Business Associate Agreements & HIPAA

The HIPAA Privacy Rule states that clearinghouses, covered entities, and business associates are required to follow the HIPAA security and privacy rules. According to the U.S. Department of Health & Human Services, the Privacy Rule “requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

So, who is a business associate? A business associate is any person or entity that creates, receives, maintains or transmits protected health information (PHI) from or on behalf of, or provides services to, a covered entity. This designation extends to subcontractors as well. Law enforcement and government agencies, however, are not considered business associates and may request PHI as needed.

A business associate agreement (BAA) fulfills the “in writing” stipulation of the Privacy Rule. It is required for any business associate, and it provides the covered entity with assurances that the business associate will comply with HIPAA and maintain the security of the PHI. This is particularly important when a data breach occurs with a business associate and not the covered entity. If the covered entity can demonstrate due diligence in prevention of the breach, the BAA will transfer most of the financial liability of the data breach to the business associate itself.

Here are three of the most common mistaken beliefs Datica hears about Business Associate Agreements:

  1. The vendor in question doesn’t necessarily need to be HIPAA-compliant because they aren’t storing data. Even if a vendor claims it is not storing PHI, having data pass through its systems would still require protection under HIPAA. A BAA serves as a promise of this.
  2. They are HIPAA-compliant because they encrypt the data in transit and in storage. This is certainly crucial, but there is so much more to HIPAA than encrypting data. You can read about everything we do to be HIPAA-compliant in our policies. At a minimum, a vendor must encrypt data and ensure physical media meets HIPAA’s physical security requirements. As a result, that vendor would need to have a BAA signed with their hosting vendor to ensure legitimacy.
  3. The subcontractor doesn’t need to sign a BAA because the vendor they’re subcontracting for already has one in place with the covered entity. As of 2013, this is false. As soon as PHI passes through your system, you are also automatically considered a business associate and the vendor you subcontracted with will require a BAA from you. In fact, the latest rules state that covered entities MUST ensure they obtain satisfactory assurances from their business associates, and they must do the same with their subcontractors, and so on, no matter how far “down the chain” the information flows.