Business Associate Agreement: When and Why You Need It?
Business associate agreements are essential from both a legal and a business perspective, but many organizations don't realize how significant entering into a BAA is until they have a problem. It's important to understand what a business associate agreement is and its role in protecting both parties if a breach occurs. Read on to learn more about BAAs and their significance.
What is a business associate agreement? Who needs to sign a business associate agreement?
Business associate agreements are common in the healthcare industry. A BAA is a written contract between a covered entity (such as a healthcare provider) and a partner that creates, receives, maintains, or transmits the covered entity's PHI (protected health information) on its behalf. The agreement spells out the responsibilities of both the covered entity and the outsourced company for handling PHI. Because both parties are responsible for protecting PHI, putting a BAA in place is in the interest of both. To form effective partnerships, you must first understand what the purpose of a business associate agreement is.
Who are covered entities?
To understand what a business associate agreement is, you should know which organizations are covered entities. Essentially, they are the organizations directly subject to HIPAA. The HIPAA rules define covered entities as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with transactions for which HHS has adopted standards (claims, eligibility checks, and the like). Researchers are covered entities too if they are healthcare providers who transmit health information electronically in connection with such transactions.
Examples of covered entities:
- Health insurance providers and other health plans
- Medicare and Medicaid programs
- Healthcare clearinghouses
- Healthcare providers (hospitals, physicians, clinics) that bill or exchange data electronically
Who are business associates?
HIPAA defines a business associate as any person or organization, other than a member of the covered entity's own workforce, that creates, receives, maintains, or transmits protected health information while performing a function or service on behalf of a covered entity. When drafting contracts, you need to classify each partner correctly, because that classification determines which HIPAA obligations apply to the relationship. A vendor that never touches PHI needs no BAA at all, whereas a vendor that stores or processes PHI must sign one and is directly accountable for the Security Rule.
Examples of business associates:
- Accounting firms
- Cloud vendors
- Medical equipment service companies
- File sharing service vendors
- IT companies
Since the 2013 Omnibus Rule, these groups are directly subject to the HIPAA Security Rule and to the Privacy Rule provisions that apply to business associates, even though they are not covered entities themselves. The Department of Health and Human Services (HHS) allows them to use and disclose PHI only as permitted or required by their business associate agreement or as required by law, and only in order to perform the services the covered entity has engaged them for. They may not use the PHI for their own purposes. For example, a business associate can't use a healthcare facility's PHI to send emails promoting its own brand.
Who are subcontractors?
A subcontractor is a third party engaged by a business associate to create, receive, maintain, or transmit PHI on the business associate's behalf. Under the Omnibus Rule, such a subcontractor is itself a business associate and is liable under the same regulations. The business associate must sign its own BAA with the subcontractor that imposes the same restrictions and conditions as the upstream agreement, so the obligations flow down the whole chain. When considering who needs to sign a business associate agreement, hold all subcontractors to the same standards as your direct partners.
What is considered PHI?
Under HIPAA, PHI is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or by a business associate of a covered entity. PHI can be in any form, including paper files, electronic records, and spoken information. In short, health information is PHI if it is combined with identifiers that can be linked to a specific person; information that has been properly de-identified is not PHI. HIPAA lists 18 such identifiers, including names, dates (other than year) related to an individual, phone numbers, Social Security numbers, addresses, medical record numbers, and full-face photographs, and all of them must be handled with care.
Why are business associate agreements necessary?
Once you understand what a business associate agreement is, you should know why they are essential in the industry. Because of the increasing complexity of modern healthcare, most covered entities have to outsource certain operations to outside companies, which then become business associates.
Although business associates are now directly accountable under HIPAA, the Privacy Rule still requires the covered entity to obtain written, satisfactory assurances, in the form of a BAA, that the business associate will safeguard the PHI of the covered entity's patients. A covered entity that discloses PHI to a vendor without a BAA in place is itself in violation, and organizations on both sides can face substantial penalties, from fines to the end of their business.
Creating a BAA
The contract must describe the permitted and required uses and disclosures of PHI and state that the business associate will not use or disclose the information in any other way. When creating a BAA, include the safeguard and reporting obligations that protect you from liability if the business associate causes a breach. A standard business associate agreement contains terms and provisions that spell out what can and cannot be done with your patients' information.
Signing a BAA
Business associate agreements are a critical part of complying with HIPAA (the Health Insurance Portability and Accountability Act), because the Privacy Rule only allows a covered entity to share PHI with an outside organization after obtaining written, satisfactory assurances that the organization will protect the information.
Signing a BAA is in the best interest of all parties, since the HHS Office for Civil Rights can audit business associates and their subcontractors for HIPAA compliance just as it audits covered entities. The contract protects both partners in case of a breach of PHI, so it's important to ensure that everyone who handles PHI signs one. Once you know what a business associate agreement is, you can readily identify which parties need to sign.
Proper tracking and management
One of the best defenses against breaches is thorough tracking and management of business associate relationships. Yet many organizations handle this work inconsistently or underestimate its importance.
To track and manage your BAAs, your organization must maintain an inventory that identifies which vendors are and are not business associates or business associate subcontractors, confirms that a current agreement is on file for each one, records the date each contract was signed, and verifies that each agreement contains the HIPAA-required provisions. HIPAA does not prescribe a review interval, but an effective management program reviews each agreement at least annually and whenever the vendor's services or data access change.
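The inventory checks described above can be automated against a vendor register. The following is an added example, not code from the original article or from any vendor product: it runs a constructed vendor inventory through the three checks (PHI handled without a BAA, review overdue, PHI-handling subcontractor without a flow-down agreement). The field names, the one-year review cadence, and the sample vendors are assumptions for illustration.

```python
"""Business-associate inventory check (added example with constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Annual review is a policy choice recommended above, not a HIPAA-mandated interval.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Subcontractor:
    name: str
    handles_phi: bool
    # Date of the BAA between the business associate and this subcontractor (flow-down).
    flow_down_baa_signed: Optional[date]


@dataclass
class Vendor:
    name: str
    handles_phi: bool                 # creates/receives/maintains/transmits PHI for us
    baa_signed: Optional[date]        # date our BAA with the vendor was signed
    last_reviewed: Optional[date]     # date we last reviewed the agreement, if ever
    subcontractors: List[Subcontractor] = field(default_factory=list)


def check_inventory(vendors: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Return (vendor name, finding) pairs; an empty list means no gaps found."""
    findings: List[Tuple[str, str]] = []
    for v in vendors:
        if not v.handles_phi:
            continue  # not a business associate, so no BAA is required
        if v.baa_signed is None:
            findings.append((v.name, "PHI handled but no BAA on file"))
            continue  # nothing further to review until an agreement exists
        # The review clock runs from the later of signing and the last documented review.
        last = max(d for d in (v.baa_signed, v.last_reviewed) if d is not None)
        if today - last > REVIEW_INTERVAL:
            findings.append((v.name, f"BAA review overdue (last {last.isoformat()})"))
        # Obligations must flow down: every PHI-handling subcontractor needs its own BAA.
        for s in v.subcontractors:
            if s.handles_phi and s.flow_down_baa_signed is None:
                findings.append(
                    (v.name, f"subcontractor {s.name} handles PHI without a flow-down BAA")
                )
    return findings


# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Cloud hosting vendor", True, date(2023, 1, 15), date(2024, 2, 1),
           [Subcontractor("Backup storage provider", True, None),
            Subcontractor("Hardware courier", False, None)]),
    Vendor("Billing service", True, date(2022, 3, 10), None),
    Vendor("Office supplies", False, None, None),
    Vendor("Transcription service", True, None, None),
    Vendor("Email gateway", True, date(2023, 9, 1), None),
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed inventory."""
    return check_inventory(SAMPLE_VENDORS, TODAY)


if __name__ == "__main__":
    for vendor, finding in run_sample():
        print(f"{vendor}: {finding}")
```

A clean run of this check is evidence that agreements exist and are current, not that they are adequate: the content of each BAA still has to be compared against the provisions HIPAA requires, which is the subject of the provision requirements section below.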
Termination of business associate agreement
Business associate agreements are typically terminated in cases of material violations or breaches. For example, a business associate might use PHI to send out advertisements promoting its own services without the covered entity's knowledge. Here it's in the covered entity's interest to end the arrangement. Upon termination of a business associate agreement, the business associate must return or destroy all PHI it received from, or created on behalf of, the covered entity, if feasible. Where return or destruction is not feasible (for example, because of a legal retention requirement), the agreement must require the business associate to extend the protections of the BAA to the retained PHI and limit further uses to the purposes that make return or destruction infeasible.
HIPAA provision requirements
HIPAA requires certain provisions to be included in every business associate agreement.
Each agreement must include provisions that cover:
- Permitted and required uses and disclosures of PHI
- A commitment not to use or disclose PHI in any other way, with appropriate safeguards to prevent violations
- Compliance with the HIPAA Security Rule for electronic PHI
- Reporting of unauthorized uses and disclosures, including breaches of unsecured PHI
- Agreements with subcontractors that impose the same restrictions and conditions
- Individuals' right of access to their PHI
- Amendments to PHI
- Information needed for an accounting of disclosures
- Compliance with the Privacy Rule when the business associate carries out a duty delegated by the covered entity
- Records available to the Secretary of Health and Human Services
- Return or destruction of PHI at termination
- Termination provisions allowing the covered entity to end the contract for a material violation
It is critical to include the HIPAA-required provisions in your document; otherwise, it will offer you little or no protection if your partner misuses your patients' identifying data, and the agreement itself will not satisfy HIPAA. One way to ensure that you include all of the necessary terms is to draft from a vetted template in a contract management platform and check each agreement against the list above.
New business associate agreement requirements
The 2013 HIPAA Omnibus Rule changed how business associates are expected to uphold PHI security. The covered entity must obtain satisfactory assurances that the business associate will take proper precautions to safeguard the PHI it receives from the covered entity, and those assurances must be in writing, either as a contract or as another arrangement between the covered entity and the business associate. Business associates are now directly liable under HIPAA and can face the same penalties as the covered entity if PHI is compromised in a healthcare data breach.
What happens if a business associate or their subcontractor discloses PHI?
When you don't understand what a business associate agreement is, you are more vulnerable to contractual breaches. All parties could face serious ramifications if a business associate or its subcontractor violates the terms of the agreement. Because business associates and subcontractors are directly liable under HIPAA, an impermissible use or disclosure of PHI can expose them to penalties, and a covered entity that knew of the violation and did nothing can be penalized as well.
What should a covered entity do if their business associate violates a BAA?
When a covered entity learns that a business associate or subcontractor has violated the BAA, it must take reasonable steps to cure the violation or end it. Many breaches are accidental, so agreements typically give the business associate a chance to fix the problem. If the cure fails, the covered entity must terminate the contract where feasible. Separately, any breach of unsecured PHI resulting from the violation must be handled under the HIPAA Breach Notification Rule, including notification to the affected individuals and to HHS.
Standard business associate agreement templates
Companies that don't understand what a business associate agreement is often include extra provisions that are unnecessary for compliance and undesirable for legal and business reasons. This is why standardized, pre-approved BAA templates are helpful to many organizations.
When an organization is required to use a form other than its pre-approved template, or when the business associate requests changes to the template, we recommend that a qualified attorney review the changes. Many services offer pre-made BAA templates that can be adapted to your specific needs, making it easier than ever to draft a HIPAA-compliant BAA.
Using smart contract software to manage business associate agreements
No one enjoys creating, signing, and managing business associate agreements, although many of us need to do it daily. BAAs are often dense and technical, but they are essential from both a legal and a business perspective. One practical way to deal with them is contract management software, which streamlines drafting, signing, and tracking each BAA and helps you and your business associates avoid the accidental lapses that lead to breaches and heavy legal penalties.
Even if you don’t completely understand what a business associate agreement is, management software allows you to still create effective contracts. So, if you want to simplify your BAA processes but don’t want to overlook any important details, using a smart contract management platform is the way to go.