Comply With Us

Business Associate Agreements, Who Knew? Many Don’t.

October 11, 2023

Deep within the confines of all that is compliance lies the Health Insurance Portability and Accountability Act (HIPAA). Often referred to, rarely read, and understood by few, HIPAA was enacted in 1996 with the primary purpose of protecting a patient’s sensitive information from disclosure without the patient’s consent or knowledge.

The HIPAA Privacy Rule was issued to implement the requirements of HIPAA. The Privacy Rule addresses the use and disclosure of individuals’ health information, more commonly known as protected health information, or PHI.

The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A key goal of the Privacy Rule is to ensure that individuals’ health information is protected while allowing the necessary health information to get into the proper hands to ensure high-quality healthcare is delivered. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.

As part of that protection, all Covered Entities are required to have a signed Business Associate Agreement (BAA) with their Business Associates. What is this document, who does it apply to, and is it necessary?

Employers generally need some assistance from a third party to run their business. Outside help makes good business sense but comes with a few concerns, including potential HIPAA violations.

The BAA is a written arrangement that specifies each party’s responsibilities when it comes to PHI. HIPAA requires Covered Entities to work only with Business Associates who can ensure complete protection of PHI. Those assurances must be in writing, as a contract or other agreement between the Covered Entity, the Business Associate, and any subcontractors.

The actual agreement must:

  • Include a description of the permitted and required uses of PHI by the Business Associate.
  • Provide that the Business Associate will not use or disclose PHI other than as permitted or required by the contract or as required by law.
  • Require the Business Associate to use appropriate safeguards to prevent inappropriate use or disclosure of PHI.

As with any of these subjects, a glossary of terms helps in understanding who these regulations and laws apply to. So, let’s define the parties involved.

Covered Entity – An organization that provides a product or service for medical treatment or collects health information about an individual. Some examples of a Covered Entity include physicians, dentists, health insurance carriers, or a health plan.

Business Associate – An organization that creates, receives, maintains, or transmits PHI for a Covered Entity. Some examples include attorneys, accountants, shredding companies, third-party administrators, and brokers/consultants.

Business Associate Subcontractor – An organization that creates, receives, maintains, or transmits PHI on behalf of a Business Associate. Examples include email encryption providers, backup storage services, and attorneys.

Inevitably, there will be an instance where a Business Associate or subcontractor discloses PHI. A failure to meet the requirements of an agreement carries serious ramifications. When there is a breach or a violation of a BAA, the Covered Entity must take reasonable steps to cure the breach or end the violation. If those steps are unsuccessful, the contract or arrangement should be terminated.

Employers should review their BAAs to ensure they comply with the law and are up to date. Some helpful tips include:

  • Expiration date. An expired BAA is the same as not having a BAA at all.
  • Purpose. Business Associate Agreements are drafted to meet three purposes: education, compliance, and enforceability. Employers must take great care to ensure that the agreements satisfy all three. Simply stating that an associate “agrees to follow all applicable laws” may therefore not be enough to meet compliance rules. Do not assume that a Business Associate knows what to do in case of a breach or which security rules must be followed; the BAA should specifically outline the expectations placed on the associate.
  • Breach notifications. Even though the rules now independently apply to Business Associates, a Covered Entity can still run into problems if there is a breach. The BAA needs to specifically explain breach notification procedures, including who conducts investigations, when, and who bears the cost. BAAs also need to account for state laws governing the timing and procedures for reporting breaches.
  • Use of client data. While the laws expressly prohibit any language that would allow the sale of protected health information, many BAAs are drafted to include provisions for the Business Associate’s use of de-identified data. Covered Entities must decide whether they want to allow data to be used this way.

Whether or not you consider BAAs a necessary evil, they are a requirement that shouldn’t be overlooked. There should be no shortcuts when reviewing the document, so that all parties are adequately protected. Breaches have consequences. Covered Entities, employers, and Business Associates should familiarize themselves with BAAs and their uses.

For any questions or concerns, please reach out to MZQ Consulting.