HIPAA Tip #5: Understanding HIPAA Business Associate Agreements
In our last HIPAA Tip post on Understanding HIPAA Business Associates (BAs), we mentioned that BA relationships are governed by so-called BA Agreements, or BAAs. In this post, we explain what BA Agreements are, the terms in them, and what they mean for developers.

HIPAA Business Associates Must Have BA Agreements in Place Before PHI is Moved

BAAs must be in place before any PHI is transmitted to or exchanged with any Business Associate. This includes infrastructure vendors such as hosting firms and cloud service providers. HIPAA's enforcer, the HHS Office for Civil Rights (OCR), has issued a number of serious penalties against entities that exchanged PHI before a BAA was signed, or that had no BAA at all. Developers beware: sending PHI to any other entity without first executing a BAA is a clear and serious HIPAA violation.

BA Agreements Are Legally Binding Contracts

BAAs are legally binding contracts, enforceable in court like any other contract. HIPAA makes BAAs mandatory whenever PHI is exchanged for virtually any purpose other than direct clinical care or payment for care. Since BAAs are binding agreements, developers need to know what they are agreeing to before signing them. The governing law and venue written into the BAA's terms also matter: if a dispute involving PHI arises with a Business Associate, it will be heard in the courts that clause specifies, under that jurisdiction's law.

HIPAA Requires Specific Things to Be in BA Agreements

HIPAA specifies certain provisions, or "terms", that BAAs must contain to be compliant. HIPAA permits additional terms to be added if both parties agree and the additional terms do not conflict with HIPAA's other requirements and restrictions. And since BAAs are legal contracts, they must actually be signed, or "executed", by both parties for the Agreement to be in effect. Electronic signatures (versus handwritten) are permitted, as long as the signing process complies with applicable electronic-signature laws.

Provisions (Terms) Contained in Common BAAs

BA Agreements are all about protecting PHI and assigning responsibilities and duties around it. Because of this, BAAs must contain at least the following ten terms in order to be valid and compliant with HIPAA law.

  1. Permitted Uses and Disclosures — establishes both the permitted and required uses and disclosures of PHI by the Business Associate.
  2. No Further Uses or Disclosures — provides that the BA will not use or further disclose PHI other than as permitted or required by the contract, or as required by law.
  3. Use of Appropriate Data Safeguards — requires the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing requirements of the HIPAA Security Rule.
  4. Disclosure of Breaches, Compromises and Threats to PHI — requires the BA to report to its upstream BA (or to a Covered Entity, if applicable) any use or disclosure of PHI not provided for in the BAA, including incidents that constitute breaches of unsecured PHI. Such disclosures must be made promptly, and timeframes for reporting are usually specified.
  5. Disclosure of PHI to Facilitate Patients' Rights Under HIPAA — requires the BA to disclose PHI as specified, to satisfy obligations regarding Patients' Rights under HIPAA. This can include patient requests for copies of PHI, as well as amendments and accountings of disclosures. This provision is often waived in BAAs with tech firms, making Patient Rights the responsibility of an upstream BA or Covered Entity, usually a medical provider. HIPAA permits this if all parties agree.
  6. Coordinate with HIPAA Obligations of Related Covered Entities or BAs — to the extent the BA is to carry out a Covered Entity's (or other BA's) obligations under the HIPAA Privacy Rule, this requires the BA to comply with the HIPAA requirements that apply to those obligations.
  7. Make Data Available to HHS to Determine Compliance with HIPAA — requires the BA to make its internal records relating to uses and disclosures of PHI available to the OCR, so it can determine or investigate compliance with HIPAA.
  8. Contract Termination — at termination of the BA Agreement, requires the BA to return or destroy all PHI received from the upstream BA or the Covered Entity, whichever applies. Where return or destruction is not feasible (for example, PHI retained in backups that cannot be selectively purged), HIPAA requires the BA to extend the BAA's protections to that PHI for as long as it is retained and to limit further uses and disclosures to the purposes that make return or destruction infeasible.
  9. Ensure Subcontractor Compliance — requires a BA to ensure that all subcontractors with access to PHI agree to the same restrictions and conditions that apply to the BA itself. This creates the “BA chain”, where PHI and BA Agreements flow down from an original source of PHI, and includes every one of the BAs (subcontractors) handling or processing the PHI.
  10. Authorize Termination of the BAA for Violations — authorizes termination of the BA Agreement if either party violates a material term of the contract, which includes material violations of the HIPAA Regulations.

Seek Qualified Legal Help if Needed

Developers should expect to find these terms in every BA Agreement they encounter, and should know that additional terms may also be present. Vendors with real HIPAA experience are available and can make compliance faster and easier. Finally, before signing any BA Agreement, seek the advice of competent legal counsel, and be sure you fully understand each of the terms.

Was this article helpful? Check out our final tip on choosing a HIPAA-compliant vendor or subscribe below to learn more about MedStack and get tips delivered straight to your inbox.