The Need-to-Knows About HIPAA Business Associate Agreements

HIPAA BAA FAQ

Most people whose work involves compliance with HIPAA regulations will agree that it can be difficult to fully understand. The role of business associates, and the actions needed to fully satisfy the requirements of the law, is one common source of confusion.

To help clear up the confusion, we have prepared an overview of things to know about HIPAA Business Associate Agreements and the role of a Business Associate.

The Need-to-Knows About HIPAA Business Associate Agreements – Definition of a Business Associate

One of the primary reasons for the HIPAA regulation was to ensure the protection of patients’ protected health information. This information is generally created by medical providers, acting in their role as a covered entity.

Most businesses and medical practices that are required to follow the rules and regulations of HIPAA will need to use the services of a vendor at some point. If that vendor takes possession of protected health information on behalf of a covered entity or business associate, in either physical form (PHI) or electronic form (ePHI), HIPAA classifies that vendor as a business associate.


The Need-to-Knows About HIPAA Business Associate Agreements – 10 Essential Elements

A business associate agreement (BAA) is a written contract between organizations that defines the appropriate uses of PHI and how that information must be secured. There are 10 elements that should be included in every business associate agreement:

(1) Defining the permitted and required uses and disclosures of protected health information by the business associate;

(2) Ensuring that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;

(3) Requiring the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;

(4) Requiring the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;

(5) Instructing the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;

(6) Requiring the business associate to comply with the requirements applicable to the obligation, to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule;

(7) Directing the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;

(8) Upon termination of the contract, if feasible, requiring the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;

(9) Requiring the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

(10) Authorizing termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

The Need-to-Knows About HIPAA Business Associate Agreements – Exceptions

The HIPAA regulations are