2013 amendment significantly changed the nature and scope of Business Associate agreements. While there were no issues with the nature and content of a Business Associate agreement itself, important amendments were needed because the earlier 2010 provision had largely covered some Covered Entities, such as health care providers, health insurance plans and clearinghouses, while excluding important stakeholders such as lawyers, accountants, and many others who had access to healthcare information. In view of this, some provisions of the Business Associate agreement were changed to expand the scope of who is termed a Business Associate, so that the requirements would apply to these previously excluded groups as well.

What does a Covered Entity require from a Business Associate in a Business Associate agreement?

Ideally, a Business Associate agreement should explicitly require Business Associates to disclose/implement the following elements to Covered Entities:
