In order to maintain HIPAA compliance and ensure that sensitive health information remains secure, all healthcare providers must maintain a type of contract called a Business Associate Agreement with their technology vendors and service providers. In this guide, we’ll help you get a better understanding of what it means to establish a business associate agreement. What do these terms mean and how do they help protect your clients, your business, and protected health information? Here we’ll look at everything there is to know about business associate agreements.
What are Covered Entities and Who Counts as a HIPAA Business Associate?
HIPAA is the Health Insurance Portability and Accountability Act. It is the US federal law that regulates the protection of sensitive patient health information relating to PHI (protected health information) such as doctors’ notes or lab test results, medical histories, and other information that is stored and transmitted between covered entities and their business associates.
Under HIPAA a “covered entity” is any healthcare provider, but the definition also includes healthcare plans and healthcare clearinghouses. Such as:
- Claims processing
- Data analysis
- Quality assurance
- Practice or benefit management
HIPAA “business associates” are defined as persons or entities that use, disclose, maintain, create, receive, or transmit PHI on behalf of the covered entity for a healthcare function or other related purpose. They may also be entities that provide professional services to covered entities. This can include tech vendors, providers, and SaaS products. Such as:
- Legal services
- Financial services
Increasingly as practices digitize their workflows, more and more third-party vendors such as B2B Saas companies are selling to covered entities. In these cases, Business Associates might refer to a tech vendor providing a file-sharing vendor, CRM, or IT support vendor.
What is a Business Associates Agreement?
A Business Associates Agreement (BAA) is required between a covered entity like a hospital or other healthcare provider and each business associate. It is a contract that outlines each party’s responsibilities as it relates to protected health information and makes responsible the service provider who is now entrusted with the protected health information. This means that if you are transmitting PHI to another service provider, having that service provider sign a BAA makes them responsible for that information.
This applies to outside vendors which are used in the transfer, use, storage, or maintenance of PHI which can include IT vendors or cloud storage. An agreement is made between your organization and the outside party that handles this data which ensures that HIPAA guidelines will be complied with.
Any time a covered entity intends to disclose PHI to a business associate under the right circumstances, a BAA must be in place before the disclosure.
It is important to note that even if there is no contract involved an entity may still fall under definition as a business associate and remain liable in the event of potential mishandling of protected health information and thus HIPAA compliance. As such, your organization should do everything in its power to maintain a separate business associate agreement for each business associate that it does business with in relation to PHI. The same would be maintained for business associates and their subcontractors down the chain. If you meet the definition of a business associate you must comply.
Get the HIPAA Compliance Checklist for Business Associates
What is Required in a Business Associate Agreement?
A Business Associate Agreement is a written contract provided by vendors which outlines how a business associate will use and disclose protected health information. It must outline what is considered as permitted uses and disclosures of PHI. This will depend on what the covered entity has hired the business associate for. How is the information going to be used in healthcare business functioning or shared by the business associate to other subcontractors if necessary? As well, the BAA must prohibit all other use and disclosure other than what is permitted in the contract or by law.
For example, a healthcare provider who is a covered entity is providing treatment to a patient and wishes to share that patient’s information to a pharmacy, the business associate, for prescription coverage. In this example, the information can only be shared for this exact purpose and no other.
The BAA must require the business associate to employ appropriate physical, administrative, and technical security safeguards to protect the PHI from improper disclosure or use. Best practice here would be to follow the three pillars of the Security Rule. Ensure that there are proper controls and infrastructure in place to offer technical and physical safeguards and further safety protocol through administrative safeguards in establishing the proper policies and procedures that also encourage security and privacy.
Examples of technical safeguards include authentication and encryption where physical safeguards relate to facility access and physical locking mechanisms for cabinets or electronic key card readers for door entries. Administrative safeguards include policies, procedures, and training initiatives.
Finally, business associates must notify covered entities in the event of a breach.
A BAA ensures that all parties involved, including subcontractors which are also included in the definition of a business associate, know how they must handle and safeguard PHI.
Three Important Rules of HIPAA
- Privacy Rule: This rule applies to covered entities which are defined as health plans, healthcare clearinghouses, and healthcare providers. It allows for these covered entities to employ the use of outside business associates to enhance their business function so long as they can ensure that business associates only use PHI for the purposes stated in the business associate agreement. Business Associates must safeguard the PHI from any unauthorized access or misuse and assist the covered entity in compliance with the privacy rule. This rule also gives rights to the patient to access or make corrections to their information when necessary. It must be complied with in writing throughout the business associate agreement.
- Security Rule: This rule also applies to covered entities and their business associates in the protection of ePHI (PHI held or transferred in electronic form) and requires the appropriate physical, technical, and administrative safeguards to be in place for its protection. It does not apply to information transmitted in other forms such as in writing.
- Omnibus Rule: While HITECH put changes in place to ensure that Business Associates would be liable to HIPAA compliance in 2009, the Omnibus Rule put strength behind that leaning and made it enforceable in 2013. Once this rule was put in place, Business Associates and their subcontractors would have to follow the same standards as Covered Entities when it came to the protection of PHI. Covered Entities would no longer be held responsible on behalf of BAs.
The Omnibus Rule also set a new standard for breach notification. No longer was it required to report breaches that caused significant potential harm to over 500 people but instead any unauthorized use or sharing of protected health information would be considered a breach. Other aspects of the Omnibus Rule include allowing individuals better access to their ePHI and increasing limitations on sharing protected health information.
How Carbide can Help?
Carbide automatically generates custom policies, procedures, designates key officers, and tracks your progress towards compliance. Check out our guide on HIPAA business associate compliance and book a demo to learn from our experts how Carbide can help you get HIPAA compliant.