HIPAA Business Associate Agreement
A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that covered entity. A HIPAA-covered entity is typically a healthcare provider, health plan, or healthcare clearinghouse that conducts transactions electronically. A vendor of a HIPAA covered entity that needs to be provided with protected health information (PHI) to perform duties on behalf of the covered entity is called a business associate (BA) under HIPAA. A vendor is also classed as a BA if, as part of the services provided, electronic PHI (ePHI) passes through their systems. A signed HIPAA business associate agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI.
Since the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act and its incorporation into HIPAA in 2013 via the HIPAA Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA. A business associate must likewise obtain a signed HIPAA business associate agreement from its subcontractors before access is given to PHI or ePHI. If subcontractors use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with their subcontractors.
What is a HIPAA-Compliant Business Associate Agreement?
The business associate agreement is a contract that stipulates the types of protected health information (PHI) that will be provided to the business associate, the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information (e.g. encryption at rest and in transit), and the actions that the BA must take in the event of a security breach that exposes PHI.
The contract should stipulate that the BA (or subcontractor) must implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of those measures may be stated in the BAA or it may be left to the discretion of the BA. The BAA should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. In the event that PHI is accessed by individuals unauthorized to view the information, such as an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The timescale and responsibilities for notifications should be detailed in the agreement.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both the Department of Health and Human Services’ Office for Civil Rights and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.
Unlike most contracts, a HIPAA business associate agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.
HIPAA Definitions and BA Exclusions Cause the Most Issues
Covered entities can be fined for not having a HIPAA business associate agreement in place or for having an incomplete agreement in place – even though HITECH § 78 FR 5574 states BAs are obligated to comply with the HIPAA Security Rule even if no HIPAA business associate agreement is executed.
The issue for many covered entities is they are not always sure of who a HIPAA business associate agreement applies to. The Department of Health & Human Services defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
However, exclusions to this definition exist (see 45 CFR 160.103) and it may be the case that the scope of a covered entity’s relationship with a vendor changes over time.
Common Covered Entity Business Associate Agreement Failures
Insisting Every Contractor Signs a BAA
Some covered entities have taken a “better-safe-than-sorry” approach to address their definition issues, and have executed agreements with all entities they have business relationships with – whether they were required or not. Recent research funded by the California Healthcare Foundation found many covered entities were entering into agreements with other covered entities unnecessarily, and were also entering into agreements with vendors who had no access to PHI and were never likely to. In one case, a covered entity required its landscaper to sign a HIPAA business associate agreement.
Assuming a Signed BAA Means Compliance with HIPAA
During the research, CHF found many covered entities were neglecting their due diligence obligations and were failing to obtain “satisfactory assurances” that the BA they were sharing PHI with was HIPAA-compliant. Instead, they restricted their investigative efforts to “high risk” IT vendors and only ensured they had mechanisms in place to protect stored and electronically transmitted PHI. Fewer still audited their BAs to ensure compliance with HIPAA. Only a small minority asked to see evidence of risk assessments and policies and procedures covering the actions that must be taken in the event of a breach of PHI. These failures could see the covered entity fined for violating HIPAA.
Not Having a HIPAA Business Associate Agreement for Companies That Touch ePHI
Many vendors are not given PHI to perform tasks on behalf of the covered entity, but ePHI passes through their systems. Many software solutions touch ePHI, which means the software provider is classed as a business associate. There are exceptions for entities that act as conduits through which ePHI simply passes (see the conduit exception), although most cloud service and software providers are not excepted from compliance with HIPAA and BAAs are required.
Common Failures by Business Associates and Their Subcontractors
HIPAA Compliance Means More Than the Encryption of PHI
Encrypting all ePHI that is stored or transmitted by a business associate is an important safeguard, but encryption alone is insufficient to ensure HIPAA compliance. Physical safeguards must also be implemented to ensure ePHI cannot be accessed by unauthorized individuals, administrative safeguards must be put in place, and written policies and procedures must be developed and maintained.
Failing to Enter into a HIPAA Business Associate Agreement with Subcontractors
The business associate agreement ensures there is a chain of custody for PHI. A vendor of a HIPAA covered entity must enter into a contract with the covered entity, and a subcontractor used by a business associate is also required to enter into such a contract. A subcontractor is a business associate of a business associate and is not covered by the BA/covered entity contract. A separate contract must be signed before access to PHI is allowed. The chain can be long and the further away from the covered entity that ePHI passes, the greater potential there is for HIPAA business associate agreement violations.
Business Associate Agreement Template Failures
There are many HIPAA business associate agreement templates available, but care should be taken before they are used. Before using such a template, it is important to check for whom that template has been designed to make sure it is relevant. It should also be personalized to include all of the requirements stipulated by the covered entity.
Financial Penalties for HIPAA Business Associate Agreement Failures
The penalties for HIPAA violations are tiered, depending on the degree of culpability, and have been detailed in the infographic below.
The HHS’ Office for Civil Rights has issued many financial penalties for business associate agreement failures. During investigations of data breaches and complaints, OCR found that the following covered entities had failed to obtain a signed HIPAA-compliant BAA from at least one vendor. That was either the sole reason for the financial penalty or the additional violation contributed to the severity of the financial penalty.
| Year | Covered Entity | Financial Penalty |
|------|----------------|-------------------|
| 2018 | Pagosa Springs Medical Center | $111,400 |
| 2018 | Advanced Care Hospitalists | $500,000 |
| 2017 | The Center for Children’s Digestive Health | $31,000 |
| 2016 | Care New England Health System | $400,000 |
| 2016 | Oregon Health & Science University | $2,700,000 |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 |