The Need-to-Knows About HIPAA Business Associate Agreements

HIPAA BAA FAQ

Most people whose work involves compliance with HIPAA regulations will agree that it can be difficult to fully understand. The role of business associates, and the actions needed to fully satisfy the requirements of the law, is one source of confusion.

To help clear up the confusion, we have prepared an overview of things to know about HIPAA Business Associate Agreements and the role of a Business Associate.

The Need-to-Knows About HIPAA Business Associate Agreements – Definition of a Business Associate

One of the primary reasons for the HIPAA regulation was to ensure the protection of patients’ protected health information. This information is generally created by medical providers, acting in their role as a covered entity.

Most businesses and medical practices that are required to follow the rules and regulations of HIPAA will need to use the services of a vendor at some point. If that vendor takes possession of protected health information on behalf of a covered entity or business associate, in either physical form (PHI) or electronic form (ePHI), HIPAA classifies that vendor as a business associate.


The Need-to-Knows About HIPAA Business Associate Agreements – 10 Essential Elements

A business associate agreement (BAA) is a written contract between organizations that defines the appropriate uses of PHI and how that information must be secured. There are 10 elements that should be included in every business associate agreement:

(1) Defining the permitted and required uses and disclosures of protected health information by the business associate; 

(2) Ensuring that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; 

(3) Requiring the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; 

(4) Requiring the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information; 

(5) Instructing the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings; 

(6) Requiring the business associate to comply with the requirements applicable to the obligation, to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule; 

(7) Directing the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity, for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;

(8) Upon termination of the contract, if feasible, requiring the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity; 

(9) Requiring the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and 

(10) Authorizing termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

The Need-to-Knows About HIPAA Business Associate Agreements – Exceptions

The HIPAA regulations are very specific about the need for business associate agreements and what must be included in them. They also define situations that are excluded from the definition of a business associate. The following are not considered business associates, with examples:

  1. Entities that do not create, receive, maintain, or transmit PHI. – If you do not handle PHI, you are not considered a business associate. The accidental disclosure of PHI does not create a business associate relationship (such as a maintenance contractor who happens to see PHI while in an office).
    Software companies or service providers that do not have access to PHI would not be considered business associates. Many times, these organizations will place provisions in their service agreements prohibiting customers from providing PHI without prior agreement.
  2. Members of an entity’s own workforce. – Contractors hired by a covered entity are not considered business associates if the covered entity classifies them as members of its workforce.
  3. Members of an organized health care arrangement (OHCA). – Examples of OHCAs include hospitals and their medical staff, provider networks, and certain arrangements between group health plans and insurers. The OHCA exemption applies only to covered entities; it does not apply to other businesses that require PHI to provide services for the OHCA.
  4. Healthcare providers who receive PHI for the treatment of patients. – The HIPAA Privacy Rule specifically excludes disclosures from a covered entity to a healthcare provider needed for treatment from the need for a business associate relationship.
  5. Entities acting on their own behalf or on behalf of the patient. – A financial institution that processes patient payments for the purpose of treatment is not considered a business associate because it is performing its normal banking services to customers. It is not acting on behalf of a covered entity or business associate.
    An attorney who requests PHI in order to represent a patient also would not be considered a business associate.
  6. Entities performing management or administrative functions for business associates. – If the business associate is using PHI for its own administrative, legal, or managerial functions, that does not create a business associate relationship.
  7. Entities that are mere “conduits” for PHI. – This is a narrow exception intended to exclude courier and transmission services such as the U.S. Postal Service, UPS, and their electronic equivalents. A phone company or internet provider that simply transmits PHI through its system and does not routinely have a need to access PHI is exempt from the business associate requirement.

The Need-to-Knows About HIPAA Business Associate Agreements – Final Thoughts

For many of the excepted cases, a confidentiality agreement would be enough to protect the use of PHI. In fact, using a BAA when it’s not needed may actually lead to increased liability for covered entities and business associates if it indicates that a contractor is acting as an agent of the covered entity.

In all instances when a BAA is needed, it must be signed by both parties before PHI is transferred. Failure to do so, or to have a BAA when one is needed, is a violation of HIPAA rules and exposes an organization to serious financial penalties if discovered as the result of a breach, complaint, or audit.