Everything Practices Need to Know About Business Associate Agreements

In the early days of HIPAA, the Department of Health and Human Services developed the concept of Business Associate (BA) agreements in an effort to extend patient privacy protections to Providers’ vendors and partners. But in January 2013 the Department of Health and Human Services took an extra step in enforcing this rule when they published a final set of regulations entitled the “HIPAA Omnibus Rule,” modifying the existing Health Insurance Portability and Accountability Act (HIPAA).

The revised rules now state that a BA can be held directly liable (civilly or criminally) for violating HIPAA, but that doesn’t mean practices are off the hook. Practices are still responsible for ensuring (to the best of their ability) that the BAs they work with are HIPAA compliant.

This means practices need to scrutinize and re-assess their BA agreements and follow through on their due diligence to avoid liability if a BA is breached. Unfortunately, the same old standardized BA agreements still in use may not be cutting it. Here are some tips for what to include in a comprehensive BA agreement:

What information should be included? (Provisions per HRSA.gov)
Privacy provisions:

  • Describe the permitted and required uses of protected health information by the business associate;
  • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law;
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract;

Security provisions:

  • Include that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity;
  • Require the business associate ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards;
  • Provide that the business associate will report to the covered entity any security incident of which it becomes aware;
  • Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

What is the Provider’s role if a BA is breached?
If a Provider is made aware of a BA breach or any type of violation of the agreement, the Provider is required to take “reasonable steps” to “cure the breach or end the violation.” If the Provider is unsuccessful, the BA contract should be terminated and/or the Department of Health and Human Services should be notified.

Revisit Existing Agreements
As we mentioned earlier, information about new provisions may not be included in “standard” business associate agreements developed before the omnibus regulation. It is recommended that Providers review existing agreements for accuracy and update as necessary.

As compliance enforcement heats up, Providers should never assume that their BAs are clear on HIPAA requirements or understand the level of responsibility involved in protecting patient information.

If Providers do their part to educate BAs on the required provisions of HIPAA, they will ultimately save themselves an enormous amount of liability and headache in the case of a breach.