What are HIPAA Business Associate Agreements? Business Associate Agreements are contracts executed between a HIPAA “covered entity” (e.g. a provider) and a third party “business associate” with access to ePHI (e.g. an attorney or a transcription service provider). These agreements (or BAAs as they’re called), specify the security and privacy responsibilities between the covered entity (CE) and the business associate (BA).

Attention on why this is important…

• It’s Federal Law. In the HIPAA Security rule (§ 164.308(b)(1)), BAAs are required to be executed between all CE’s and BAs.
• Liability Reduction. In the event of a data breach, you’ll want specific stipulations between the CE and the BA to determine who was responsible for the breach. Without a BAA, the CE will share that liability with the BA.
• Patient Protection. Protecting a patient’s medical records is of paramount importance to the CE; you should probably make sure that the BA feels the same way.
• Best Practice. Agreements like this are extremely common outside of healthcare, and are usually referred to as “vendor agreements.” This is a standard practice that all businesses who use IT should follow.

With the BAA in place, your obligations don’t end there. You must ensure that your BAs are performing their own due diligence in the protection of ePHI. While HIPAA does not require the CE to monitor the actions of the BA, the CE still must include the BA in their own risk assessments. These must be maintained routinely.

Enhancement with the Omnibus Rule

The passage of the Omnibus Rule also enhanced the “transitive” property of HIPAA. All BAs – and ePHI-processing contractors of BAs – are subject to the full scope of HIPAA. This notably includes medical billing & transcription companies, attorneys, and any colleagues with access to ePHI . Furthermore, the contractors of the original BA must have an agreement at least as restrictive as the original BA’s agreement.

Special note on “agency”: Regardless of your BAA, you may also be subject to additional liabilities due to the “law of agency.” If your BAA is allowed to act on your behalf, the BA may be considered an “agent” of the CA and may share liabilities outside of the BAA. This is worth noting for those practices that are part of larger networks (e.g. ACOs).

Conclusion

For the CE’s you NEED to protect yourself with these agreements. Whatever you do, do NOT simply download a template and sign. You need to understand what you’re signing and impose strict limitations on the use of the ePHI and strict delineation of liabilities between CE and BA. You should definitely seek the help of an attorney and a certified security expert in these matters. If you or your organization need help to start designing, engineering and/or implementing a HIPAA business associate agreement, schedule a free consultation with one of our cyber security experts.