What is a Business Associate Agreement?
A business associate agreement is a contract whose use is mandated under the HIPAA Privacy Rule. The text of the HIPAA Privacy Rule applies only to covered entities – healthcare organizations and healthcare plans.
Do you have signed business associate agreements? If not you’re at risk! Learn more about business associate agreements here.
In practice, most providers do not carry out every healthcare activity and function related to administration of their business, all by themselves. Rather, providers frequently use a variety of other persons, services, or businesses to carry out these tasks. Under HIPAA, a covered entity is permitted to delegate these tasks to another entity, but only if certain conditions are met.
If the entity to which a function has been delegated will access protected health information (PHI) as part of the entity’s providing a service to the covered entity, the entity is known as a business associate. The Privacy Rule only allows healthcare providers to disclose PHI to a business associate, if, before any PHI is shared between the two, the provider obtains satisfactory assurances from the business associate. The business associate must provide assurances that the business associate will use the PHI only for those purposes for which the business associate was engaged by the covered entity.
A business associate agreement is a contract between the covered entity and business associate that puts these assurances in writing. Under a business associate agreement, the parties must indicate what kinds of PHI and access to PHI a business associate will have (and what kinds of access and access it may not have), as well as what safeguards the business associate will use to maintain the integrity and confidentiality of the PHI.
A business associate agreement is a useful tool for apportioning liability as well. A series of 2013 modifications to the HIPAA regulations make business associates directly liable for unauthorized use or disclosure of PH, if that unauthorized use or disclosure violates the HIPAA law or the terms of the business associate agreement. Since business associates are now subject to direct liability, the business associate agreement can contain a provision incorporating that direct liability, requiring that the covered entity be legally responsible for its own breaches, and the business associate be liable for its own breaches.
What is a Data Use Agreement?
In contrast, a data use agreement is an agreement between a covered entity and a researcher, such as a genetics researcher or infectious disease researcher. Under the HIPAA Privacy Rule, a covered entity is allowed to disclose medical information to a researcher. “Research” is defined as any systematic investigation designed to develop or contribute to generalizable knowledge.
The Privacy Rule permits a covered entity to disclose what the rule calls a “limited data set.” A limited data set is a set of identifiable healthcare information that covered entities are permitted to share with certain entities for research purposes, public health activities, and healthcare operations, without obtaining prior patient written authorization.
What Information is Excluded from a Limited Data Set?
A limited data set excludes specified direct identifiers (identifiers constituting protected health information, or PHI, that directly identifies research subjects) of the individual or of relatives, employers, or household members of the individual.
When Can a Limited Data Set be Used or Disclosed?
A covered entity may use or disclose a limited data set only if the covered entity obtains satisfactory assurance, in the form of a data use agreement, that the limited data set recipient will only use or disclose the protected health information for limited purposes.
What Provisions Must a Data Use Agreement Contain?
A data use agreement between the covered entity and the researcher must:
- Establish the permitted uses and disclosures of such information by the limited data set recipient. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the Privacy Rule;
- Establish who is permitted to use or receive the limited data set; and
- Provide that the limited data set recipient (the researcher) will:
- Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
- Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
- Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
- Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the the researcher with respect to that limited data set; and
- Not identify the information or contact the individuals who are the research subjects.