How To Write a HIPAA Business Associate Agreement

Business Associate Agreements, often called BAAs, are an important part of HIPAA compliance. They serve as a foundation, ensuring that everyone involved understands their responsibilities when it comes to safeguarding protected health information (PHI). But what exactly is a BAA, and why is it important?

In simple terms, a Business Associate Agreement is a written contract, a binding promise between two entities. It states, “When you entrust me with sensitive health data, I pledge to uphold all HIPAA-compliant standards.” These standards, set by the HIPAA-covered entity, guarantee the confidentiality and security of patient data.

But who exactly requires this agreement? Consider a scenario where a health care provider partners with an external billing service. This service, being a business associate, would access patient data. Hence, a BAA is essential to ensure the data’s proper management. Similarly, IT firms handling health records, healthcare clearinghouses, or even accounting services dealing with medical finances need this agreement.

In a nutshell, before any disclosures of PHI or collaborations in the healthcare sector, a robust HIPAA business associate agreement is more than just recommended; it’s a necessity. It’s the foundation that ensures every piece of patient information remains secure and treated with the utmost care.

Key Components of a HIPAA Business Associate Agreement

The HIPAA Business Associate Agreement contract should be written in the following sequence:

  • Definitions
  • Obligations & Activities of Business Associates
  • Disclosures by Business Associates
  • Permissible Requests by Covered Entity
  • Term & Termination

Let’s break it down.

1. Definitions

General Terms:

Understanding specific terms is crucial when dealing with HIPAA compliance. Here are some terms that carry the same meaning in the agreement as they do in the HIPAA Rules:

  • Breach: Improper use or sharing of protected health information (PHI).
  • Data Aggregation: Combining data for analysis or health care operations.
  • Designated Record Set: Records a covered entity holds, including medical and billing records.
  • Disclosure: Sharing health information outside the entity that holds it.
  • Health Care Operations: Activities related to health care, like quality assessment and improvement.
  • Individual: The person whose health information is being discussed.
  • Minimum Necessary: Using or sharing only the least amount of PHI needed.
  • Notice of Privacy Practices: A document explaining how a patient’s health information may be used and shared.
  • Protected Health Information (PHI): Any health information that can identify an individual.
  • Required By Law: Something a law requires regarding the use or sharing of PHI.
  • Secretary: Refers to the Secretary of the U.S. Department of Health and Human Services.
  • Security Incident: Attempted or successful unauthorized access or misuse of information systems.
  • Subcontractor: A third party a business associate hires to help perform its duties.
  • Unsecured Protected Health Information: PHI that is not protected against unauthorized access.
  • Use: Employing, applying, or analyzing health information within the entity that holds it.

Specific Terms:

  • Business Associate: This term aligns with the definition of “business associate” at 45 CFR 160.103. In the context of an agreement, it refers to the name of the business associate.
  • Covered Entity: This aligns with the definition of “covered entity” at 45 CFR 160.103. In the context of an agreement, it refers to the name of the covered entity.
  • HIPAA Rules: This encompasses the Privacy, Security, Breach Notification, and Enforcement Rules found in 45 CFR Part 160 and Part 164.

2. Obligations & Activities of Business Associates

A Business Associate commits to:

  • Safeguarding PHI: They must neither use nor disclose PHI unless the Agreement permits it or the law requires it.
  • Upholding Security Measures: They must employ appropriate safeguards, especially for electronic PHI, to prevent any use or disclosure the Agreement does not permit.
  • Reporting Issues: Any use or disclosure of PHI not permitted by the Agreement, including breaches of unsecured PHI as defined at 45 CFR 164.410, must be reported promptly to the covered entity.
  • Subcontractor Compliance: As required by 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate must agree to the same restrictions and conditions.
  • Access to PHI: They must provide access to PHI held in a designated record set as required under 45 CFR 164.524.
  • Amending PHI: They must make any amendments to PHI in a designated record set that the covered entity directs under 45 CFR 164.526.
  • Accounting for Disclosures: They must maintain, and provide on request, the information needed for an accounting of disclosures under 45 CFR 164.528.
  • Adhering to Covered Entity’s Obligations: If the business associate carries out any of the covered entity’s duties under Subpart E of 45 CFR Part 164, it must comply with the requirements that apply to the covered entity when performing those duties.
  • Transparency with the Secretary: They must make their internal practices, books, and records available to the Secretary for the purpose of determining compliance with the HIPAA Rules.

Note: While this provides a foundational understanding, always consult with a HIPAA compliance or legal expert when finalizing such crucial agreements.

3. Disclosures by Business Associates

  1. Permitted Uses and Disclosures

(a) Usage and Disclosure of Protected Health Information (PHI): A business associate, in the context of health care operations, has the responsibility to handle PHI with utmost care. They can use or disclose this information in two primary scenarios:

  • Based on a detailed list that outlines specific permissible purposes.
  • As necessary to perform the services explicitly described in a service agreement.

Moreover, with the rise of digital healthcare and the need for HIPAA-compliant software, there is increasing emphasis on de-identifying PHI. Business associates may be authorized to de-identify PHI in accordance with 45 CFR 164.514(a)-(c). The method of de-identification, and the uses and disclosures permitted for the resulting de-identified data, should be transparent and well defined.

(b) Mandatory Disclosures: Sometimes, the law might necessitate the disclosure of PHI. In such cases, a business associate has the obligation to comply.

(c) Consistency with Minimum Necessary Policies: All actions involving PHI, whether it’s use, disclosure, or requests, should:

  • Align with the covered entity’s minimum necessary policies and procedures, ensuring proper management of patient data.
  • Adhere to specific minimum necessary requirements that are consistent with the covered entity’s policies.

(d) Restrictions on Use and Disclosure: Business associates must exercise caution. They shouldn’t use or disclose PHI in ways that would breach Subpart E of 45 CFR Part 164 if the covered entity were to do the same. However, certain specific uses and disclosures might be exceptions to this rule.

(e) Management and Administration: For the proper management and administration of their operations, business associates can utilize PHI. This also extends to fulfilling their legal responsibilities.

(f) Disclosure for Management and Legal Responsibilities: Business associates can disclose PHI for their management, administration, or legal responsibilities if:

  • The law requires the disclosure.
  • They obtain reasonable assurances that the disclosed information will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed.

(g) Data Aggregation Services: In the age of data-driven health care functions, business associates might offer data aggregation services related to the health care operations of the covered entity.

4. Permissible Requests by Covered Entity

(a) Notification of Privacy Practices: The covered entity should proactively inform the business associate of any limitations in their notice of privacy practices as per 45 CFR 164.520. This is crucial if such limitations might impact the business associate’s use or disclosure of PHI.

(b) Changes in Permissions: Any alterations or revocations in an individual’s permission to use or disclose their PHI should be communicated to the business associate. This ensures that the business associate’s actions align with the individual’s preferences.

(c) Restrictions on Use or Disclosure: The covered entity should keep the business associate in the loop about any restrictions on the use or disclosure of PHI they’ve agreed to or are mandated to follow under 45 CFR 164.522. This is essential to ensure that the business associate’s actions are in sync with these restrictions.

Guidelines for Requests by Covered Entity

The covered entity must exercise caution when making requests. They shouldn’t ask the business associate to use or disclose PHI in ways that wouldn’t be allowed under Subpart E of 45 CFR Part 164 if done by the covered entity itself. Exceptions might be present if the business associate will use or disclose PHI for data aggregation or their management and legal responsibilities.

5. Term & Termination

  (a) Agreement Duration (Term)

Every Business Associate Agreement (BAA) has a start and an end. The start is the “effective date,” the day the agreement takes effect. The end can be a set date or a specific event that triggers the agreement’s conclusion. But remember, if the business associate does not stick to the rules, the covered entity can decide to end the agreement early.

  (b) Termination Due to Breach (Termination for Cause)

The covered entity has the right to end the Agreement if it believes the business associate has breached a material term of the Agreement. If the business associate has not cured the breach or ended the violation within the timeframe set by the covered entity, termination can follow. There is often a cure period, meaning the business associate gets a chance to fix the problem before the agreement is terminated.

  (c) Responsibilities Post-Termination

Handling of Protected Health Information (PHI) After Termination:

[Option 1 – Return or Destruction of PHI]

Upon the Agreement’s conclusion, the business associate should hand back to the covered entity all protected health information they’ve received or created on behalf of the covered entity. This includes any form of PHI, and the business associate should not retain any copies.

[Option 2 – Retention for Specific Purposes]

If the Agreement ends, the business associate, concerning the PHI received or created on behalf of the covered entity, should:

  1. Keep only the PHI essential for their proper management, administration, or legal responsibilities.
  2. Hand back or, if the covered entity agrees, destroy any remaining PHI.
  3. Continue to employ the right safeguards, especially concerning electronic protected health information, ensuring no unauthorized use or disclosure of PHI.
  4. Not use or disclose the retained PHI for any other purpose than what it was retained for, adhering to the conditions set out in the previous sections.
  5. Return or destroy the retained PHI when it’s no longer required for their management, administration, or legal duties.

  (d) Continuation of Obligations (Survival)

The business associate’s responsibilities, as described in this section, continue even after the Agreement’s termination. This ensures patient data stays protected in line with HIPAA requirements.

MedStack HIPAA Business Associate Agreement

When dealing with Protected Health Information (PHI), looking at how established agreements like MedStack’s HIPAA Business Associate Agreement (BAA) are structured can be helpful. This agreement, which forms part of the MedStack Customer Agreement, offers a practical example of effectively managing PHI in compliance with HIPAA regulations.

Key Elements as Demonstrated by MedStack’s BAA:

  • Definitions: MedStack’s BAA clearly defines critical terms, such as Breach, PHI, and Covered Entity, under HIPAA Rules. This clarity is essential for any effective BAA.
  • Permitted Uses and Disclosures: The agreement outlines specific scenarios where MedStack may use or disclose PHI, either as stipulated in the agreement or as required by law. This serves as a model for how BAAs can specify boundaries for PHI handling.
  • Obligations of MedStack: The agreement details MedStack’s commitments, including using and disclosing PHI only as permitted, implementing safeguards, reporting any breaches, and ensuring subcontractor compliance. These obligations are a key part of any BAA, ensuring all parties understand their responsibilities.
  • Client Obligations: MedStack’s BAA also outlines the customer’s responsibilities, such as implementing safeguards for PHI, encrypting PHI, and obtaining necessary consent. This mutual understanding of obligations is crucial for maintaining HIPAA compliance.
  • Term and Termination: The BAA remains effective as long as the MedStack Customer Agreement is in place and details the conditions under which it can be terminated. This aspect of the agreement ensures both parties are clear about the duration of their commitments and the termination process.

By studying MedStack’s BAA, organizations can gain insight into the essential components of a HIPAA-compliant business associate agreement.

Final Thoughts

A Business Associate Agreement (BAA) is a vital contract in healthcare. It ensures that when patient data is shared, it’s protected. Think of it as a safety promise between two parties. If a healthcare provider shares patient details with another service, like billing, this agreement ensures data is handled correctly. So before sharing patient information, having a BAA is essential.

If you’re looking for a trusted HIPAA compliance partner, reach out to MedStack for more information.