Do I need a Business Associate Agreement?

Your healthcare entity may need to enter into a signed Business Associate Agreement with certain vendors and contractors, depending on the type of services they will provide to your healthcare entity. Failure to produce a signed Business Associate Agreement on request could lead to fines and/or penalties from the Office for Civil Rights (“OCR”) in connection with potential HIPAA violations.


What is a Business Associate?

A business associate is a person or entity that creates, receives, maintains or transmits protected health information (“PHI”) on behalf of a covered entity. Companies that only store encrypted PHI, even if they never hold the decryption key, are also considered Business Associates. Subcontractors must also sign a Business Associate Agreement if they create, receive, maintain, or transmit PHI on behalf of a business associate.

A healthcare provider is not a business associate of another covered entity when it receives PHI for the treatment of a patient. A covered entity participating in an Organized Health Care Arrangement (“OHCA”) that performs a function or activity for or on behalf of the OHCA is not a business associate if it is acting on behalf of the OHCA as a whole.


Business Associates Restrictions and Requirements

Business associates may use or disclose PHI only as permitted or required by the Business Associate Agreement or as required by law. Business associates are directly liable under the HIPAA Rules and subject to civil and criminal penalties for failing to comply with the Business Associate Agreement or the HIPAA Security Rule.

If a Business Associate becomes aware of a security incident, it must report it to the covered entity. A “security incident” includes “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Because that definition covers attempted as well as successful access, the agreement should spell out which incidents must be reported, how quickly, and in what detail.

Business Associates are governed by rules that provide specific guidance regarding the sale of patient information. For example, remuneration is permitted for disclosures made for public health purposes, for treatment and payment, or as part of the sale of an entity. Information may also be exchanged for research, but compensation must be reasonable and cost-based. Otherwise, any information or data that is sold must be de-identified, with all identifiers of the individual and of the individual’s relatives, employers, and household members removed.


Business Associate Agreement Requirements

The following is a list of items that must be addressed in a Business Associate Agreement:

  1. Establish the permitted and required uses and disclosures of PHI by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the PHI, including compliance with the Security Rule for ePHI.
  4. Require reporting to the covered entity of any improper use or disclosures including breaches.
  5. Require the business associate to make PHI available for access and amendment and to provide the information needed for an accounting of disclosures.
  6. Require Privacy Rule compliance to the extent applicable.
  7. Require business associates to make books and records available to HHS.
  8. Require the business associate to return or destroy PHI at termination if feasible.
  9. Require the business associate to ensure that subcontractors agree to the same restrictions and conditions.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term.


Business Associate Agreement Regulatory Compliance

Periodically, Business Associate Agreements should be reviewed and updated as necessary to ensure that they are compliant with HIPAA and the HITECH Act or any other related laws.

OCR is responsible for auditing and gives healthcare entities only a narrow window in which to produce a list of their business associates. It is therefore critically important to maintain a current list of business associates and their signed agreements.


Things to consider

The following is a non-exhaustive list of things to consider when negotiating a BAA:

  1. Is this entity a Business Associate? If so, what will this BA be doing and does HIPAA allow for it?
  2. Do you want a stand alone BAA or will it be incorporated into other contracts?
  3. Has there been a discussion about indemnification and how much is required?
  4. Is a confidentiality agreement required for other information?
  5. Should we have a privacy official to design, implement and oversee privacy policy and procedure practices, including risk analysis and risk mitigation?


There are several other items to consider when drafting, negotiating and executing a Business Associate Agreement. If you have questions about Business Associate Agreements and how they work or whether yours incorporates the most recent legal requirements you should contact us today.


This post was authored by Jamaal R. Jones, Esquire  Jones Health Law, P.A. for more information contact me at (305) 877-5054; email me at JRJ@JonesHealthLaw.com, or visit our website at www.JonesHealthLaw.com.


It should be noted that I am not your lawyer (unless you have presently retained my services through a retainer agreement). This post is not intended as legal advice, it is purely educational and informational, and no attorney-client relationship shall result after reading it. Please consult your own attorney for legal advice. If you do not have one and would like to retain my legal services please contact me using the information listed above.


All of the information and references made to laws, regulations, and advisory opinions were accurate based on the law as it existed at this time, but laws are constantly evolving. Please contact me to be sure that the law which will govern your business is current. Thank you.

Does Blockchain Belong in Healthcare?

Healthcare providers have been slow to adopt blockchain in their practices. Providers are hesitant because: (1) they are unfamiliar with the technology and how it works; (2) some do not see its practical application to healthcare; (3) others are taking a wait-and-see approach to determine whether it is financially rewarding; and (4) some are put off by the lack of regulation, which they fear could expose patient records to cybertheft.


What is Blockchain?

In 2009, blockchain arrived on the scene as the foundation for exchanging digital currency. A blockchain is a permanent record of transactions or exchanges, logged in chronological order with corresponding time-stamps and, in the original public designs, visible to everyone. It is comprised of a series of “blocks” of information that grows over time to form a chain, with each block carrying a cryptographic hash of the block before it. Once appended, a block cannot be altered or deleted without invalidating every block that follows, which allows users to follow the “crypto trail,” or transaction record, and detect tampering. Blockchain is appealing to many in the healthcare community because of this potential for data integrity.

Credentialed users can add to the transaction record, which is then replicated across the nodes of the network. Nodes on the network validate and confirm each block of data before accepting it into the chain. The key element of blockchain is that it is not housed in a central database: every transaction must be cryptographically signed by its author and verified by the network rather than trusted because a single server says so.
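The two properties described above, that each block commits to the previous one and that altering any block invalidates everything after it, are easiest to see in code. The following is an added example written for this page, not code from the original post or from any healthcare blockchain product. It builds a small hash-chained ledger with Python’s standard library, records only a pointer and a SHA-256 digest of each off-chain PHI record (the “keep some data off the blockchain” pattern discussed later), and shows what verification reports when a block is edited in place, when an attacker also recomputes that block’s hash, and when the off-chain record is changed. The visit records, pointers and timestamps are constructed for the demonstration.

```python
"""Minimal hash-chained ledger showing why appended blocks are tamper-evident.
Constructed example for illustration; not a production blockchain. Timestamps
are fixed so the digests are reproducible from run to run."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: int        # seconds since epoch; fixed values in this example
    record: dict          # what is actually written on-chain
    prev_hash: str        # hash of the preceding block: this is the "chain"
    block_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so every node derives the same digest for the same content.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "record": self.record, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(payload)


class Ledger:
    def __init__(self) -> None:
        genesis = Block(0, 0, {"note": "genesis"}, GENESIS_PREV_HASH)
        genesis.block_hash = genesis.compute_hash()
        self.blocks: List[Block] = [genesis]

    def append(self, record: dict, timestamp: int) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1, timestamp, record, prev.block_hash)
        block.block_hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, otherwise (False, index of the first bad block)."""
        for i, block in enumerate(self.blocks):
            if block.block_hash != block.compute_hash():
                return False, i                       # block content was edited
            if i > 0 and block.prev_hash != self.blocks[i - 1].block_hash:
                return False, i                       # link to predecessor is broken
        return True, None


def commitment(phi_record: dict) -> str:
    """Digest of an off-chain PHI record. Only this digest and a pointer go on-chain,
    so the ledger proves integrity without ever holding the PHI itself."""
    return sha256_hex(json.dumps(phi_record, sort_keys=True).encode())


# Constructed sample PHI; these stay off-chain in the provider's own systems.
VISIT_1 = {"patient_id": "P-0001", "diagnosis": "J06.9", "provider": "Clinic A"}
VISIT_2 = {"patient_id": "P-0001", "rx": "amoxicillin 500mg", "provider": "Pharmacy B"}


def build_demo_ledger() -> Ledger:
    ledger = Ledger()
    ledger.append({"ptr": "ehr://clinic-a/visit/1", "digest": commitment(VISIT_1)}, 1_700_000_000)
    ledger.append({"ptr": "ehr://pharmacy-b/fill/7", "digest": commitment(VISIT_2)}, 1_700_000_060)
    return ledger


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Edit block 1 in place, as someone with write access to one node's storage might."""
    ledger = build_demo_ledger()
    ledger.blocks[1].record["ptr"] = "ehr://attacker/forged"
    return ledger.verify()                            # -> (False, 1)


def tamper_and_rehash_demo() -> Tuple[bool, Optional[int]]:
    """Same edit, but the attacker also recomputes block 1's hash to hide it.
    The forgery now surfaces at block 2, whose prev_hash no longer matches."""
    ledger = build_demo_ledger()
    ledger.blocks[1].record["ptr"] = "ehr://attacker/forged"
    ledger.blocks[1].block_hash = ledger.blocks[1].compute_hash()
    return ledger.verify()                            # -> (False, 2)


def offchain_tamper_detected() -> bool:
    """Changing the off-chain PHI without updating the ledger is caught by the digest."""
    altered = dict(VISIT_1, diagnosis="Z00.00")
    ledger = build_demo_ledger()
    return ledger.blocks[1].record["digest"] != commitment(altered)


if __name__ == "__main__":
    print("intact ledger verifies:", build_demo_ledger().verify())
    print("block 1 edited in place:", tamper_demo())
    print("block 1 edited and rehashed:", tamper_and_rehash_demo())
    print("off-chain PHI edited:", offchain_tamper_detected())
```

The point of the third demonstration is the one that matters for healthcare: the ledger never stores the diagnosis or prescription, only a digest of it, so an immutable chain can attest that a record has not changed without putting PHI on a shared, undeletable medium. Note also what the example does not prove: the digest confirms that the record is the same one that was committed, not that the record was correct when it was written.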


How will Blockchain revolutionize healthcare?

Data security and data interoperability are the two most discussed uses for blockchain in healthcare, but there is the potential for many other applications. Blockchain could be used to create a uniform index of protected health information (PHI) that is accessible to healthcare providers regardless of the electronic health record systems they use. Proponents expect it to provide greater security and privacy for patient records, to reduce administrative processes so that more time can be spent with patients, and to facilitate the free flow of medical research between providers in the treatment of diseases.

Blockchains do not have to be publicly available to everyone. A healthcare facility can limit its network to users that it authorizes, such as HIPAA-covered entities and other trusted collaborators. To increase data security, a healthcare provider may restrict what is written to the blockchain while keeping some data off the blockchain. A common pattern records only pointers and cryptographic hashes on-chain and keeps the PHI itself in conventional systems, because data written to an immutable ledger cannot later be corrected or deleted. Additionally, safeguards must be in place to protect personally identifiable information (PII) without significantly inhibiting the transfer of protected health information.

More functional data sharing between healthcare providers increases the likelihood of accurate diagnoses and better treatment while reducing the cost of delivery. The ledger also guarantees that entries have not been altered since they were recorded, although it cannot verify that the data was accurate when it was entered. Blockchain could change health information exchanges by providing patients with direct, continuous access to their records. Providers would be able to access healthcare databases on a large scale. It would also facilitate communication between primary care providers, specialists, and pharmacies who all coordinate care for a patient. All providers, payors, and pharmacies could record information about a specific patient, such as patient visits, prescribed treatment, and diagnosis, onto the same ledger, which they all can access. This communication reduces abuse, misuse, and readmissions.


Is blockchain safe?

Transactions are conducted over several computers and not a single server, which makes it much more difficult to change, hack, or forge. Cybercriminals have already found a way to abscond with millions of dollars’ worth of coins in several creative ways, but experts believe that blockchain can be a much more secure method of storing patient records and other information. Blockchain wouldn’t eliminate data breaches but if the right procedures are implemented it could significantly reduce the occurrence on a large scale as we’ve seen in the past with companies like Target and Aetna.

However, many questions related to HIPAA and blockchain remain. For example, providers are unsure how to honor the individual rights HIPAA grants patients, such as access, amendment, and an accounting of disclosures, on a ledger that is designed never to be changed, and who would have a right of access to records maintained on the blockchain. Many contracts, including Business Associate Agreements, will have to be amended to allow for blockchain before these lingering legal obstacles can be surmounted.

As of today, federal and Florida legislators have not passed any laws that regulate blockchain in any meaningful way, but that will change as more providers adopt this technology.


You need an experienced healthcare attorney who understands blockchain and data privacy to ensure that your practice isn’t violating HIPAA, HITECH and state/federal agency rules. For more information call or email Jamaal R. Jones Esq. at (305) 877-5054 or jrj@joneshealthlaw.com