HIPAA Business Associate Agreement

A HIPAA Business Associate Agreement is a contract between a HIPAA Covered Entity and a business or individual that performs functions or activities on behalf of, or provides a service to, the Covered Entity when the function, activity, or service involves access to Protected Health Information (PHI) by the business or individual.

A HIPAA Covered Entity is any health plan or healthcare clearinghouse, or any health care provider that conducts transactions covered by HIPAA standards. When a Covered Entity outsources functions, activities, or services that involve the disclosure of PHI to a third party that is not a member of the Covered Entity’s workforce, that third party is a Business Associate.

Before disclosing PHI to a Business Associate, a Covered Entity must sign a HIPAA Business Associate Agreement (also known as a HIPAA Business Associate Contract). The contract should clarify what PHI is being disclosed to the Business Associate and the permissible uses and disclosures of PHI by the Business Associate – for example to subcontractors.

Since the passage of the HITECH Act and the incorporation of relevant provisions into HIPAA via the HIPAA Omnibus Final Rule, subcontractors used by Business Associates are also required to comply with HIPAA. Therefore, if a Business Associate subcontracts a function, activity, or service to another party, an additional HIPAA Business Associate Agreement must be in place.

What is a HIPAA-Compliant Business Associate Agreement?

In addition to clarifying what PHI is being provided to the Business Associate and the permissible uses and disclosures, a HIPAA-compliant Business Associate Agreement must also:

  • Stipulate that the Business Associate will not use or further disclose the information other than as permitted by the contract or as required by law.
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized uses or disclosures of the PHI.
  • Require the Business Associate to report any use or disclosure not provided for by the agreement, including breaches of unsecured PHI.
  • Require the Business Associate to satisfy individuals’ requests for copies of PHI, incorporate any amendments, and account for disclosures.
  • Require the Business Associate to make available to HHS records relating to the use and disclosure of PHI in the event of an audit or investigation.
  • Require the Business Associate to return or destroy PHI received from, created for, or received on behalf of the Covered Entity at the termination of the agreement.
  • Require the Business Associate to ensure that anyone with access to PHI agrees to the same restrictions and conditions that apply to the Business Associate.
  • Authorize termination of the contract by the Covered Entity if the Business Associate violates any term of the agreement.

Note: Contracts between Business Associates and Business Associates that are subcontractors are subject to these same requirements.

A Business Associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business Associates can be fined directly by regulators for HIPAA violations. Both the Department of Health and Human Services’ Office for Civil Rights and state attorneys general have the authority to issue financial penalties for violations of HIPAA.

In addition, unlike most contracts, a HIPAA Business Associate Agreement does not necessarily indemnify a Covered Entity against financial penalties for a breach of PHI attributable to the non-compliance of the Business Associate. If a Covered Entity fails to obtain “satisfactory assurances” that a Business Associate is HIPAA-compliant prior to entering into an agreement, and a breach of unsecured PHI subsequently occurs, the Covered Entity may be considered liable for the breach.

HIPAA Business Associate Examples

The HHS web page relating to Business Associates lists several HIPAA Business Associate examples, but it is important to note that most of these third party service providers are only Business Associates if PHI is shared with or disclosed to the third party for a service the third party is providing to the Covered Entity.

For example, HHS’ list includes an attorney whose legal services to a health plan include access to PHI. If the attorney does not have access to PHI, they are not a Business Associate, and no Business Associate Agreement is required. The same applies to the example of an accounting firm providing services to a health care provider.

More relevant HIPAA Business Associate examples can be found by looking at a Covered Entity’s day-to-day operations and identifying which outsourced services may involve a disclosure of PHI. For example, if teams share PHI over collaboration tools such as Google Workspace, Google is a Business Associate, and a Business Associate Agreement is required.

Other potential HIPAA Business Associate examples include:

Definitions and Exclusions Cause the Most Issues

Covered Entities can be fined for not having a HIPAA Business Associate Agreement in place or for having an incomplete agreement in place, even though HITECH § 78 FR 5574 states Business Associates are obligated to comply with the HIPAA Security Rule even if no HIPAA business associate agreement is executed. These fines can be issued even if no further HIPAA violation occurs.

The issue for many Covered Entities is that they are not always sure to whom a HIPAA Business Associate Agreement applies. The Department of Health & Human Services defines a Business Associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a Covered Entity.”

However, exclusions to this definition exist (see 45 CFR 160.103), and the scope of a Covered Entity’s relationship with a Business Associate may change over time. Note also that a Covered Entity can itself be a Business Associate of another Covered Entity if it performs functions, activities, or services that involve the disclosure of PHI.

Common Covered Entity Business Associate Agreement Failures

Insisting Every Contractor Signs a BAA

Some Covered Entities have taken a “better-safe-than-sorry” approach to their definition problems and have executed agreements with every entity they have a business relationship with, whether an agreement was required or not.

Recent research funded by the California Healthcare Foundation (CHF) found many Covered Entities were entering into agreements with other Covered Entities unnecessarily, or were also entering into agreements with Business Associates who had no access to PHI and were never likely to. In one case, a Covered Entity required its landscaper to sign a HIPAA Business Associate Agreement.

Assuming a Signed BAA Means Compliance with HIPAA

During the research, CHF found many Covered Entities were neglecting their due diligence obligations and were failing to obtain “satisfactory assurances” that the Business Associate they were sharing PHI with was HIPAA-compliant. Instead, they restricted their investigative efforts to “high risk” IT vendors and only ensured they had mechanisms in place to protect stored and electronically transmitted PHI.

Fewer still audited Business Associates to ensure compliance with HIPAA. Only a small minority asked to see evidence of risk assessments and policies and procedures covering breaches of unsecured PHI. These failures could see the Covered Entity fined for violating HIPAA, even when no other HIPAA violation or breach of unsecured PHI occurs.

Not Having a HIPAA Business Associate Agreement for Companies That Touch ePHI

Even when PHI is not disclosed to a company directly, because the company is not performing a function, activity, or service for a Covered Entity, PHI might still pass through its systems. For example, ePHI may be sent from a Covered Entity to a Business Associate via Outlook 365. In this example, because ePHI has passed through its system, Microsoft would be classed as a Business Associate of the Covered Entity.

There are exceptions for companies that act as conduits through which ePHI simply passes (for example the Postal Service – see the conduit exception). This is because the Postal Service does not store PHI other than on a temporary basis incident to the transmission service, whereas copies of emails sent via Outlook 365 remain on Microsoft’s servers indefinitely. Therefore, most cloud service providers and software vendors are Business Associates under HIPAA.

Common Failures by Business Associates and Their Subcontractors

HIPAA Compliance Means More Than the Encryption of PHI

Encrypting all ePHI that is stored or transmitted by a Business Associate is an important safeguard, but encryption alone is insufficient to ensure HIPAA compliance. Physical safeguards must also be implemented to ensure ePHI cannot be accessed by unauthorized individuals, and administrative safeguards such as policies and procedures must be developed and implemented.

Failing to Enter into a HIPAA Business Associate Agreement with Subcontractors

The HIPAA Business Associate Agreement ensures there is a chain of custody for PHI. A Business Associate of a Covered Entity must enter into a contract with the Covered Entity, and a subcontractor used by a Business Associate is also required to enter into such a contract.

A subcontractor is a Business Associate of a Business Associate and is not subject to the terms of the top-level Business Associate Agreement. A separate contract must be signed with the subcontractor before access to PHI is allowed. The chain can be long, and the further from the Covered Entity ePHI travels, the greater the potential for HIPAA Business Associate Agreement violations.

Business Associate Agreement Template Failures

There are many HIPAA Business Associate Agreement templates available, but care should be taken before they are used. Before using a template, it is important to check for whom it was designed to make sure it is relevant. It should also be personalized to include all of the requirements stipulated by the Covered Entity.

Financial Penalties for HIPAA Business Associate Agreement Failures

The penalties for HIPAA violations are tiered according to the degree of culpability and are detailed in the infographic below.

The HHS’ Office for Civil Rights has issued many financial penalties for Business Associate Agreement failures. During investigations of data breaches and complaints, OCR found that the following Covered Entities had failed to obtain a signed HIPAA-compliant Business Associate Agreement from at least one third party service provider. This was either the sole reason for the financial penalty or the Business Associate Agreement failure contributed to the severity of the financial penalty.

Year   Covered Entity                                        Financial Penalty
2018   Pagosa Springs Medical Center                         $111,400
2018   Advanced Care Hospitalists                            $500,000
2017   The Center for Children’s Digestive Health            $31,000
2016   Care New England Health System                        $400,000
2016   Oregon Health & Science University                    $2,700,000
2016   Raleigh Orthopaedic Clinic, P.A. of North Carolina    $750,000
2016   North Memorial Health Care of Minnesota               $1,550,000

FAQs

As a software vendor, what do I need to do to become a HIPAA-compliant Business Associate?

If your software product or service creates, receives, maintains, or transmits ePHI on behalf of a Covered Entity, you have to ensure policies and procedures are in place to comply with the Privacy, Security, and Breach Notification Rules. This includes conducting and documenting a risk analysis of your computer systems to identify potential security risks and respond accordingly.

If, as a Business Associate, I share ePHI with other companies, do I need to sign an agreement with them?

Assuming you are sharing ePHI with another company to execute the services being provided to a Covered Entity, you will need to sign an agreement with the third party. An example of such a scenario is a software vendor that uses the services of a Cloud Service Provider such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform.

Is it always necessary for third party service providers to sign an agreement with a Covered Entity?

It is almost always necessary for a Business Associate to sign an agreement with a Covered Entity when the Business Associate is creating, receiving, maintaining, or transmitting ePHI on behalf of the Covered Entity. However, if a third party service provider is not providing a covered service (e.g., a landscaper), the service provider is not a Business Associate, and no agreement is required.

What are the exceptions to the requirement to sign a Business Associate Agreement?

There are a few exceptions to the requirement to sign a Business Associate Agreement. These include specialists to whom a hospital refers a patient and transmits the patient’s medical chart for treatment purposes, laboratories to whom a physician discloses the PHI of a patient for treatment purposes, and disclosures of PHI by a group health plan to a plan sponsor such as an employer.

How can a Covered Entity be a Business Associate for another Covered Entity?

Under the Privacy Rule (45 CFR § 164.506) Covered Entities are allowed to disclose PHI to third parties for treatment, payment, and health care operations. All other disclosures of PHI require a Business Associate Agreement in place – for example, if a private consultant performed a utilization review for a hospital that involved the disclosure of PHI.

If a physician outsources lab services, does the provider of the lab service have to sign a Business Associate Agreement?

This depends on why the physician is outsourcing the lab service. If the disclosure of PHI is for the treatment of a patient, the transaction is allowable under the Privacy Rule and no Business Associate Agreement is required. However, for any other type of transaction in which PHI is disclosed, an agreement will be necessary.

How frequently should HIPAA Business Associate Agreements be renewed?

Unless an agreement stipulates a termination date, agreements remain valid indefinitely. However, it is a best practice to review agreements at least annually. A Covered Entity should ask for a copy of the Business Associate’s most recent risk assessment, confirm there have been no changes to state or federal laws that would impact the agreement, and check that SLAs are being maintained.

How might changes to state laws impact an agreement covered by a federal law?

HIPAA preempts all state and federal laws unless a state or federal law provides more privacy protections than HIPAA or gives patients more rights than HIPAA. States such as Texas have very stringent medical record privacy laws which apply to all organizations that collect, process, or maintain the PHI of a Texas resident, regardless of where the organization is located. Any change to Texas’ Medical Records Privacy Act could therefore impact an agreement covered by HIPAA.

Why won’t Microsoft sign my Business Associate Agreement?

Cloud Service Providers such as Microsoft, AWS, and Google Cloud Platform offer hyperscale, multi-tenant services that are standardized for all customers, and therefore they treat all customers in the same way, regardless of whether they are Covered Entities or not. However, each Cloud Service Provider has produced a HIPAA-compliant Business Associate Agreement it is willing to sign with customers. You can find the Microsoft Business Associate Agreement in the Service Trust Portal.

If I have further questions about Business Associates and Business Associate Agreements, where can I find the answers?

The most comprehensive source of information relating to HIPAA is the HHS website. However, because the HHS cannot cover every possible relationship between a Covered Entity and a Business Associate, some of the information can be hard to follow or open to interpretation. For advice relating to specific circumstances, it is recommended to seek professional HIPAA compliance help.