The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Business Associate Agreement

A HIPAA Business Associate Agreement is most often a contract between a HIPAA covered entity and a business or individual that performs certain functions or activities on behalf of, or provides a service to, the covered entity when the function, activity, or service involves the creation, receipt, maintenance, or transmission of Protected Health Information (PHI) by the business or individual.

This article aims to help you understand how to engage with business associates in a HIPAA compliant way and what needs to be in your HIPAA Business Associate Agreement. You can use this guide in conjunction with our HIPAA Compliance Checklist for Business Associates.

Outsourcing to a Business Associate

A HIPAA covered entity is a healthcare provider, health care clearinghouse, or health plan that conducts transactions covered by the HIPAA standards in 45 CFR Part 162.

When a covered entity outsources functions, activities, or services to a third party that is not a member of the covered entity's workforce and is not a party excluded by the Administrative Simplification Regulations, and the outsourced function involves a disclosure of PHI, the third party is known as a business associate.


Before disclosing PHI to a business associate, a covered entity must enter into a HIPAA Business Associate Agreement with the business associate (also known as a HIPAA Business Associate Contract or Addendum).

The contract should establish the permissible uses and disclosures of PHI by the business associate, how the business associate will support patients’ Privacy Rule rights, and the responsibilities of both parties to maintain the privacy and security of PHI.

Subcontractors Of Business Associates

Since the passage of the HITECH Act and the incorporation of relevant provisions into HIPAA via the HIPAA Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA.

This means that if a business associate subcontracts a function, activity, or service to a third party that involves a disclosure of PHI (for example, if the business associate stores PHI in the cloud), an additional – or downstream – HIPAA Business Associate Agreement also must be in place between the business associate and the cloud service provider.

What is a HIPAA-Compliant Business Associate Agreement?

A HIPAA-compliant Business Associate Agreement must establish the permissible uses and disclosures of PHI by the business associate and its subcontractors, how the business associate will support patients' Privacy Rule rights, and the responsibilities of both parties to maintain the security and privacy of PHI. It must also:

  • Stipulate that the business associate will not use or further disclose PHI other than as permitted by the contract or as required by law
  • Require the business associate to implement appropriate safeguards to prevent unauthorized uses or disclosures of the PHI.
  • Require the business associate to report any use or disclosure not provided for by the agreement, including breaches of unsecured PHI
  • Require the business associate to satisfy requests for copies of PHI, amendments to PHI, and accounting of disclosures.
  • Require the business associate to make records available relating to uses and disclosures of PHI in the event of an audit or investigation.
  • Require the business associate to return or destroy PHI received from, or on behalf of, the covered entity at the agreement’s termination.
  • Require the business associate to ensure that any subcontractors with access to PHI agree to the same restrictions and conditions that apply to the business associate
  • Authorize the termination of the contract by the covered entity if the business associate violates any term of the agreement (and vice versa).

Note: Contracts between business associates and their downstream subcontractors are subject to these same requirements.

A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Since the HITECH Act, business associates are directly liable for HIPAA violations and can be fined by HHS' Office for Civil Rights or by State Attorneys General. The Federal Trade Commission does not enforce HIPAA, but it can take separate action against a business associate's data security failures under the FTC Act.


In addition, a HIPAA Business Associate Agreement does not by itself indemnify a covered entity against financial penalties for a breach of PHI attributable to the non-compliance of the business associate.

If a covered entity fails to conduct due diligence to ensure a business associate is HIPAA-compliant prior to entering into an agreement, and a breach of unsecured PHI subsequently occurs, the covered entity may be considered liable for the breach.

Optional Clauses in HIPAA Business Associate Agreements

In addition to the required clauses of a HIPAA Business Associate Agreement, covered entities and business associates can add optional clauses. Optional clauses can be added for many reasons. For example, a covered entity may require that a business associate implements security measures beyond those required by the Security Rule (e.g., multi-factor authentication for all access to ePHI).

Depending on the service being provided for or on behalf of the covered entity, it may also be a condition of the contract that members of the business associate's workforce receive training on applicable Privacy Rule standards in addition to the security awareness training mandated by the Security Rule.

It can also be the case that a covered entity is subject to state laws that are more stringent than HIPAA and therefore not preempted by it (e.g., Texas), or to federal laws with additional data protection requirements (e.g., the FTC's Identity Theft Prevention Red Flags Rule). In such cases, the covered entity may include optional clauses that account for the more stringent privacy and security regulations.

“One-size-fits-all” Business Associate Agreements prepared by large software companies can also include optional clauses. For example, the Microsoft BAA includes a clause that excuses it from responding to patients’ access and amendment requests because PHI is not stored (by Microsoft) in designated record sets.

Similarly, AWS’ Business Associate Addendum includes a clause stipulating that AWS’ compliance obligations are conditional on the in-scope services covered by the Addendum being configured correctly by the customer, that audit logging is enabled, and that all PHI placed into the AWS Cloud is encrypted.
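The encryption condition described above is typically met on the customer side by configuration rather than by contract language. The following S3 bucket policy is an added illustration, not text from this article or from AWS's Business Associate Addendum; the bucket name `example-phi-bucket` is hypothetical. It denies any object upload that does not request server-side encryption and denies any request that does not arrive over TLS, so PHI cannot be written to the bucket unencrypted at rest or in transit even if an application is misconfigured:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-phi-bucket",
        "arn:aws:s3:::example-phi-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```

The first statement uses the `Null` condition operator, so a `PutObject` request is refused whenever the `x-amz-server-side-encryption` header is absent; S3 now applies SSE-S3 by default to new objects, so the practical value of the statement is to force callers to state an encryption method explicitly (for example SSE-KMS with a customer-managed key) rather than rely on the default. A bucket policy covers only this one service and only the encryption condition; the list of in-scope services, the audit logging requirement, and any other conditions must be taken from the current version of AWS's Addendum itself.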

Other optional clauses can require business associates to be liable for the covered entity’s costs of responding to and recovering from a data breach if the security incident is attributable to the business associate’s “failure to perform, negligence, willful misconduct, or breach of obligations under the HIPAA Business Associate Agreement”.

HIPAA Business Associate Examples

The HHS web page relating to business associates lists several HIPAA business associate examples, but it is important to note that most of these third-party service providers are only business associates if PHI is shared with or disclosed to the third party for a service the third party is providing for the covered entity.

For example, HHS' list includes an attorney whose legal services to a health plan include access to PHI. If the attorney does not have access to PHI, they are not a business associate, and no HIPAA Business Associate Agreement is required. The same applies to the example of an accounting firm providing services to a healthcare provider.

More relevant HIPAA business associate examples can be found by looking at a covered entity's day-to-day operations and identifying which outsourced services may involve a disclosure of PHI. For example, if healthcare teams share PHI over collaboration tools such as Google Workspace, Google is a business associate, and a HIPAA Business Associate Agreement is required.

Other potential HIPAA business associate examples include:

  • Amazon Web Services if (for example) PHI is stored in the cloud.
  • Vendors of E-prescribing software
  • Third-party PHI disposal services
  • Freelance medical transcriptionists
  • Outsourced IT consultants and engineers
  • Vendors of password managers
  • Medical answering services
  • Managed Service Providers (MSPs)
  • Print and Mailing Services

Definitions and Exclusions Cause the Most Issues

Covered entities can be fined for not having a HIPAA Business Associate Agreement in place, or for having an incomplete agreement in place, even though the HIPAA Omnibus Final Rule (78 FR 5574) makes clear that business associates are obliged to comply with the HIPAA Security Rule even if no HIPAA Business Associate Agreement is executed. These fines can be issued even if no further HIPAA violation occurs.

The issue for many covered entities is they are not always sure to whom a HIPAA Business Associate Agreement applies. HHS defines a business associate as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

However, exclusions to this definition exist (see 45 CFR 160.103), and the scope of a covered entity's relationship with a business associate may change over time. Note too that a covered entity can be a business associate of another covered entity if it performs functions, activities, or services for that entity that involve the disclosure of PHI.

Exclusions and exemptions that cause the most issues include:

  • When a healthcare provider employed by a Covered Entity refers a patient to an external healthcare provider and shares PHI with the external healthcare provider for the purpose of treating the patient.
  • When PHI is disclosed by a hospital to an external laboratory, or when a hospital laboratory discloses PHI to a reference laboratory, when the purpose of the disclosure of PHI is to treat a patient.
  • When a healthcare provider discloses PHI to a health plan to support an eligibility check, a request for authorization, a claim or payment, or any other Part 162 transaction (or when the reverse happens).
  • When a conduit such as the Postal Service, DHL, or FedEx has access to PHI in the delivery of a service, and when a financial institution processes a payment for healthcare or health insurance premiums.
  • When units of an Organized Health Care Arrangement (OHCA) disclose PHI to each other for the joint health care activities of the OHCA or (for example) when a group health plan purchases insurance from an HMO.


Common Covered Entity Business Associate Agreement Failures

Insisting Every Contractor Signs a BAA

Some covered entities have taken a “better-safe-than-sorry” approach to address their definition issues, and have executed agreements with all entities they have business relationships with – whether they were required or not.

Recent research funded by the California Healthcare Foundation (CHF) found many covered entities were entering into agreements with other covered entities unnecessarily or were also entering into agreements with third-party service providers who had no access to PHI and were never likely to. In one case, a covered entity required its landscaper to sign a HIPAA Business Associate Agreement.

Assuming a Signed BAA Means Compliance with HIPAA

During the research, CHF found many covered entities were neglecting their due diligence obligations and were failing to obtain “satisfactory assurances” that the business associate they were sharing PHI with was HIPAA-compliant. Instead, they restricted their investigative efforts to “high-risk” IT vendors and only ensured they had mechanisms in place to protect stored and electronically transmitted PHI.

Fewer still audited business associates to ensure compliance with HIPAA. Only a small minority asked to see evidence of risk assessments and policies and procedures covering breaches of unsecured PHI. These failures could see the covered entity fined for violating HIPAA, even when no other HIPAA violation or breach of unsecured PHI occurs.

Failing to Understand “In-Scope” Services

When a covered entity or business associate enters into a HIPAA Business Associate Agreement with (for example) a cloud service provider, the covered entity or business associate is only allowed to create, receive, store, or transmit PHI using “in-scope” or “eligible” services that the cloud service provider has included in a service agreement.

If a covered entity enters into a Business Associate Agreement with (say) Google for its “in-scope” Workspace services, but fails to implement the necessary safeguards to prevent workforce members from disclosing PHI via personal Gmail accounts, the covered entity is in violation of HIPAA despite having a Business Associate Agreement in place with Google.

Not Having a HIPAA Business Associate Agreement for Companies Through Which ePHI Passes

Even when PHI is not disclosed to a company (because the company is not performing a function, activity, or service for a covered entity), PHI might pass through its systems: for example, if ePHI is sent from a covered entity to a business associate via Outlook 365. In this example, because ePHI has passed through and is retained on its systems, Microsoft would be classed as a business associate to the covered entity. This applies even when a service has "no view" access to PHI, i.e. it stores or transmits ePHI that its staff cannot read.

There are exceptions for companies that act as mere conduits through which ePHI passes (for example the Postal Service; see the conduit exception). The Postal Service does not store PHI other than on a temporary basis incident to the transmission service, whereas copies of emails sent via Outlook 365 are retained on Microsoft's servers. Most cloud service providers and software vendors have this kind of "persistent access" to ePHI and are business associates under HIPAA.


Common Failures by Business Associates and Their Subcontractors

HIPAA Compliance Means More Than the Encryption of PHI

Encrypting all ePHI that a business associate stores or transmits is an important safeguard, but encryption alone is insufficient to ensure HIPAA compliance. The Security Rule also requires other technical safeguards (such as access controls and audit controls), physical safeguards to ensure systems holding ePHI cannot be accessed by unauthorized individuals, and administrative safeguards such as a documented risk analysis, policies and procedures, and workforce training.

Failing to Enter into a HIPAA Business Associate Agreement with Subcontractors

The HIPAA Business Associate Agreement ensures there is a chain of custody for PHI. A business associate of a covered entity must enter into a contract with the covered entity, and a subcontractor used by a business associate is also required to enter into such a contract.

A subcontractor is a downstream business associate of a business associate and the terms of the top-level HIPAA Business Associate Agreement are not automatically applied. In these cases, a separate contract must be signed with the subcontractor before access to PHI is allowed. The downstream chain can be long and, the further away from the covered entity ePHI travels, the greater potential there is for HIPAA Business Associate Agreement violations.

Failing to Consider Appropriate Timeframes for Individuals’ Requests

In the context of a long downstream chain, it is important to consider the steps an access request or amendment request may have to go through before it is resolved. For example, if a chain consists of five downstream business associates, and each HIPAA Business Associate Agreement between the five parties allows ten days to respond to an upstream access request, the total amount of time it takes to resolve a patient access request could be longer than the 30 days allowed by the Privacy Rule.

Business Associate Agreement Template Failures

There are many Business Associate Agreement templates available, but care should be taken before they are used. Before using such a template, it is important to check for whom that template has been designed to make sure it is relevant. It should also be customized as necessary to include all of the requirements stipulated by the covered entity.


Financial Penalties for HIPAA Business Associate Agreement Failures

HHS’ Office for Civil Rights (OCR) has issued many financial penalties for HIPAA Business Associate Agreement failures. During investigations of data breaches and complaints, OCR found that the following covered entities had failed to enter into a HIPAA-compliant Business Associate Agreement with at least one third-party service provider. This was either the sole reason for the financial penalty or the HIPAA Business Associate Agreement failure that contributed to the severity of the financial penalty.

Year   Covered Entity                                    Financial Penalty
2018   Pagosa Springs Medical Center                     $111,400
2018   Advanced Care Hospitalists                        $500,000
2017   The Center for Children's Digestive Health        $31,000
2016   Care New England Health System                    $400,000
2016   Oregon Health & Science University                $2,700,000
2016   Raleigh Orthopaedic Clinic, P.A. of North Carolina $750,000
2016   North Memorial Health Care of Minnesota           $1,550,000


HIPAA Business Associate Agreement FAQs

What is a Business Associate Agreement?

A Business Associate Agreement is a contract between a covered entity and a business associate that stipulates the permissible uses and disclosures of PHI shared by the covered entity with the business associate and provides that the business associate will not further disclose PHI except as permitted by the contract, will use appropriate safeguards to protect the confidentiality, integrity, and availability of PHI, and will comply with requests for access to, amendment of, and an accounting of disclosures if required.

When is a Business Associate Agreement required?

A Business Associate Agreement is required whenever a Covered Entity discloses PHI to a Business Associate, including another Covered Entity that is acting as its Business Associate, i.e., performing a function or service on its behalf rather than receiving the PHI for the recipient's own treatment, payment, or health care operations.

Who needs a Business Associate Agreement?

Any organization that performs a service for or on behalf of a HIPAA Covered Entity – that involves the sharing of PHI by the Covered Entity – is required to have a Business Associate Agreement. This includes cloud storage and security services that have “persistent access” to PHI even though the PHI is encrypted and the Covered Entity maintains the decryption key.

What is the purpose of the Business Associate Agreement?

Before the HITECH Act, HIPAA's requirements reached Business Associates only indirectly, through their contracts with Covered Entities: HHS could sanction a Covered Entity for a Business Associate's failures, but not the Business Associate itself, and a Covered Entity that had accepted informal assurances of security in place of documented due diligence had little to show an investigator after a breach.

The HITECH Act closed this enforcement gap by making Business Associates directly liable for compliance, and the Business Associate Agreement documents the obligations each party has accepted. Under §164.504(e), Covered Entities are also required to act if they know of a "pattern of activity or practice" by a Business Associate that constitutes a material breach of the agreement: take reasonable steps to cure the breach or, if that fails, terminate the Business Associate Agreement.

What does a Business Associate Agreement do?

The key things a Business Associate Agreement does are to define the conditions under which PHI is being shared with a Business Associate, stipulate how the PHI can be used, and put in writing that all PHI in the Business Associate's possession at the end of the Agreement must be returned or destroyed. Other provisions may apply depending on the nature of the service being provided.

What must a Business Associate Contract specify?

A Business Associate Contract is another name for a Business Associate Agreement, and the exact nature of its contents can vary depending on the nature of the service being provided for or on behalf of a Covered Entity. However, some components are common to all Business Associate Agreements: the contract states the permissible uses and disclosures of PHI, requires the Business Associate to report security incidents and breaches to the Covered Entity, and, where appropriate, requires it to respond to right of access requests within the permitted time.

As a software vendor, what do I need to do to become a HIPAA-compliant Business Associate?

If your software product or service creates, receives, maintains, or transmits ePHI on behalf of a Covered Entity, you have to ensure policies and procedures are in place to comply with the Privacy, Security, and Breach Notification Rules. This includes conducting and documenting a risk analysis of your computer systems to identify potential security risks and respond accordingly.

If, as a Business Associate, I share ePHI with other companies, do I need to sign an agreement with them?

Assuming you are sharing ePHI with another company to execute the services being provided to a Covered Entity, you will need to sign an agreement with the third party. An example of such a scenario is a software vendor that uses the services of a Cloud Service Provider such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform.

Is it always necessary for third-party service providers to sign an agreement with a Covered Entity?

While it is almost always necessary for a Business Associate to sign an agreement with a Covered Entity when the Business Associate is creating, receiving, maintaining, or transmitting ePHI on behalf of the Covered Entity, a third-party service provider that is not providing a covered service (e.g., a landscaper) is not a Business Associate, and no agreement is required.

What are the exceptions to the requirement to sign a Business Associate Agreement?

There are a few exceptions to the requirement to sign a Business Associate Agreement. These include specialists to whom a hospital refers a patient and transmits the patient’s medical chart for treatment purposes, laboratories to whom a physician discloses the PHI of a patient for treatment purposes, and disclosures of PHI by a group health plan to a plan sponsor such as an employer.

How can a Covered Entity be a Business Associate for another Covered Entity?

Under the Privacy Rule (45 CFR § 164.506), Covered Entities are allowed to disclose PHI to other Covered Entities for treatment, payment, and health care operations without a Business Associate Agreement. When one Covered Entity instead performs a function or service on behalf of another that involves PHI, it is acting as a Business Associate and an agreement is required: for example, if a consultant performed a utilization review for a hospital that involved the disclosure of PHI.

If a physician outsources lab services, does the provider of the lab service have to sign a Business Associate Agreement?

This depends on why the physician is outsourcing the lab service. If the disclosure of PHI is for the treatment of a patient, the transaction is allowable under the Privacy Rule and no Business Associate Agreement is required. However, for any other type of transaction in which PHI is disclosed, an agreement will be necessary.

How frequently should HIPAA Business Associate Agreements be renewed?

Unless an agreement stipulates a termination date, agreements remain valid indefinitely. However, it is a best practice to review agreements at least annually. A Covered Entity should ask for a copy of the Business Associate´s most recent risk assessment, confirm there have been no changes to state or federal laws that would impact the agreement, and check that SLAs are being maintained.

How might changes to state laws impact an agreement covered by a federal law?

HIPAA preempts contrary state laws unless a state law provides more privacy protections than HIPAA or gives patients more rights than HIPAA, in which case the more stringent state law applies. States such as Texas have very stringent medical record privacy laws that apply to all organizations that collect, process, or maintain the PHI of a Texas resident, regardless of where the organization is located, so any change to Texas' Medical Records Privacy Act could affect what an agreement covered by HIPAA must contain.

Why won't Microsoft sign my Business Associate Agreement?

Cloud Service Providers such as Microsoft, AWS, and Google Cloud Platform offer hyperscale, multi-tenant services that are standardized for all customers, and they treat all customers in the same way regardless of whether they are Covered Entities or not. However, each Cloud Service Provider has produced a HIPAA-compliant Business Associate Agreement it is willing to sign with customers. You can find the Microsoft Business Associate Agreement in the Service Trust Portal.

If I have further questions about Business Associates and Business Associate Agreements, where can I find the answers?

The most comprehensive source of information relating to HIPAA is the HHS website. However, because the HHS cannot cover every possible relationship between a Covered Entity and a Business Associate, some of the information can be hard to follow or open to interpretation. For advice relating to specific circumstances, it is recommended to seek professional HIPAA compliance help.
