Business Associate Agreements for Lawyers

Under HIPAA, a business associate agreement is a contract that covers the relationship and sharing of protected health information between a covered entity and business associate. A primer on business associate agreements for lawyers is offered below.

What is Protected Health Information?

The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 

What are Covered Entities?

Covered entities include:

  • Health plans
  • Health care clearinghouses
  • Health care providers who transmit health information in electronic form in connection with a HIPAA-covered transaction. HIPAA-covered transactions are transactions involving the transmission of information between two parties to carry out financial or administrative activities related to health care.

What are Business Associates?

In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity.

These functions and activities involve the use or disclosure of individually identifiable health information. 

Business associate functions or activities on behalf of a covered entity include:

  • Claims processing
  • Data Analysis
  • Utilization Review
  • Billing

Business associate services to a covered entity are limited to:

  • Legal services
  • Actuarial services
  • Accounting services
  • Consulting services
  • Data aggregation services
  • Management services
  • Administrative services
  • Accreditation services
  • Financial services  

Business Associate Agreements for Lawyers: What Lawyers Need to Know

If a lawyer were to pick up a treatise entitled “Business Associate Agreements for Lawyers,” the treatise, to be worth its salt, should cover the fundamentals of business associate agreements: whether they are required; what they must contain; what happens in the event of a breach of the agreement; and what they can or may contain (as opposed to what they must contain).

Fundamental #1: Does a Covered Entity Have to Enter into a Business Associate Agreement?

When a covered entity and business associate decide to do business with each other, a business associate relationship has been created, as a matter of law. Once the legal relationship is established, actual execution of a business associate agreement (BAA) is not necessary. Rather, the covered entity must make a reasonable effort to obtain an executed BAA from the business associate. An agreement memorializing the legal relationship cannot be forced upon the business associate. There is no “federal contract law” lurking about that requires execution of this agreement.

Fundamental #2: What Must be Included in a Business Associate Agreement?

If a business associate agreement IS executed, HIPAA requires the agreement to contain certain provisions. These provisions include: 

  1. A description of the permitted, required, and prohibited uses of protected health information by the business associate (BA).
  2. A provision that provides that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
  3. A provision requiring the business associate, per the HIPAA Security Rule, to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
  4. A provision requiring that any subcontractors of the business associate must abide by the same terms by which the BA must abide. Subcontractors of business associates that perform certain functions or activities on behalf of, or provide certain services to, those business associates, where those functions and activities involve the use or disclosure of individually identifiable health information, are themselves business associates. As such, subcontractors are contractually bound just as a “primary BA” would be.
  5. A provision requiring the business associate to notify the covered entity of an impermissible disclosure.
  6. A provision that states that the covered entity can terminate the agreement for violation of its terms, and upon such termination, the BA must return or destroy all PHI.

Fundamental #3: What Happens When One Party Breaches the Agreement?

Once a validly executed agreement is in place, a party may, of course, commit a material breach. Under HIPAA, when a covered entity knows of a material breach or violation of the agreement by the business associate, the covered entity must take reasonable steps to cure the breach or end the violation. If such reasonable efforts are not successful, the covered entity must terminate the agreement. In some instances, termination may not be feasible (e.g., in circumstances where there are no other viable business alternatives for the covered entity). When termination is not feasible, the covered entity has an affirmative duty to report the problem to the Department of Health and Human Services’ Office for Civil Rights. 

Fundamental #4: What May Be Included in a Business Associate Agreement?

Elements that are not required to be in the agreement, but which should be considered for inclusion, include: 

  • A “right to audit” clause. Such a clause gives the covered entity a specific right to monitor the business associate’s compliance with the business associate agreement (BAA).
  • A clause that clearly indicates the business associate is an independent contractor of the covered entity, not an employee of the covered entity. 
  • An indemnification clause, providing that each party will take respective responsibility for any financial harm caused by a breach of the agreement. NOTE: Indemnification clauses are not required. However, covered entities should strongly consider including one. In the event a court finds, based on the language of the agreement, that the business associate was an employee of the covered entity, the court may find the covered entity subject to the doctrines of vicarious liability and respondeat superior.
  • An expiration date. If you, as a covered entity, don’t regularly review your BAAs, they may have expiration dates of which you’re unaware. As such, a court may find their provisions invalid. While HIPAA does not require expiration dates on BAAs, periodic monitoring of the agreements is crucially important; insertion of an expiration date is a good way of “forcing” review. 
