Businesses involved in the healthcare industry in the United States need to comply with the privacy and security standards defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These guidelines apply to how protected health information (PHI) and electronically protected health information (ePHI) are processed, shared, and transmitted. In our discussion, we will use the terms PHI and ePHI interchangeably.
Two types of organizations are required to comply with HIPAA privacy and security standards. They are categorized as either a Covered Entity (CE) or Business Associate (BA). This article will discuss the details of a Business Associate Agreement (BAA) made between a CE and BA.
Covered Entities and Business Associates
In HIPAA terminology, a covered entity is one of the following:
- A healthcare provider such as a doctor, dentist, health clinic, nursing home, or pharmacy.
- A health plan that includes HMOs, health insurance companies, company health plans, and government programs like Medicare and Medicaid.
- A healthcare clearinghouse such as transcription services that process nonstandard health information into another format.
A business associate is defined as a person or organization that performs specific functions or activities involving the use or disclosure of protected health information, on behalf of, or provides services to, a covered entity. Some examples of a BA are:
- Organizations that provide cloud hosting services to covered entities that include storing, transmitting, and processing ePHI.
- Third-party administrators that assist a covered entity with tasks such as insurance claims processing, billing, and payment processing.
- Accountants or attorneys providing services to a covered entity that involve access to PHI.
- Independent medical transcriptionists working for a covered entity.
- External companies relied on for outsourced services, such as EMR providers, IT service providers, answering services for medical offices, telemedicine providers, and more.
A covered entity can also be a business associate of another covered entity. Business associates can outsource activities to subcontractors who also need to maintain HIPAA compliance. A CE needs to understand the relationship between its BAs and ensure that everyone is complying with HIPAA guidelines.
It is the responsibility of the covered entity to ensure that the business associates they are working with are aware of their role in processing PHI. In many cases, such as when a doctor’s office uses a third-party cloud-hosted healthcare solution, the BA is more involved in directly handling PHI than the covered entity.
Ignorance of the fact that PHI is involved can result in exposing sensitive data unintentionally to unauthorized actors and risks a data breach. To ensure that all parties understand their roles and responsibilities regarding ePHI, business associate agreements need to be in place for each BA working with a given covered entity.
What is a Business Associate Agreement?
A Business Associate Contract, or Business Associate Agreement, is a contract that stipulates the types of protected health information (PHI) that will be provided to the business associate, the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information, and the actions that the BA must take in the event of a security breach that exposes PHI.
The same provisions are in place for BAAs between covered entities and business associates as well as those between BAs and their subcontractors. According to HIPAA standards, the following information needs to be incorporated into BAAs drawn up between CEs and their business associates. The written contract established between a CE and BA needs to:
- Define the permitted and required use and disclosures of PHI by the BA.
- Instruct the BA not to use or disclose PHI in ways not permitted by the contract unless required by law.
- Outline the safeguards that need to be in place to prevent unauthorized use or disclosure of PHI, based on the HIPAA Security Rule.
- Require business associates to report any use or disclosure of PHI not defined in the contract to the covered entity.
- Ensure the BA discloses protected health information as specified in its contract to satisfy a covered entity’s obligations to provide individuals with copies of their protected health information.
- Require the BA to comply with a covered entity’s obligations under the HIPAA Privacy Rule.
- Require that the BA make its records and practices available to HHS for auditing the covered entity’s HIPAA compliance.
- Ensure that, where feasible, the BA returns or destroys all ePHI associated with the covered entity.
- Instruct the BA to maintain the same restrictions and conditions it is subject to with all of its subcontractors.
- Authorize contract termination if the BA violates any of its terms.
Checklist for Drafting a Solid Business Associate Agreement
Taking into account the specific information required to be in a BAA, the following checklist provides a good place for a covered entity to start when establishing an agreement. Make sure all of these elements are present in a BAA.
- Description of the proper use of PHI.
- When and how PHI can be disclosed.
- The need for additional BAAs to cover subcontractors.
- How PHI will be destroyed by the BA.
- The technical safeguards that will be in place to protect PHI.
- The BA’s role in satisfying the CE’s HIPAA obligations.
- When mandatory disclosure of PHI is warranted.
- How and when data breaches must be reported.
- The right to terminate the BAA.
What to Avoid When Entering a New Business Associate Agreement
When entering any type of business arrangement, there are certain items, factors, or characteristics that should raise red flags concerning the ability of the parties to successfully carry out their responsibilities. This is certainly true of BAAs, and a poorly constructed or inferior agreement can result in a breach of unsecured protected health information. The associated costs to the covered entity and the individuals whose data was compromised make it imperative that only verifiable business associate agreements are put in place.
The following red flags need to be avoided by a covered entity when entering into a BAA with a business associate.
- Non-searchable policies and procedures – Policies and procedures need to be searchable to satisfy investigations by the Office for Civil Rights (OCR) that require the production of specific documents. Searchable documentation is also necessary to effectively train the workforce to maintain HIPAA compliance.
- Unclear and non-standard policy document formatting – A clearly identified structure for formatting and indexing procedures needs to be in place to facilitate identifying and locating documents.
- Long and overly complex policy documents – Policy and procedure documentation should be logical and concise to reduce the possibility of being misunderstood.
- Inefficient approval processes – The approval process used to create and maintain policies and procedures needs to provide efficient and prompt action when changes need to be implemented.
- Incomplete employee training records – Documentation needs to exist demonstrating employee training on security policies and procedures. These reports must be kept and made available for six years.
- Dusty physical copies of policy manuals – It is common for policy documents to be stored online where they are easily accessible. Unused policy documents indicate a lack of employee training and possibly outdated procedures.
- Policies lacking risk or compliance assessments – BAs should be conducting regular risk assessments to ensure they are in compliance with HIPAA security and privacy guidelines. An inability to produce recent assessments should concern a covered entity considering entering into a BAA with a third party.
Covered entities searching for viable business associates can use the business associate agreement as a measuring stick for evaluating their potential partners. Organizations that do not meet the provisions required to be in a viable BAA should not be considered by CEs intent on protecting their patients’ and customers’ PHI. The stakes are too high for taking risks with sensitive and protected data privacy and security.