What is a Sample Business Associate Agreement?

Under HIPAA law, covered entities frequently hire what the law calls “business associates.”  A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. Business associates create, receive, maintain, or transmit protected health information (PHI) on behalf of covered entities and other business associates (subcontractors). HIPAA regulations require covered entities to enter into written business associate agreements with business associates before business associates can perform the tasks the covered entity seeks to hire them for. Important components of a sample business associate agreement are discussed below.

What Should a Sample Business Associate Agreement Cover?

A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. Provisions that must be contained in a sample business associate agreement include:

A business associate may not use or disclose protected health information other than as permitted or required by the Agreement, or as required by law (such as OSHA or state workers' compensation law).

A business associate must comply with the administrative, technical, and physical safeguard provisions of the HIPAA Security Rule, to prevent unauthorized use or disclosure of electronic protected health information (ePHI).

The business associate must report to the covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware.


In a sample business associate agreement, the parties may wish to add some specifics about the business associate’s breach notification obligation. HIPAA breach notification law provides that a business associate must provide a notification of a breach to a covered entity “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” The parties can shorten this timeframe in a sample business associate agreement. A sample business associate agreement can provide that the outer limit for notification be 30 calendar days instead of 60. The HIPAA Breach Notification Rule gives the parties the option of permitting the business associate to provide notification to individuals, OCR, and the media, on behalf of the covered entity. A sample business associate agreement can contain a provision requiring the business associate (instead of the covered entity) to provide such notification. The sample business associate agreement can also require that the business associate cover the costs of providing notification.

The sample business associate agreement should contain additional provisions. These include:

A provision requiring the business associate to make available protected health information in a designated record set to the covered entity, or to an individual requesting access to his or her PHI.

A provision requiring the business associate to make any amendment(s) to protected health information in a designated record set, as directed by the covered entity.

A provision requiring the business associate to maintain and make available the information required to provide an accounting of disclosures to a covered entity or individual who asks for such an accounting.

A provision requiring the business associate, to the extent the business associate is to carry out one or more of the covered entity’s Privacy Rule obligations, to comply with those provisions of the Privacy Rule that apply to the covered entity in its performance of those obligations.

A provision requiring the business associate to make its internal practices, books, and records available to the HHS Secretary for purposes of determining compliance with the HIPAA Rules.

A provision covering the obligations of the business associate upon termination of the business associate agreement. An agreement can obligate the business associate to return or destroy all PHI when the agreement terminates. Alternatively, the agreement may authorize the business associate to retain PHI for specific, narrow purposes. These include use or disclosure of protected health information by the BA for its own management and administration, or use or disclosure by the BA to carry out its legal responsibilities.

What Else Should a Sample Business Associate Agreement Cover?

A business associate agreement is required when a business associate hires another business associate (subcontractor) to create, receive, maintain, or transmit PHI on its behalf. Therefore, a sample business associate agreement between business associates should contain language requiring subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate to agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.