What are HIPAA Business Associate Agreements

Business Associate Agreements are contracts executed between a HIPAA covered entity (CE, e.g. a provider) and a third-party “business associate” (BA) who might reasonably have access to ePHI (e.g. an attorney or a transcription service provider). These agreements (or BAAs, as they’re called) specify the security and privacy responsibilities between the CE and the BA.

Why is that important? For a couple of reasons:

  • It’s Federal Law. In the HIPAA Security Rule (§ 164.308(b)(1)), BAAs are required to be executed between all CEs and BAs.
  • Liability Reduction. In the event of a data breach, you’ll want specific stipulations between the CE and the BA to determine who was responsible for the breach. Without a BAA, the CE will share that liability with the BA.
  • Patient Protection. Protecting a patient’s medical records is of paramount importance to the CE; you should probably make sure that the BA feels the same way.
  • Best Practice. Agreements like this are extremely common outside of healthcare, and are usually referred to as “vendor agreements.” This is a standard practice that all businesses who use IT should follow.

With the BAA in place, your obligations don’t end there. You must ensure that your BAs are performing their own due diligence in the protection of ePHI. While HIPAA does not require the CE to monitor the actions of the BA, the CE still must include the BA in their own risk assessments. These must be maintained routinely.

The passage of the Omnibus Rule also enhanced the “transitive” property of HIPAA. All BAs – and ePHI-processing contractors of BAs – are subject to the full scope of HIPAA. This notably includes medical billing & transcription companies and attorneys, as well as anyone they work with who has any kind of access to the ePHI they might store. Furthermore, the contractors of the original BA must have an agreement at least as restrictive as the original BA’s agreement.

Special note on “agency”: Regardless of your BAA, you may also be subject to additional liabilities due to the “law of agency.” If your BA is allowed to act on your behalf, the BA may be considered an “agent” of the CE and may share liabilities outside of the BAA. This is worth noting for those practices that are part of larger networks (e.g. ACOs).

For the CEs: you NEED to protect yourself with these agreements. Whatever you do, do NOT simply download a template and sign it. You need to understand what you’re signing, impose strict limitations on the use of the ePHI, and draw a strict delineation of liabilities between CE and BA. You should definitely seek the help of an attorney in these matters.