Business Associate Agreements (BAA) are one of the requirements for a covered entity and their business associates and a key component to HIPAA compliance. This article will walk you through identifying where BAAs are required, describe the main components of a BAA, provide resources for BAA templates, and offer a cautionary tale as a reminder of the importance of maintaining BAAs where necessary. For more information on determining if you are a covered entity, CMS.gov provides this helpful tool.
Mapping Protected Health Information (PHI)
Before a company requests every vendor to enter into a BAA, it is best to identify who the applicable business associates are. This begins with an exercise of identifying and mapping the flow of PHI throughout the business. Once PHI is an electronic record, it becomes ePHI. Begin by answering these questions to create an idea of how PHI flows through the business and who touches it:
- How is PHI collected?
- Who has first contact with PHI?
- How is it entered into the system?
- Where is it stored physically and electronically?
- Who has access to the ePHI?
- Who is responsible for maintaining IT equipment which stores ePHI?
- Where is ePHI backed up?
- Who has access to and maintains backups?
If a business is dealing more with ePHI than physical hard copy PHI, some of these questions may have technical answers.
HIPAA Compliance: Identifying Business Associates
Once the flow of PHI and ePHI has been determined, a company can then identify any non-employee individuals, contractors, vendors, or subcontractors that potentially have physical or logical access to PHI or ePHI. A business associate is an individual or an entity that performs activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. If a third-party service provider or contractor is given access to, or could come into contact with, your organization’s PHI, it is good business practice to treat them as a business associate.
Hhs.gov is very detailed and clear in describing business associate identification by giving bulleted examples and explaining the variety of services that could be provided which would classify an organization or individual as a business associate. According to hhs.gov, “business associate functions and activities include: claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.”
Components of the BAA
Once a business associate for HIPAA purposes is identified, a business associate agreement should be put in place. The BAA is a contractual agreement between the covered entity and the business associate, and it is important that both entities acknowledge they are beholden to HIPAA regulation. A well-worded BAA can protect both parties in the event of a breach, so it is in both parties’ best interest that the BAA is executed using the proper language.
HIPAA Business Associate Agreement Requirements
In addition to acknowledging that both parties fall under HIPAA regulations, the BAA should contain the following components to achieve full HIPAA compliance for working with business associates:
- Describe the permitted and required uses of PHI by the business associate
- Provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law
- Indicate the business associate must get BAAs for their relevant subcontractors
- Specify procedures for the business associate to return or destroy PHI
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract
- Define circumstances where the business associate must disclose PHI, i.e. at the patient’s request or at the request of Health and Human Services
- Require the business associate to report breaches or disclosure of PHI not provided for in the contract to the covered entity in a timely manner
- Include rights to terminate and the business associate’s obligation upon termination
Again, hhs.gov provides descriptive, helpful guidance on BAAs. They also provide a sample template.
Monitoring your Business Associate: SOC 2 + HIPAA
Entering into a BAA reduces some of the liability of outsourcing business functions related to PHI, but it is best to understand the controls the business associate has in place to safeguard PHI or ePHI. One of the easiest ways to do this is to obtain and review any reports completed by a third party on the controls a business associate has in place.
Examples could be a SOC 1 report, a SOC 2 report, or a HIPAA compliance report. If your business associate performs functions related to ePHI, the ideal report would be a SOC 2 + HIPAA report. This report describes and reports on the design and operating effectiveness of the security controls in place at the business associate’s organization and includes controls that are directly related to the HIPAA Security Rule and ePHI. The report should be reviewed to identify any design and/or operating deficiencies, and these should be evaluated based on how they affect the covered entity’s ePHI.
A Cautionary Tale About HIPAA Business Associate Agreements
A recent settlement between the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and an orthopedic clinic highlights the importance of executing a HIPAA business associate agreement with appropriate third-party service providers. In the OCR settlement, an orthopedic clinic agreed to pay $750,000 to settle charges that it violated HIPAA’s requirements concerning the safeguarding of the protected health information (PHI) of 17,300 patients.
According to the OCR, the clinic made an oral agreement with a vendor whose business involved salvaging silver from x-ray films. In exchange for the salvaged silver, the vendor agreed to transfer the x-ray images to electronic media. The clinic failed to execute a written agreement with the vendor prior to turning over the x-ray images and patient information. Such agreements are required under HIPAA.
As a covered entity, the orthopedic clinic should have recognized its obligation to execute a BAA with the silver-salvaging vendor prior to giving them the x-ray films and associated patient data. Likewise, had the vendor been permitted to and decided to engage a subcontractor to scan the x-ray images, the vendor would have been obligated to execute a BAA with that subcontractor. The onus to obtain a BAA is on the entity sharing the PHI down the chain of custody.
In addition to the fine, the clinic agreed to revise its policies and procedures to:
- Establish a process for assessing whether entities are business associates,
- Designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate,
- Create a standard template business associate agreement,
- Establish a standard process for maintaining documentation of a business associate’s agreements for at least six (6) years beyond the date of termination of a business associate relationship, and
- Limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.
Don’t get caught in a situation such as this. Make sure your organization properly identifies business associates and executes a thoroughly written BAA with each one. Prioritizing compliance with HIPAA regulations and including BAAs in the contractor and vendor management process can prevent fines and reputational damage.