What Is a BAA and Why Is It Essential for HIPAA Compliance?

By Cloudticity, L.L.C. | tagged: hipaa

For healthcare organizations, complying with HIPAA regulations is mandatory. Your organization needs to implement robust internal policies and processes to safeguard the protected health information (PHI) you generate, share, and store. At the same time, you need to ensure that your partners, vendors, and subcontractors are similarly prepared to protect that information.

A business associate agreement (BAA)—or business associate “contract”—records that commitment from third-party organizations to protect your PHI. Required by the HIPAA Privacy and Security Rules, a BAA sets out each party's responsibilities and establishes how the two organizations will work together to maintain security and privacy.

In this blog post, we’ll further define what a BAA is, clarify which organizations must use them, and highlight some types of failures that can occur with BAAs. We’ll also explore a few frequently asked questions surrounding BAAs.

What is a BAA?

A BAA is a contract between a covered entity (such as a provider, health plan, or healthcare clearinghouse) and one of its business associates. The contract affirms the shared commitment to safeguarding PHI and defines each side’s responsibilities. For example, a typical contract might specify:

  • How the business associate can use and disclose PHI
  • What types of security controls should be implemented
  • How requests for PHI from patients should be addressed
  • How the business associate will ensure that subcontractors safeguard PHI
  • How the business associate should provide an accounting of disclosures
  • How breaches should be reported

Who needs a BAA?

Covered entities need to sign BAAs with every individual, partner organization, or vendor that creates, receives, maintains, or transmits PHI on their behalf in the course of its work. Business associates, in turn, need BAAs with any subcontractor to which they pass that PHI.

Understanding business associates and business associate subcontractors

Your organization likely works with a wide variety of partner businesses and individuals. Many—but not all—of those entities are required to enter into a BAA to comply with HIPAA regulations.

Who are business associates and business associate subcontractors?

The Department of Health and Human Services (HHS) defines a business associate as a person or entity that creates, receives, maintains, or transmits PHI while performing functions or services on behalf of a covered entity. A business associate subcontractor is a person or entity that handles PHI while performing functions or services on behalf of a business associate.

Business associates (and subcontractors) range from billing and claim-processing companies, accounting firms, and transcriptionists to cloud service providers (CSPs) and managed service providers (MSPs).

Who are not business associates and subcontractors?

Employees of covered entities are not business associates or subcontractors. In addition, individuals with incidental access to sensitive information—such as electricians or security guards—are also not business associates or subcontractors.

People and organizations that are “conduits” for transporting PHI but that do not access PHI do not count as business associates. So, for example, mailing, shipping, and messenger services are not business associates—nor are internet service providers, even though PHI might be transmitted electronically. Note that HHS interprets the conduit exception narrowly: it covers transmission services (including any storage that is only temporary and incidental to transmission), not services that persistently store PHI. A cloud provider that stores ePHI for you is a business associate even if the data is encrypted and the provider never holds the decryption key.

Contractors and confidentiality agreements:

Contractors whose work is under the direct control of a covered entity—onsite staff who are effectively part of its workforce, for example—are not considered business associates, because HIPAA treats them as workforce members rather than as outside parties. The covered entity remains accountable if those contractors fail to comply with regulations, so they should be trained and supervised like employees. Some organizations sign BAAs with such contractors anyway, but many organizations find that a confidentiality agreement is sufficient to cover the liabilities involved.

Common covered entity BAA failures

Understanding what a BAA is and why it’s important is vital for complying with HIPAA rules. But organizations can still make critical errors in implementing BAAs. Some common BAA failures include:

Not having a HIPAA BAA for all companies that touch ePHI:

As you generate, store, and transmit electronic PHI (ePHI), information might pass through systems whose vendors need to enter into BAAs. For example, the provider of a hosted email service you use to send PHI is a business associate, because messages containing ePHI are stored on the provider’s servers. Mapping where ePHI flows—which systems, which vendors, and which of their subcontractors—is the practical starting point for finding these gaps.

Assuming a signed BAA means compliance with HIPAA:

Entering into BAAs with business associates is critical. But doing so is not a guarantee of compliance with HIPAA regulations. Let’s say you begin working with a CSP to store medical records. In addition to signing a BAA with that cloud provider, you still need to be sure that you and the CSP have implemented all the proper controls to adhere to the HIPAA Security and Privacy Rules. The BAA covers the provider’s side of that shared responsibility; how you configure the services you use—access controls, encryption, logging, and so on—remains your obligation, and a misconfiguration on your side is your breach regardless of what the BAA says.

Common failures by business associates and their subcontractors

Business associates and their subcontractors are not immune to mistakes that can jeopardize your HIPAA compliance. Some of their potential failures include:

Failing to enter into BAAs with subcontractors:

Your business associates must have contracts in place with their subcontractors. Any entity that handles your PHI must enter into a BAA. Subcontractors must agree to the same types of rules and restrictions that are found in the BAAs between your organization and your business associates.

BAA template failures:

You can find free BAA templates on the internet. But ultimately it’s up to you to ensure that a template is up to date—covering all regulatory responsibilities—and relevant to your relationship with each business associate. You will likely need to customize any free templates to meet your specific requirements.


What is the purpose of a BAA?

A BAA makes business associates accountable for complying with HIPAA security and privacy rules relating to PHI. The contract defines each party’s responsibilities for safeguarding PHI and establishes how organizations should work together to ensure compliance.

Is a BAA a confidentiality agreement?

No. A BAA is between a covered entity and a business associate that might access PHI. A confidentiality agreement is more appropriate for individuals—such as janitors, electricians, or other operational staff members—who might incidentally or accidentally encounter PHI.

What must be included in a BAA?

At a minimum, the contract should define the permitted and required uses and disclosures of PHI by the business associate and prohibit any others. It should also require the business associate to implement appropriate safeguards to prevent misuse or inappropriate disclosure of PHI, to report breaches and security incidents, and to hold its own subcontractors to the same terms. In addition, the BAA should define other relevant aspects of the business relationship between the covered entity and business associate, such as how patient access and amendment requests are handled, how disclosures are tracked for an accounting, and what happens to the PHI when the contract ends (return or destruction where feasible). HHS publishes sample BAA provisions on its website that you can use as a checklist against any template.

What happens when business associates violate HIPAA regulations?

Business associates are directly liable under HIPAA for many of its requirements and can be fined directly by regulators for exposing PHI or otherwise failing to comply with HIPAA rules. That direct liability does not relieve the covered entity of its own obligations, however; both parties can face enforcement for the same incident.

Cut through compliance complexity

For many healthcare organizations, working with outside experts is the most efficient and effective way to ensure compliance with HIPAA regulations. Partnering with a healthcare-focused MSP such as Cloudticity can help you navigate the complexities of HIPAA compliance in the cloud. You can make sure you are selecting CSPs that are willing to enter into BAAs, and then streamline the process of achieving and maintaining compliance.

To learn more about how Cloudticity can help you comply with HIPAA regulations as you expand your use of cloud services, download the HIPAA Guide for AWS or the HIPAA Guide for Azure. Or schedule a free consultation to learn how we can work together to simplify HIPAA.
