10 Requirements to Include in Your Business Associate Agreement

HIPAA Security / By
Business Associate Agreement

10 Requirements to Include in Your Business Associate Agreement

The HIPAA Privacy, Security, and Breach Notification Rule require Covered Entities and their third-party vendors, referred to by the Department of Health and Human Services as Business Associates (BAs), are required to obtain a signed Business Associate Agreement (BAA) from each vendor, and their subcontractors, to ensure appropriate safeguards are implemented to protect Protected Health Information (PHI) and electronic PHI (ePHI). The BAA serves as a contract to clarify and limit the use or disclosure of PHI only as permitted or required by law.

Put it in the Business Associate Agreement

Healthcare third-party vendors are required to comply with the HIPAA Privacy and Security Rules to appropriately safeguard protected health information (PHI). One of those requirements is a current and signed contract, referred to as a Business Associate Agreement (BAA), for each third-party vendor.

Four things third-party vendor contract do:

  1. Serves to clarify and limit the allowable uses and disclosures of PHI by the vendor.
  2. Identifies how a third-party vendor may use or disclose PHI only as permitted or required by its contract or as required by law.
  3. That a third-party vendor is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not allowed in the contract or required by law.

A third-party vendor is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

Something to Ponder ...

Business Associates can and have been held directly liable and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that were not authorized.

Business Associate Agreement

10 Business Associate Agreement Requirements

The written contract between a CE and a BA must:

  1. Determine when and how the third-party vendor is allowed to use or disclose PHI.
  2. Require that the third-party vendor will not use or disclose PHI other than what has been permitted by the contract or required by law.
  3. Establish what safeguards will be put in place to prevent unauthorized PHI disclosure. This includes implementing HIPAA requirements surrounding electronic PHI. This effort is intended to help reduce and eliminate Medical Records Snooping!!
  4. Require the third-party vendor to report to the provider any use or disclosure of PHI not covered by the contract, including incidents or breaches of unsecured PHI.
  5. Ensure the third-party vendor will disclose PHI as specified in the contract to satisfy a provider ‘s obligation with respect to individuals’ requests for copies of their PHI. PHI should be available for amendments as well.
  6. To the extent the third-party vendor is to carry out a provider ‘s obligation under HIPAA, require that the third-party vendor comply with the requirement relevant to the obligation.
  7. Ensure internal practices, books and records relating to the use and disclosure of PHI by the third-party vendor will be made available to the Department of Health and Human Services to determine the provider ‘s HIPAA compliance.
  8. Require that the third-party vendor return or destroy all PHI received from, or created or received by the third-party vendor on the provider ‘s behalf, upon termination of the contract.
  9. Require that third-party vendor enter agreements with their subcontractors that may have access to PHI.
  10. Allow the provider to terminate the contract if the third-party vendor violates a material term of the contract.

HHS provides a sample BAA to help CEs and BAs more easily comply with the BA contract requirements.

Helpful Tips for Third-Party Vendor Contract Management

Here are four tips to incorporate into your third-party vendor contract management activities: 

  1. Keep all contracts/agreements in a centralized location that can be accessed anytime.
  2. Know when third-party vendor contracts expire.
  3. Ensure all third-party vendor contract are signed.
  4. Continually monitor third-party vendor compliance by issuing assessments and include third-party vendors when performing your risk analysis.