A business associate is an individual or organization that interacts with PHI (protected health information) obtained from a covered entity or from another business associate under HIPAA. The individual or organization provides services or technology and, as a result, handles, processes, or transmits PHI. Under such circumstances, the business associate has to sign a contract known as a business associate agreement (BAA). That, in short, is who needs a business associate agreement.
What Is a Covered Entity Under HIPAA?
According to the HIPAA Omnibus Rule, an organization that provides healthcare services or products that are used for medical treatment or collects health-related information of an individual or a group of individuals is known as a covered entity. Hence, dentists, physicians, optometrists, ophthalmologists, health insurance providers and carriers, healthcare clearinghouses, and health plan providers are deemed covered entities.
What Is the Purpose of HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It governs the US healthcare industry. It was first introduced in 1996 with the aim of ensuring that employees continued to receive health insurance coverage while they were between jobs. After several new standards were added to improve the efficiency of the healthcare industry, HIPAA mandated that healthcare organizations have proper controls in place to protect patient data and avert healthcare fraud. The standards minimized the amount of paperwork that healthcare organizations had to do and streamlined the transfer of data between healthcare organizations and insurance providers.
Who Takes the Business Associate Agreement? People Involved
The HIPAA Rules require covered entities and business associates to enter into contracts that ensure the business associate takes the appropriate measures to safeguard protected health information. The HIPAA business associate agreement also clarifies and limits the permitted usage and disclosure of the protected health information (PHI) by the HIPAA business associate based on the activities and/or services provided by the business associate.
Who Needs a Business Associate Agreement?
Besides the covered entity, the following parties, which are considered business associates, require a BAA.
- Medical billing company.
- Transcription service.
- Email encryption provider.
- Third-party administrator helping with medical claims settlement.
- File sharing vendor.
- Backup storage provider.
- IT support provider.
- Shredding company.
In addition, if a business associate uses a sub-contractor to receive, maintain, or transmit protected health information, the sub-contractor too needs to sign a business associate agreement.
What Does PHI Stand for in HIPAA?
The PHI acronym refers to Protected Health Information: any data pertaining to a patient, to payment for healthcare, and/or to the patient's healthcare that is created, stored, or received by covered entities. The term is used in HIPAA and in the Health Information Technology for Economic and Clinical Health Act (HITECH).
If you are wondering which of the following would be considered PHI, you may be surprised to learn that all 18 identifiers listed below count as protected health information.
- Geographic data.
- All elements of date.
- Telephone number.
- Fax number.
- Email address.
- Social Security number.
- Medical record number.
- Health plan beneficiary number.
- Account number.
- Certificate/license number.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- Internet protocol address.
- Biometric identifiers.
- Full face photos and comparable images.
- Any unique identifying number, characteristic, or code.
What Does ePHI Stand For?
Today, covered entities and business associates use technology and the internet to transfer and store data. ePHI stands for electronic protected health information: PHI that is stored or transferred electronically between the two entities. It covers all of the PHI identifiers listed above whenever they are electronically transferred between the covered entity and the business associate.
Purpose of the Business Associate Agreement: Why Do You Need It?
A business associate agreement ensures that the business associate knows what PHI is and how it may be used. The HIPAA definition of a BAA also states clearly that the business associate cannot use or disclose PHI other than as permitted by the agreement or as required by law. Since the HIPAA BAA is legally binding, it holds the HIPAA BA liable to the same repercussions as the covered entity in case of a data breach.
The agreement is designed to protect organizations from liability should a breach occur. Hence, a good business associate agreement will ensure that the party that caused the breach is held responsible for it.
Content of the Business Associate Agreement: Inclusions
Some of the inclusions in a business associate agreement are as follows:
- Name: Names of the organization and the business associate.
- Address: Addresses of both the organization and the business associate.
- Term: The duration that the agreement will stay in effect.
- HIPAA Assurances: States that the business associate will not disclose or use PHI that the covered entity shares with it.
- Termination: The covered entity can opt to terminate the agreement in case of a data breach.
- Destruction of Data: The business associate has to destroy all data on termination of the contract and must not retain any copy.
- Definitions: The contract may include the HIPAA definition and the business associate definition, or simply state that the definitions are as per the HIPAA Rules.
How to Draft a Business Associate Agreement
While drafting a business associate agreement, consider the following:
- The purpose for which the business associate uses PHI.
- Data breach prevention measures as required by HIPAA.
- Terms for termination of the contract.
- What happens if there is a data breach?
- Remedial measures that the business associate needs to take after a data breach.
- What happens if the business associate does not take remedial measures?
- Reporting the breach to OCR.
- The obligation of the business associate after the termination of the contract.
- Permissible requests by the covered entity, which cannot ask the business associate to use PHI for anything other than what is stated in the agreement.
It is necessary to read the content of the agreement carefully, particularly the terms and conditions, to ensure you protect your organization as much as possible from the consequences of a data breach.
When negotiating a business associate agreement, the focus should be on protecting your organization. Hence, you should negotiate the time-frame for reporting breaches and the individual-rights provisions. Most covered entities set shorter reporting time-frames than those HIPAA provides, but business associates can negotiate them. Also, if business associates are not maintaining records for the covered entity, they can request that the requirements related to individual rights not be made part of the agreement.
Benefits and Drawbacks of the Business Associate Agreement
A business associate agreement protects the rights of the business associate and the covered entity. It clearly highlights how the business associate interacts with the patient data and for what purpose. It also lists the instances where the BA cannot use or disclose the data.
The drawback of the agreement is that it can be one-sided, with the covered entity protecting itself from liability and penalties in case of a data breach or non-compliance with the HIPAA Security Rule(1). This puts the entire onus on the BA, and it can result in the business associate facing civil and criminal penalties if things go wrong.
What Happens in Case of Violation?
If the BA discloses or uses PHI for anything not mentioned in the contract or permitted by law, it can face civil and criminal penalties, depending on the gravity of the matter. Furthermore, the business associate may have to pay civil penalties if it fails to safeguard PHI as required by the HIPAA Security Rule.
If there is a breach or misuse of PHI, the business associate has to rectify the issue. The same holds true if a sub-contractor discloses or misuses PHI(2). In the latter case, the business associate has to take measures to resolve the issue, which could involve terminating the sub-contractor's contract.
If terminating the contract is not feasible, and the measures in place to protect PHI are insufficient, the covered entity has the responsibility to report the issue to the HHS Office of Civil Rights.
A business associate agreement should be carefully negotiated by the business associate and the covered entity. The terms and conditions, along with the permitted uses and disclosures, should be clearly stated. It is prudent to remember that the HIPAA business associate contract is not a choice; it is the law, and hence it is mandatory for covered entities and business associates alike.