Natali_Mis/istock via Getty Imag
What Is a HIPAA Business Associate Agreement (BAA)?
HIPAA-covered entities must have a business associate agreement (BAA) in place with each of their partners to maintain PHI security and overall HIPAA compliance.
HIPAA-covered entities are required to enter into business associate agreements (BAAs) with any third party that handles protected health information (PHI).
As the cyber threat landscape evolves and data privacy and security concerns escalate, healthcare organizations are increasingly relying on third parties to manage vast amounts of PHI. As a result, comprehensive business associate agreements have become crucial to compliance, security, and privacy.
But what exactly are HIPAA business associates? Are they held to the same healthcare privacy and security requirements as covered entities? What happens when they violate their obligations?
In this primer, HealthITSecurity takes a deeper look into the role of business associates and BAAs in the healthcare security ecosystem and explains why they are vital to healthcare organizations.
What is a BAA?
According to HHS, any individual or entity that performs functions or activities on behalf of a covered entity that requires the business associate to access PHI is considered a business associate.
This individual or organization may also provide services to a covered entity. Examples include a consultant who does hospital utilization reviews or an attorney who has PHI access as they provide legal services to a healthcare provider.
HIPAA permits covered entities to disclose protected health information to a business associate only to help the covered entity carry out its health care functions.
However, there are exceptions to the business associate standard, HHS says, where “a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.”
These exceptions include but are not limited to the following situations:
- Disclosures by a covered entity to a healthcare provider for treatment of the individual
- PHI collection and sharing by a health plan that is a public benefits program, such as Medicare
- Disclosures to a health plan sponsor, by a group health plan, the health insurance issuer, or HMO that provides health insurance benefits or coverage for the group health plan
- With individuals or organizations that are a conduit for PHI, like the US Postal Service
Once a covered entity has identified its applicable business associates, it must ensure that these third parties will only use any provided PHI in a secure and established manner.
“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions—not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” HHS maintained on its website.
Here is where business associate agreements come into play.
Understanding the intricacies of business associates and BAAs
Established in 2013, the HIPAA Omnibus Rule changed how business associates are expected to maintain PHI security.
“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website.
“The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”
Business associates can also now be subject to similar repercussions as covered entities under HIPAA regulations should PHI become compromised in a healthcare data breach.
A business associate agreement, or business associate contract, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.
The agreement must describe permitted and required PHI uses for the business associate and state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI disclosure outside of what is permitted in the contract.
“Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to [OCR].”
A sample business associate agreement can be found on HHS’ website here.
What happens when business associates violate HIPAA regulations?
Business associates can be held liable for PHI exposure, just like covered entities. Entering into a BAA holds business associates accountable for complying with HIPAA or risk facing penalties associated with noncompliance.
The HHS website states that business associates are directly liable for the following HIPAA violations:
- Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either (a) the covered entity or (b) the individual or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations under 45 CFR 164.524(c)(2)(ii) and 3(ii), respectively, with respect to an individual’s request for an electronic copy of PHI.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
In September 2020, CHSPSC agreed to pay $2.3 million in penalties as part of the most recent enforcement action against a business associate by the Office for Civil Rights (OCR). CHSPSC provides services to hospitals indirectly owned by Community Health Systems.
The enforcement action stemmed from a 2014 data breach that impacted more than 6 million patients and 237 covered entities. Hackers exfiltrated Social Security numbers, birth dates, contact information, and emergency contact details.
The OCR’s audit revealed “longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.”
The CHSPSC case is a clear example of the perils of failing to sign a BAA.
Both covered entities and business associates will benefit from having a current and comprehensive BAA in place. This way, all parties understand how they are expected to store, transfer, and handle PHI and other sensitive information.
Additionally, BAAs will help ensure HIPAA compliance and prove to OCR that organizations took the necessary steps to keep data secure should an investigation ever need to take place.
Reviewing the business associate relationship, engaging with third-party vendors
Before entering into a business relationship with a vendor, healthcare organizations must vet potential partners and ensure they can be trusted with PHI. Additionally, organizations should have all potential vendors undergo a technical review to ensure their security controls are up to the organization’s standards.
Depending on the amount and type of data a vendor will have access to, onboarding may look slightly different.
“If the vendor has access to PHI, that’s obviously going to be a much more high-risk vendor. We have to consider operational risk, too. The vendor may not have access to PHI, but if they run our HVAC system in the OR, that’s a different risk,” Michael Shrader, director of information security at South-Central Pennsylvania integrated health system WellSpan Health, said in a previous interview with HealthITSecurity.
“We have to make sure that we assess those risks appropriately because if we cut off their access and they can’t fix the HVAC, there could be some serious consequences.”
Shrader also noted the limits of BAAs, which underscore the importance of third-party risk assessments in conjunction with BAAs.
“We all have business associate agreements that help us transfer risk,” Shrader said. “But they are just agreements. There’s nothing technically preventing them from doing something wrong with our data.”
For that reason, healthcare organizations should continually reassess third-party vendors to ensure compliance. Shrader recommended that health systems review vendors yearly, if possible.
It may be helpful to align vendor reassessments with the health system’s procurement cycle so that before the bill is paid, the vendor must complete an updated questionnaire. Integrating reassessments with system upgrades is a practical way to prevent vendors from slipping through the cracks.
To create a comprehensive business associate agreement, healthcare providers should also consider reaching out to a neutral third party, such as a lawyer or consulting firm.
For example, a lawyer who practices in the healthcare IT privacy and security space should understand the intricacies of HIPAA and understand what needs to be in place in a proper business associate agreement.
HHS also suggests consulting State Attorney’s General Offices and Office of the National Coordinator for Health Information Technology (ONC) guidance for general information about the HIPAA Privacy and Security Rules, beyond just business associate agreements.
Comprehensive knowledge of HIPAA regulations will help providers and healthcare executives understand the business associate relationship. Utilizing available tools and resources can also help organizations create applicable business associate agreements to ensure PHI security.
Originally published on April 28, 2017. Updated on February 14, 2022.