What is a Business Associate Agreement for Medical Office?

Business Associate Agreement for Medical Office

Healthcare providers often contract with third parties for accounting, billing, legal, and other financial services. If the arrangement involves the third party creating, transmitting, maintaining, or receiving protected health information (PHI), the third party is considered a business associate under HIPAA. Under the HIPAA Privacy Rule, before a healthcare provider shares PHI or electronic protected health information (ePHI) with a business associate, the parties must enter into a written business associate agreement. Among other things, the agreement requires the business associate to give specific assurances that it will maintain the confidentiality, integrity, and availability of PHI. The agreement must also contain other specific content, which is discussed below.

What is a Business Associate Agreement for Medical Office: The Ten Commandments

A business associate agreement for medical offices must contain ten specific provisions. These provisions dictate what business associates can, must, and cannot do with respect to provider PHI. The business associate agreement must:

1. Establish the permitted and required uses and disclosures of protected health information by the business associate;

2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; and

3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing the requirements of the HIPAA Security Rule with regard to electronic protected health information.

These first three provisions set the ground rules for the contract. They make clear what PHI the business associate may or must use or disclose. The third provision's safeguard requirement states what the business associate must do to ensure it does not violate the second provision, under which it may not use or disclose PHI other than as the contract or the law permits.

What is a Business Associate Agreement for Medical Office: Reporting and Disclosure

Covered entities are required to report breaches of unsecured protected health information and to provide individuals with access to their PHI. Business associates that hold PHI must furnish it to covered entities so the covered entities can respond to individuals' requests for access, for amendment, and for an accounting of disclosures. These requirements are embodied in provisions four and five:

4. The BAA must require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information; and

5. The BAA must require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.

What is a Business Associate Agreement for Medical Office? Core BA Duties

During the term of the contract, the business associate may be required to perform specific tasks. A business associate is allowed to respond directly to individual requests for PHI amendment or accounting. The parties can agree that the business associate will take on the breach notification responsibility. Whenever the business associate performs a task regulated by the Privacy Rule, it must comply with the Privacy Rule. Whenever the business associate engages a subcontractor to perform PHI-related functions, the BAA must require the subcontractor to follow the same restrictions with respect to PHI that the business associate must follow. To ensure compliance, the business associate must agree to open its books to HHS when HHS investigates the covered entity. These requirements are embodied in provisions six, seven, and eight:

6. To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, the business associate agreement must require the business associate to comply with the requirements applicable to the obligation;

7. The business associate agreement must require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity, for purposes of HHS determining the covered entity's compliance with the HIPAA Privacy Rule; and

8. The business associate agreement must require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.

What is a Business Associate Agreement for Medical Office? Winding Down and Termination

A business associate agreement contains an end date. When the end date is reached, the business associate must return or destroy the PHI. Sometimes the end date is not reached: if the business associate violates the BAA terms at any point, the covered entity is authorized to terminate the agreement. These requirements are embodied in provisions nine and ten:

9. The BAA must provide that, at termination of the contract, if feasible, the business associate return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity; and

10. The BAA must authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
