A business associate agreement (BAA) is a contract between a covered entity and a business associate, entered into before any activities that involve the disclosure of protected health information (PHI). It is required under the Health Insurance Portability and Accountability Act (HIPAA) to protect the security of individuals’ health information.
Authorization Required
A business associate agreement must be signed before a party can receive, maintain, create, or transmit PHI on a covered entity’s behalf.[1]
What’s Included?
A business associate agreement outlines the obligations of an individual or company that will be accessing a covered entity’s PHI, which include:
- Safeguards. Implementing appropriate measures to minimize the risk of a security breach or unwanted disclosure of PHI.[2][3]
- Compliance with HIPAA Security Rule. Providing administrative, physical, and technical safeguards.[4]
- Accessibility. Allowing patients to obtain, add to, or amend their medical records and information.[5]
- Reporting. In the event of a breach, the business associate agrees to report all of its details to the covered entity.[6]
- Subcontractors. If the business associate uses any subcontractors that obtain access to PHI, those subcontractors must also agree to the same rules and regulations.[7][8]
What is a Business Associate?
A business associate is a contractor, business entity, or service provider that performs services involving the handling of PHI on behalf of a covered entity.[9]
Examples
- Accountants. Bookkeepers or CPAs hired to assist with a covered entity’s finances and tax records.
- Attorneys and law firms. Legal counsel hired by a covered entity for consultation or representation.
- Billing companies. A third party used to assist with the coding and billing of specific patients.
- Claims processing companies. Any company, other than an insurer, that assists the covered entity in processing claims.
- Consultants. A third party hired to assist with an audit, compliance, or other services.
- Contractors. Individuals hired on a short- or long-term basis to provide services.
- Data or IT storage providers. Hosting or server companies, or EHR vendors.
- Subcontractors. Similar to contractors, although they sign a separate subcontractor agreement with the contractor (not the covered entity).
NOT a Business Associate
- Employees, interns, and volunteers. They would, however, need to sign a confidentiality agreement.
- Financial institutions. A bank, credit union, or credit card company that processes payments and does not handle medical information during the billing process.
- Healthcare providers. Other healthcare providers that work with the covered entity, such as doctors, nurses, pharmacists, and hospitals.
- Insurance companies. They are considered a covered entity and not a business associate under HIPAA.
- Postal companies. USPS, FedEx, UPS, and any other postal or courier company that handles medical records for delivery.
- Property staff. Cleaners and janitors of an office complex in which a medical office is located.
Sample
BUSINESS ASSOCIATE AGREEMENT
THIS AGREEMENT is entered into on [DATE], by and between:
Covered Entity: [COVERED ENTITY’S NAME], with a mailing address of [COVERED ENTITY’S ADDRESS] (“Covered Entity”), and
Business Associate: [BUSINESS ASSOCIATE’S NAME], with a mailing address of [BUSINESS ASSOCIATE’S ADDRESS] (“Business Associate”).
WHEREAS, Business Associate provides certain services to or on behalf of Covered Entity, and in connection with those services, Business Associate creates, receives, maintains, or transmits protected health information (PHI);
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
1. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
a. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Agreement or as required by law.
b. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
2. PROHIBITION ON UNAUTHORIZED USE OR DISCLOSURE
a. Business Associate will not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
3. MITIGATION OF HARMFUL EFFECTS
a. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
4. OBLIGATIONS OF BUSINESS ASSOCIATE
a. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of the PHI other than as provided for by this Agreement.
b. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware.
c. Business Associate agrees to ensure that any agent, including a subcontractor, agrees to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
5. DUTIES UPON TERMINATION
a. Upon termination of this Agreement for any reason, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
6. INDEMNIFICATION
a. Business Associate agrees to indemnify, defend and hold harmless Covered Entity and its directors, officers, employees, and agents from and against all claims, damages, liabilities, judgments, costs, and expenses (including reasonable legal fees and expenses) arising out of or in connection with any breach of this Agreement by Business Associate, or any negligent or wrongful act or omission of Business Associate concerning its use or disclosure of PHI.
7. INSURANCE
a. Business Associate will maintain a policy or policies of insurance with coverage amounts that are commercially reasonable and customary for the risks associated with this Agreement.
8. TERM AND TERMINATION
a. The Term of this Agreement shall be effective as of the date mentioned herein and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information.
b. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
i. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate the contract if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
ii. Immediately terminate the contract if Business Associate has breached a material term of the contract and cure is not possible; or
iii. If neither termination nor cure is feasible, report the violation to the Secretary.
9. TRAINING
a. Business Associate shall train its employees and subcontractors on the requirements of HIPAA and the BAA.
10. DATA OWNERSHIP
a. It is agreed that all PHI is owned by the Covered Entity.
11. DISPUTE RESOLUTION
a. The parties agree to negotiate in good faith to resolve any disputes that arise out of this Agreement.
This Agreement is executed the day and year first written above and is binding upon the parties, their successors, and assigns.
Covered Entity:
Signature: ____________________________ Date: ______________
Name: ____________________________
Title: ____________________________
Business Associate:
Signature: ____________________________ Date: ______________
Name: ____________________________
Title: ____________________________