Business Associate Agreement 101
September 25, 2017
Running a business without any help from third parties is difficult, if not impossible. Hiring outside help when you need extra hands or have special needs often makes good business sense. The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI. The HIPAA Omnibus Rule changed how BAs and Business Associate Subcontractors (BAS) can be held liable for potential HIPAA violations. Therefore, it is in the Covered Entity’s and the BA’s best interest to maintain a thorough understanding of their relationship and how they expect one another to secure patient, client, or employee data.
Who is a Business Associate or a Business Associate Subcontractor and what needs to be in the agreement between these businesses? This week, we discuss the requirements of a BA and BAS and the specifics of a Business Associate Agreement (BAA). Before we break down the details of classifying your vendors, take a look at this infographic to get an understanding of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors.
What is a Business Associate Agreement?
A Business Associate Contract, or Business Associate Agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI. HIPAA requires Covered Entities to only work with Business Associates who assure complete protection of PHI. These assurances have to be in writing in the form of a contract or other agreement between the Covered Entity and the BA.[1]
HHS can audit BAs and Subcontractors for HIPAA compliance, not just Covered Entities. This means that organizations must have a BAA for all three levels in order to meet the requirements of HIPAA. It’s in both of your best interests to have an agreement since all three classifications are responsible for protecting PHI.
The Business Associate/Subcontractor Agreement must include the following information, according to HHS:
- A description of the permitted and required uses of PHI by the Business Associate/Subcontractor
- A provision that the Business Associate/Subcontractor will not use or further disclose PHI other than as permitted or required by the contract or as required by law
- A requirement that the Business Associate/Subcontractor use appropriate safeguards to prevent inappropriate use or disclosure of PHI
Once Covered Entities, Business Associates, and Business Associate Subcontractors have identified their relationship with one another, it is necessary to ensure that any third parties will guard the PHI they receive. A signed agreement documents that the BA knows it must handle PHI safely.
Understanding Who Your Business Associates and Business Associate Subcontractors Are
Who are Your Business Associates?
You need to be able to identify the classification of your workforce before you know what HIPAA requires. As defined by the Health Information Portability and Accountability Act (HIPAA), a Business Associate is any organization or person working in association with or providing services to a Covered Entity who generates, handles, or discloses Protected Health Information (PHI).[2]
Potential Business Associates are people or companies like:
- Accounting or consulting firms
- Cloud vendors
- Consultants hired to conduct audits, perform coding reviews, etc.
- Medical equipment service companies handling equipment that holds PHI
- Translator services
- Shredding services
- File sharing vendors
- Information Technology vendors
According to HHS, Covered Entities may only disclose PHI to an entity to help carry out its healthcare functions, not for the Business Associate’s independent use or purposes.[1] For example, a Business Associate/Subcontractor cannot use the PHI from the Covered Entity for its own email campaign.
Who are Business Associate Subcontractors?
A Business Associate Subcontractor is a person or entity to which a Business Associate delegates a function, activity, or service.[3] While a Covered Entity receives help from Business Associates, BAs employ their own help. HIPAA refers to these people and companies as Business Associate Subcontractors. Similarly, Business Associates must have a Business Associate Subcontractor Agreement with their BASs. The BA and BAS Agreements are almost identical; the primary difference is how each party is defined and categorized.
Who is not considered a Business Associate/Subcontractor?
Business Associate/Subcontractor exceptions include, but are not limited to, the following examples considered ‘conduits’ for PHI:[1]
- Internet Service Providers
- US Postal Service
- Other courier services
Contractors and Confidentiality Agreements
Contractors working exclusively for your company, individuals with other clients, and workers hired through a business are not Business Associates. However, your company is responsible if one of these individuals breaches PHI.
For these types of employees who are not Business Associates, Total HIPAA recommends this: If the “employee” is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate policies and procedures for privacy and security like a BA or BAS. It is meaningless to ask them to sign a BAA or a Subcontractor BAA because they will not have the compliance infrastructure required by HIPAA.
Instead, ask them to sign a confidentiality agreement. We include these items in the confidentiality agreements we provide for our clients:
- The type of information the agreement covers
- The types of information that cannot be copied or modified
- A requirement that information be returned upon the employer’s request
- Disciplinary action for persons responsible for a breach of confidential information
Additionally, we recommend that the entity include these individuals in all training activities.
What Happens If My Business Associate/Subcontractor Discloses PHI?
Finally, a Business Associate/Subcontractor’s failure to meet the requirements of an agreement could result in substantial ramifications:
“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”[4]
When a Business Associate/Subcontractor breaches or violates a BAA, the Covered Entity must take reasonable steps to cure the breach or end the violation. “If such steps are unsuccessful, they must terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a Covered Entity is required to report the problem to HHS Office for Civil Rights.”[1]
How can Total HIPAA help me with my Employees, Contractors, Business Associates, and/or Business Associate Subcontractors?
In conclusion, Total HIPAA offers a comprehensive solution for each and every relationship your organization has. From award-winning HIPAA training to contracts and agreements, we can service your needs so that you’ve protected your business. HIPAA compliance isn’t a suggestion – it’s the law. Call us today at 800.344.6381.