HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Important Information on HIPAA Business Associate Agreements

The Omnibus Rule has now been in effect for a week. It is an amendment to the HIPAA regulations which requires all Business Associate Agreements to be HIPAA-compliant. Any new BAAs issued – or those issued after Sept 23, 2014 – must comply with the HIPAA Omnibus Rule; the same applies to any business agreements already in place. Existing agreements must also be updated to take the new Omnibus Rule into account.

If any agreements have not been updated, the HHS’ OCR will consider this a HIPAA violation and would be within its rights to issue a financial penalty for each agreement that does not comply with the new rule. It is therefore essential that healthcare organizations perform a full review of all BAAs currently active and address any non-compliance issues.

Issuing HIPAA Compliant Business Associate Agreements

A HIPAA-compliant BAA must be issued and signed by a Business Associate (BA) to ensure that PHI is properly protected. A Business Associate is classed as any individual, company, organization or other entity that performs a function, offers a service or conducts activities on behalf of a covered entity which requires access to Protected Health Information (PHI). It is important to note that ‘entity’ includes e-prescribing gateways and software that accesses PHI data.


The purpose of the BAA is to ensure that a BA takes responsibility for protecting confidential information and understands that appropriate safeguards need to be employed to prevent PHI from being viewed, copied or used by unauthorized individuals. Information must be included on how PHI can be used and to whom it can be disclosed. The BAA serves as a contract and states the terms of use of PHI dictated by the covered entity and permitted by law.

Failure to comply with the BAA or to adhere to its terms leaves the business associate liable. Liability means financial penalties will be incurred for non-compliance issues, and the BA could potentially face criminal charges for the disclosure of confidential PHI to unauthorized third parties.

What Must be Included in a BAA?

The Department of Health and Human Services requires Business Associate Agreements to be written contracts that explicitly state the terms of use of PHI: its permitted uses and to whom the information may be disclosed. The required minimum safeguards for protecting the data must also be stated in the BAA. Should the BA use subcontractors, they are also covered by the agreement; the BA takes full responsibility for their actions and is responsible for ensuring the terms of the contract are met by any subcontractor requiring access to the PHI.

Information must also be provided on how the data must be treated on completion or termination of the contract. The data must ideally be returned or must be permanently destroyed. It must also be stated that in the event of a violation of a material term of the contract, the covered entity has the right to terminate that contract.

Immediate Action Required

If you have not reviewed your BAAs to account for the Omnibus Rule, you are committing a HIPAA violation and can face financial penalties for each violation committed. Consult the HHS website for further information on BAAs and the Omnibus Rule, and ensure all business associates are aware of the new regulations and agree to abide by their terms.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.