If you are in any way involved with HIPAA, then you have likely heard of a Business Associate Agreement (BAA). Covered Entities know they need them, but not always when they need them, and there is a lot of confusion about who needs one. In this post, we discuss what exactly a Business Associate Agreement is and then who needs one. The answers may surprise you.
In the course of providing healthcare to patients, a Covered Entity may need to disclose Protected Health Information (PHI) to other entities. For example, if a practice hires an outside billing service to bill its patients for services, then the outside billing service is a Business Associate of the practice. The practice has given a third party access to PHI, and that creates a liability for the practice as a Covered Entity.
What is a Business Associate Agreement?
Enter the Business Associate Agreement. The original Privacy Rule required Covered Entities to obtain written assurances from their Business Associates, and the HIPAA Omnibus Rule later made Business Associates directly responsible for protecting PHI. HHS guidance on the Privacy Rule puts it this way:
“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”
The BAA should lay out how each party will handle the PHI under its care: what the Business Associate will do to protect the data it receives from the Covered Entity, how it will report incidents, and what happens to the data when the relationship ends. This cannot be a verbal agreement or an email. The Privacy Rule requires a written contract between the two parties.
Who needs a Business Associate Agreement?
The common belief is that a Covered Entity needs a Business Associate Agreement whenever it gives an entity outside its practice access to PHI. That is correct, but did you know that Business Associates also need them, and not only with the Covered Entity? What if a Business Associate that performs billing outsources collections to a third party? The collection service is now a Business Associate (a subcontractor) of the first Business Associate. A Business Associate Agreement needs to be in place between the two to ensure that appropriate controls protect the Covered Entity's PHI all the way down the chain.
Examples of entities with which a Covered Entity would need a Business Associate Agreement include, but are not limited to, the following:
- Outside billing services
- Outside collection services
- IT service companies
- Cloud Services where PHI is stored
- Email services if PHI is sent via email
- Cloud EMR providers
- Cloud backup services
The Omnibus Rule made Business Associates directly liable for breaches of PHI under their control. Furthermore, once a Covered Entity is notified of a breach at a Business Associate, it must make sure the situation has been addressed and resolved. A breach at a Business Associate is a reportable event for the Covered Entity.
In addition, a Business Associate Agreement is still required even if the Business Associate never views the PHI. A cloud storage provider that holds only encrypted data is the usual example: because the PHI resides on the provider's systems, the provider is a Business Associate even if it does not hold the decryption key.
Who doesn’t need a Business Associate Agreement?
The HIPAA Privacy Rule does outline some exceptions to the Business Associate Agreement requirement. A Covered Entity is not required to have a Business Associate Agreement in place in the following cases:
- Disclosures by a Covered Entity to a healthcare provider for treatment of the individual
- PHI collection and sharing by a health plan that is a public benefits program, such as Medicare
- Disclosures to a health plan sponsor by a group health plan, or by the health insurance issuer or HMO that provides benefits or coverage for the group health plan
- Individuals or organizations that merely transport or carry PHI without routinely accessing it (the so-called conduit exception), such as the US Postal Service
Covered Entities often need to give third parties access to PHI so they can perform services. As a result, HIPAA requires a written agreement that outlines how both entities will protect and handle the PHI. This is called a Business Associate Agreement. Any third party that will have access to PHI needs one, and so does any Business Associate of another Business Associate. That last case is commonly overlooked, and overlooking it is expensive: when a breach does occur, the fines follow.
Covered Entities are responsible for breaches of PHI by their Business Associates.
If you would like an example of a Business Associate Agreement for your practice, please see the sample Business Associate Agreement provisions published on the HHS website.