What to look for in a Business Associate Agreement?
The HIPAA Privacy, Security, and Breach Notification Rule require Covered Entities and Business Associates (BAs) to obtain a signed Business Associate Agreement (BAA) from each BA, and their subcontractors, to ensure appropriate safeguards are implemented to protect Protected Health Information (PHI) and electronic PHI (ePHI).
Business Associates can and have been held directly liable and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that were not authorized.
The BAA serves as a contract to clarify and limit the use or disclosure of PHI only as permitted or required by law.
10 Tips for Your Business Associate Agreement
The written contract between a CE and a BA must:[iv]
- Establish the permitted and required uses and disclosures of PHI by the BA;
- Require that the BA not use or further disclose the information other than what is permitted or required by the contract or as required by law;
- Require the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to ePHI; This efforts to reduce and eliminate Medical Records Snooping!!
- Require the BA to report to the CE any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
- Require the BA to disclose PHI as specified in its contract to satisfy a CE’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accounting;
- To the extent the BA is to carry out a CE’s obligation under the Privacy Rule, require the BA to comply with the requirements applicable to the obligation;
- Require the BA to make available to Health & Human Services (HHS) its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the CE for purposes of HHS determining the CE’s compliance with the HIPAA Privacy Rule;
- At termination of the contract, if feasible, require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of, the CE;
- Require the BA to ensure any subcontractors it may engage with on its behalf which have access to PHI agree to the same restrictions and conditions that apply to the BA with respect to such information; and
- Authorize termination of the contract by the CE if the BA violates material term of the contract. Contracts between BAs and BA subcontractors are subject to these same requirements
HHS provides a sample BAA to help CEs and BAs more easily comply with the BA contract requirements.
Here is an overview of what Business Associates are required to:
- • Protect PHI – BA agrees to implement the Administrative, Physical and Technical standards identified in the HIPAA Security Rules and certain standards under the Privacy Rule. BA should be able to provide copies of their HIPAA Policies and Procedures if requested.
- • Train Workforce – All workforce members of the BA should be trained on their responsibilities for protecting PHI in their possession and/or control. CEs may request to review all employee training records.
- • Breach Notification – In the event a PHI breach occurs the BA should contact the CE without delay. HIPAA alli recommends including the following statement in the BAA contract, the BA must notify the CE within ten (10) business days of the breach discovery. The CE has sixty (60) days after discovering the breach to notify HHS as well as the patients affected in the breach.
- • Subcontractors – The BA must require their subcontractors meet the same HIPAA Privacy, Security, and Breach Notification requirements that apply to the BA.
- • Return or Destroy Information – When the service contract with the BA is over and the BA no longer needs access to the CE’s PHI after completing their contractual service obligations, the BA must agree to return and/or destroy any PHI they have received from the CE. This also means all subcontractors will return and/or destroy any data they have.
Note: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as CEs’ & BAs’ organizations and technologies change.
Covered Entities and Business Associates your patients are entrusting YOU with their most private and intimate details, they expect it to remain secure!
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat – schedule a call with HIPAA alli today!
[i] 45 CFR §§ 164.103, 165.502(e) and 165.504(e)
[ii] Business Associate & Covered Entity defined at § 45 CFR 160.103
[iii] HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR §§ 160 and Part 164.
[iv] at § 45 CFR 164.504