Do I need a Business Associate Agreement?

Your healthcare entity may need to enter into a signed Business Associate Agreement with certain vendors and contractors, depending on the type of services they will provide to your healthcare entity. Failure to produce a signed Business Associate Agreement could lead to fines and/or penalties from the Office for Civil Rights (“OCR”) in connection with potential HIPAA violations.


What is a Business Associate?

A business associate is one that creates, receives, maintains or transmits protected health information (“PHI”). Companies that only store encrypted PHI are also considered Business Associates. Subcontractors may also have to sign a Business Associate Agreement if they create, receive, maintain, or transmit PHI on behalf of a business associate.

A healthcare provider is not considered a business associate if disclosure of PHI is required for treatment. A covered entity participating in an Organized Health Care Arrangement (“OHCA”) that performs a function or activity for or on behalf of the OHCA is not a business associate if it is acting on behalf of the OHCA as a whole.


Business Associates Restrictions and Requirements

Business associates may use or disclose PHI only as permitted or required by the Business Associate Agreement or as required by law. Business associates will be directly liable under the HIPAA Rules and subject to civil and criminal penalties for failing to comply with the Business Associate Agreement or the HIPAA Security Rule.

If a Business Associate becomes aware of a security incident, it must report it. A “security incident” includes “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

Business Associates are governed by rules that provide specific guidance regarding the sale of patient information. For example, information can be sold for public health, treatment and payment, or for the sale of an entity. Additionally, information can be sold for research, but compensation must be reasonable and cost-based. Any information or data that is sold must be de-identified to remove any and all identifiers of the individual, relatives, employers, or household members.


Business Associate Agreement Requirements

The following is a list of items that must be addressed in a Business Associate Agreement:

  1. Establish the permitted and required uses and disclosures of PHI by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the PHI, including compliance with the Security Rule for ePHI.
  4. Require reporting to the covered entity of any improper use or disclosures including breaches.
  5. Require the business associate to make PHI available for access and amendment, and to provide the information required for an accounting of disclosures.
  6. Require Privacy Rule compliance to the extent applicable.
  7. Require business associates to make books and records available to HHS.
  8. Require the business associate to return or destroy PHI at termination if feasible.
  9. Require the business associate to ensure that subcontractors agree to the same restrictions and conditions.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term.


Business Associate Agreement Regulatory Compliance

Periodically, Business Associate Agreements should be reviewed and updated as necessary to ensure that they are compliant with HIPAA and the HITECH Act or any other related laws.

OCR is responsible for auditing and provides healthcare entities only a narrow window in which to produce a list of their business associates. Therefore, it is critically important to maintain a current list of business associates.


Things to consider

The following is a non-exhaustive list of things to consider when negotiating a BAA:

  1. Is this entity a Business Associate? If so, what will this BA be doing and does HIPAA allow for it?
  2. Do you want a stand-alone BAA, or will it be incorporated into other contracts?
  3. Has there been a discussion about indemnification and how much is required?
  4. Is a confidentiality agreement required for other information?
  5. Should we have a privacy official to design, implement and oversee privacy policy and procedure practices, including risk analysis and risk mitigation?


There are several other items to consider when drafting, negotiating and executing a Business Associate Agreement. If you have questions about Business Associate Agreements and how they work, or about whether yours incorporates the most recent legal requirements, you should contact us today.


This post was authored by Jamaal R. Jones, Esquire, of Jones Health Law, P.A. For more information, contact me at (305) 877-5054, email me at JRJ@JonesHealthLaw.com, or visit our website at www.JonesHealthLaw.com.


It should be noted that I am not your lawyer (unless you have presently retained my services through a retainer agreement). This post is not intended as legal advice; it is purely educational and informational, and no attorney-client relationship shall result from reading it. Please consult your own attorney for legal advice. If you do not have one and would like to retain my legal services, please contact me using the information listed above.


All of the information and references made to laws, regulations, and advisory opinions were accurate based on the law as it existed at this time, but laws are constantly evolving. Please contact me to be sure that the law which will govern your business is current. Thank you.