Juggling schedules, providing care, managing day-to-day operations: a great deal goes into running a healthcare organization.
Luckily, third-party vendors can help relieve some of the burden on your team so they can focus on what matters most. But using third-party organizations and tools often means sharing protected health information, or PHI.
So how do you safely use tools and resources while maintaining HIPAA compliance?
The answer’s simple: Business Associate Agreements.
Business Associate Agreements (BAAs) are a type of contract mandated by HIPAA to protect PHI when shared with a third party.
Sometimes referred to as Business Associate Contracts, BAAs are a crucial part of becoming HIPAA compliant, and creating effective ones takes care.
Below, we dig into why you need BAAs and how to create them.
A business associate is any individual, vendor, or organization that comes into contact with a healthcare organization's PHI. Business associates work with covered entities to perform services such as storing and processing PHI.
Because a business associate handles PHI, it is just as responsible for protecting patient health care data as a covered entity.
Examples of business associates include:
If a covered entity outsources the handling of PHI to a third party, HIPAA requires that the third party provide assurances that it will protect the PHI. To document those assurances, the business associate must enter into a BAA with the covered entity.
A BAA is a legally binding agreement between a covered entity and a business associate that ensures the protection of PHI. These agreements are mandated by the HIPAA Security Rule.
The agreement must clearly define what a third party can and can’t do with PHI, as well as the consequences for noncompliance with the agreement.
Both covered entities and business associates benefit from entering into a BAA. These agreements remove the guesswork of how to handle PHI.
Any business associate that handles PHI for a covered entity needs to complete a BAA. BAAs are also required if a business associate uses a subcontractor that will handle the PHI shared by a covered entity.
A covered entity’s internet service providers and courier service partners are not considered business associates and do not need to complete a BAA.
A covered entity’s employees are also not considered business associates. However, employees working for a covered entity still fall under the jurisdiction of HIPAA. This means the covered entity must provide HIPAA training for all employees on the proper handling and protection of PHI.
We always recommend clarifying any specifics with your legal department to ensure your BAAs cover all necessary topics.
HIPAA outlines a few essential topics to cover within a BAA.
We’ve created a business associate agreement example to help as you create your own.
Remember that there’s more to creating a BAA than filling in the blanks. Use this template as a starting point and customize it as needed to fit your agreement.
When a BAA is violated, the covered entity must take steps to address the breach or end the violation caused by a business associate. If these steps are unsuccessful, the covered entity must terminate the contract to safeguard PHI.
Even if a breach is caused by a business associate, both parties share the responsibility to address the breach. Those responsibilities may include:
The U.S. Department of Health and Human Services (HHS) has the right to audit covered entities, business associates, and subcontractors at any time.
If the HHS discovers a business to be noncompliant with HIPAA, that business may face legal and financial consequences.
If there’s no BAA in place, both parties may find themselves on the hook for HIPAA penalties — not just the business that caused the violation.
For this reason, BAAs are critical not only for ensuring all third parties handle PHI safely, but also for protecting your own organization from HIPAA violations.
Common BAA failures on the part of business associates include:
As mentioned, failure to create and comply with BAAs can result in legal and financial consequences.
HIPAA noncompliance can result in two categories of penalties: civil and criminal. The penalties can include fines, corrective action plans, or even jail time.
HIPAA penalties range in severity based on the nature of the offense and the knowledge the offender had of the violation.
Business associate agreements serve as a line of defense that protects not only patient information but also your organizational liability.
There are many factors to consider when creating ironclad BAAs. Our team of experts is well-versed in creating BAAs that satisfy the rigorous requirements of HIPAA.
To find out how Secureframe can streamline your HIPAA compliance, request a demo with our team today.
What is a HIPAA Business Associate Agreement?
A HIPAA Business Associate Agreement (BAA) is a contract between a HIPAA-covered entity and a business associate (or between two business associates) that outlines the protective measures that must be put in place to safeguard Protected Health Information (PHI) under HIPAA regulations.
The BAA must specify the permitted and required uses of PHI by the business associate, ensure that the business associate will not use or disclose the PHI other than as permitted or required by the contract or as required by law, and require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information.
How often do business associate agreements need to be renewed?
A BAA lasts for as long as the vendor contract between the covered entity and business associate lasts. These agreements do not need to be signed on a recurring basis and are effectively evergreen documents.
However, it is considered best practice to review BAAs on a regular schedule to make sure the information is current and reflects any changes to HIPAA or state laws.
When adjustments are made to the use or disclosure of PHI for business associates, be sure to have both parties sign and date to acknowledge the update.
If, as a Business Associate, I share ePHI with other companies, do I need to sign an agreement with them?
Yes, business associates are required to enter into an agreement with any subcontractor that will create, maintain, transmit, or receive PHI from the business associate. These agreements are known as subcontractor BAAs.
HIPAA requires business associates to ensure that any subcontractor with access to PHI agrees and adheres to the same restrictions and conditions outlined in the original covered entity/business associate agreement.
What is the difference between a BAA and an NDA?
A BAA is a legally binding agreement that a HIPAA-covered entity and a business associate must enter into to protect PHI. It is mandated by the HIPAA Security Rule. An NDA is also a legally binding agreement — however, it is not required by HIPAA and it is not entered into to ensure the protection of PHI. This type of agreement can be made between many types of entities and individuals in order to ensure the signer keeps certain information confidential.
Who needs a Business Associate Agreement?
A Business Associate Agreement is required between a HIPAA-covered entity (like healthcare providers, health plans, and healthcare clearinghouses) and a business associate. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI.
If a business associate subcontracts with another entity to perform work that involves PHI, a BAA is also required between the business associate and the subcontractor.