HIPAA Business Associate Agreement

A HIPAA Business Associate Agreement is a contract between a Covered Entity and a Business Associate (BA) – or between a BA and a sub-contractor – stipulating how Protected Health Information (PHI) can be used. The contract sets out the terms of permissible use based on the relationship between the parties and the activities or services being performed by the BA or sub-contractor.

The contract should also stipulate that the BA will not use or disclose any PHI with which they come into contact other than as permitted by the HIPAA Business Associate Agreement, that the BA implements appropriate safeguards to prevent the unauthorized disclosure of PHI, and that the BA will advise the Covered Entity of any breaches of PHI.

Unlike most contracts, a HIPAA Business Associate Agreement does not necessarily indemnify a Covered Entity against financial penalties for a breach of PHI. If a Covered Entity fails to obtain “satisfactory assurance” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the Covered Entity may be considered liable for the breach.

HIPAA Definitions and BA Exclusions Cause the Most Issues

As well as being potentially liable for sub-contractor breaches of PHI, Covered Entities can be fined for not having a HIPAA Business Associate Agreement in place or for having an incomplete Agreement in place – even though HITECH § 78 FR 5574 states BAs are obligated to comply with the HIPAA Security Rule even if no HIPAA Business Associate Agreement is executed.

The issue for many Covered Entities is that they are not always sure to whom a HIPAA Business Associate Agreement applies. The Department of Health & Human Services defines a Business Associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

However, exclusions to this definition exist (see 45 CFR 160.103), and the scope of a Covered Entity's relationship with a vendor may change over time. Some Covered Entities have taken a “better-safe-than-sorry” approach to these definition issues and executed Agreements with all the entities they have business relationships with – whether they were required or not.

Covered Entities Also Failing to Obtain Satisfactory Assurance

Recent research funded by the California Healthcare Foundation found Covered Entities entering into Agreements with other Covered Entities unnecessarily, and entering into Agreements with vendors who had no access to PHI and were never likely to. In one case, a Covered Entity required its landscaper to sign a HIPAA Business Associate Agreement.

During the research it was also found that many Covered Entities are neglecting their due diligence obligations and failing to obtain “satisfactory assurance” that the BAs they share PHI with are HIPAA-compliant – usually restricting their investigative efforts to ensuring that “high risk” IT vendors had mechanisms in place to protect electronically transmitted PHI.

Fewer still audited their BAs' compliance with HIPAA – only a small minority asked to see the HIPAA-required risk assessments, or the policies and procedures to be followed in the event of a breach of PHI. Remember, if the HHS' Office for Civil Rights considers that the Covered Entity has not done enough to obtain “satisfactory assurance” of HIPAA compliance, the Covered Entity can be held liable for a breach of PHI.