Business Associate Agreements: What's a BAA and When Do I Need One
Any third party that creates, receives, maintains, or transmits Protected Health Information (PHI) on your behalf is a HIPAA Business Associate. As a covered entity, you are expected to take appropriate steps to safeguard your PHI even after it leaves your organization. Business Associates are obligated to ensure the confidentiality, integrity, and availability of PHI, just like covered entities. But if you don't take the appropriate steps, you can be held responsible for HIPAA violations committed by your vendor.
There are some straightforward steps that greatly reduce the risk of a business associate causing you problems. Thoroughly vet any prospective business associate to confirm that it has implemented appropriate safeguards for PHI. Additionally, under the HIPAA Privacy and Security Rules, covered entities must obtain a signed Business Associate Agreement (BAA) before giving any vendor or third party access to PHI.
A BAA is a contract that specifies the business associate's obligations regarding PHI. It acknowledges that both the covered entity and the business associate are subject to HIPAA regulations.
The consequences of failing to obtain a proper BAA can be significant. In a 2016 resolution agreement, an orthopedic clinic settled with the Office for Civil Rights (OCR) after hiring an outside party to convert its X-rays into digital files. When a breach report triggered an investigation, OCR found that the clinic had never signed a Business Associate Agreement (BAA) with the vendor. The clinic paid $750,000 and was placed under a Corrective Action Plan.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, the Director of the OCR at the time of the Resolution Agreement. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Ensuring that you have proper contracts in place with your vendors regarding PHI is one of the most fundamental elements of a HIPAA compliance program. A Business Associate Agreement does the following:
1. Establishes when and why the business associate can use and disclose PHI.
2. Ensures that the business associate will not use or disclose PHI beyond the scope of the contract or as required by law.
3. Requires that the business associate implement appropriate safeguards to prevent unauthorized use or disclosure of PHI. This includes implementing the requirements of the HIPAA Security Rule for electronic Protected Health Information (ePHI). Remember that business associates, not just covered entities, must conduct a HIPAA security risk analysis and repeat it periodically.
4. Requires the business associate to report to the covered entity any use or disclosure of PHI not permitted by the contract, including any breach of unsecured PHI.
5. Requires the business associate to disclose PHI as specified in its contract so that the covered entity can satisfy its obligations with respect to an individual's right of access.
6. Ensures that, when applicable, the business associate will comply with the HIPAA Privacy Rule.
7. Requires that the business associate will make its internal practices and records related to the covered entity's PHI available to HHS, should HHS need to determine if the covered entity is in compliance with HIPAA.
8. Requires that, when the contract ends, the business associate return or destroy all PHI received from or created on behalf of the covered entity, if feasible.
9. Requires the business associate to ensure that any subcontractors that have access to PHI agree to the same restrictions and conditions that apply to the business associate.
10. Authorizes termination of the contract by the covered entity if the business associate violates the terms of the contract in regard to PHI.
A Business Associate can be penalized directly for HIPAA violations, so a good Business Associate Agreement is in the best interest of both parties. It clearly outlines each party's obligations regarding Protected Health Information and gives both of them guidelines to operate within.