What is a HIPAA Business Associate Agreement (BAA)?

January 3rd, 2018

Covered entities must ensure that they have a current HIPAA BAA in place with each of their partners to maintain PHI security and overall HIPAA compliance.

As healthcare data collection and usage continue to grow, and interoperability between systems, vendors, and partners increases, HIPAA covered entities need formal arrangements with these vendors and partners to ensure the security of their data assets. These arrangements are known as business associate agreements (BAAs).

But what exactly are HIPAA business associates? Are they held to the same healthcare privacy and security requirements as covered entities? What happens when they violate their obligations?

In this blog post, we take a deeper look at these essential members of the healthcare security ecosystem and explain why HIPAA business associate agreements are vital to healthcare organizations.

WHAT IS A BAA?

According to HHS, any individual or entity that performs functions or activities on behalf of a covered entity, where those functions require access to PHI, is considered a business associate.

This individual or organization may also provide services to a covered entity. Examples include a consultant who does hospital utilization reviews or an attorney who has PHI access as he provides legal services to a healthcare provider.

Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions.

However, there are exceptions to the business associate standard, HHS says, where “a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.”

These exceptions include but are not limited to the following situations:

  • Disclosures by a covered entity to a healthcare provider for treatment of the individual
  • PHI collection and sharing by a health plan that is a public benefits program, such as Medicare
  • Disclosures to a health plan sponsor, by a group health plan, the health insurance issuer, or HMO that provides health insurance benefits or coverage for the group health plan
  • With individuals or organizations that are a conduit for PHI, like the US Postal Service

Once a covered entity has identified its applicable business associates, it must ensure that these third parties will only use any provided PHI in a secure and agreed-upon manner.

“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” HHS maintained on its website.

This is where business associate agreements, or business associate contracts, come into play.

UNDERSTANDING THE INTRICACIES OF BUSINESS ASSOCIATES AND BAAS

The HIPAA Omnibus Rule changed how business associates are expected to maintain PHI security.

“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website. “The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

Business associates can now also be held directly liable, and face penalties similar to those faced by covered entities under HIPAA regulations, should PHI be compromised in a healthcare data breach.

A business associate contract, or business associate agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”

The contract must also require the business associate to implement appropriate safeguards that prevent any use or disclosure of PHI beyond what the contract permits.

“Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to [OCR].”

A sample business associate agreement is available on the HHS website.