Business Associate Agreements: From “What?” to “Done!”
By Gracie Hogue, BM
The saying “it takes a village” doesn’t only apply to raising children – there are many other businesses that keep your practice running successfully that cannot be in-house or self-supplied. This is essentially what business associates are. Here’s the more technical version: A business associate is a person or entity who performs functions or activities on behalf of or provides services to a covered entity that involves access to PHI. The HIPAA Rules require that the Business Associate will appropriately safeguard PHI.
Here are some examples of possible business associates to a dental and/or medical practice:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
To be HIPAA compliant, you need to have Business Associate Agreements with these businesses.
Now, what should that agreement consist of?
A written contract between a covered entity and a business associate must:
- Establish the permitted and required uses and disclosures of protected health information by the business associate;
- Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
- Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
- Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
- Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
- To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
- Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
- At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
- Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
- Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.
Here’s a free model of a BAA: https://www.hhs.gov/sites/default/files/model-business-associate-agreement.pdf
The Business Associate Agreement serves to clarify and limit as appropriate the permissible uses & disclosures of PHI by the business associate. The business associate is directly liable under the HIPAA rules and subject to civil and criminal penalties just like a Covered Entity for making uses and disclosures of PHI that are not authorized or failing to safeguard the ePHI.