Business Associate agreements are designed to perform a number of important functions. They are meant to safeguard and secure patient healthcare information.
In simple terms, a HIPAA Business Associate agreement, abbreviated to BAA, is a contract that a HIPAA Covered Entity enters into with a HIPAA Business Associate (BA), agreeing to ensure the protection of Personal Health Information (PHI) in compliance with HIPAA guidelines.
This is required because Covered Entities carry out their work through Business Associates, so agreeing on the terms by which they operate is very important. A directive to this effect was issued on February 18, 2010, in accordance with the HITECH Act of 2009.
A HIPAA Business Associate agreement should contain:
Provisions of HIPAA relating to the Business Associate agreement were amended in January 2013. This 2013 amendment significantly changed the nature and scope of Business Associate agreements. There were no issues with the nature and content of a Business Associate agreement, but important amendments were needed because the earlier provision of 2010 had largely included some Covered Entities, such as health care providers, health insurance plans and clearinghouses, and excluded important stakeholders such as lawyers, accountants, and many others who had access to healthcare information. In view of this, some provisions of a Business Associate agreement were changed to expand the scope of those who came to be termed Business Associates, so that these amendments would apply to these excluded groups as well.
Ideally, a Business Associate agreement should explicitly require Business Associates to disclose/implement the following elements to Covered Entities: