What to Include in a HIPAA Business Associate Agreement
It’s becoming increasingly common for healthcare facilities to partner with third-party organizations that streamline electronic services for care delivery. But without entering a HIPAA business associate agreement (BAA), these facilities may be putting the privacy and security of their patients’ information at risk.
Before starting any business arrangement with a third party, it’s essential to write a strong BAA as a way to maintain HIPAA compliance and protect your patients. If you’re not sure where to start, we’ve got you covered. We’ll explain what a BAA is, why it’s important, and some of the key elements to include in your contract.
What Is HIPAA?
The Health Information Portability and Accountability Act (HIPAA) outlines a set of federal rules that protect sensitive patient information from being shared inappropriately. Under these rules, facilities must implement various administrative, physical, and technical safeguards to ensure that they’re meeting all HIPAA standards and keeping patient information secure.
What Is a HIPAA Business Associate Agreement?
A business associate agreement is a contract outlining how sensitive patient information can and cannot be used between HIPAA-beholden organizations and any third parties they partner with. Under HIPAA’s security rule, facilities are required to enter business associate agreements before working with organizations that will be accessing their patient’s information.
In contract terms, this agreement is typically made between a business associate and a covered entity, which are both broadly defined as follows:
- Business associate — Any person or entity that performs functions on the behalf of, or delivers services for, a covered entity involving access to protected health information.
- Covered entity — The facility, hospital, provider, or organization that is rendering services from a business associate for their patients’ care.
Who Needs a Business Associate Agreement?
A BAA can be implemented between a covered entity and a business associate or between two business associates. Here’s the bottom line: If your facility is partnering with an individual or organization that will use your patients’ information, you should enter a BAA. Common business associate examples include:
- EHR vendors
- Cloud storage providers
- Accountants
- Conferencing platforms
- Lawyers
- Billing services
Entering a BAA is an important way to protect your facility and patients. This agreement not only sets standards for how patient information should be handled, but also holds business associates accountable for potential security breaches. If a business associate fails to implement appropriate safeguards from their end, a well-written BAA would hold them responsible and protect you from liability.
What to Include in a BAA: 7 Recommended Elements
Since a BAA is a legal document, we recommend consulting with a lawyer prior to finalizing a contract. However, the Department of Health and Human Services (HHS) provides a HIPAA business associate agreement template that you can use as an initial reference. To help you get started, we’ll break down each of these sections below.
1. Definitions
This first section should define all the legal or technical terms that will be used in the agreement. These definitions set the foundation for who the contract covers and what type of patient information it will protect. Include a catch-all definition statement to ensure your contract follows the same terminology and definitions as HIPAA.
2. Obligations and Activities of the Business Associate
This section outlines the business associate’s commitment to upholding all relevant HIPAA guidelines and practices. More specifically, the provisions in this section should include:
- What HIPAA safeguards the business associate should agree to implement
- How the business associate must report unauthorized use or disclosure of protected health information (PHI)
- Whether any subcontractors should be expected to follow your agreement
- How PHI is transferred and accessed between you and the business associate
- Any HIPAA compliance records the business associate should maintain and provide
3. Permitted Uses and Disclosures by the Business Associate
This section outlines HIPAA business associate agreement requirements specifying the ways in which patient information can and cannot be used. You can cite HIPAA subsections or laws that the business associate is expected to follow and clarify uses that are aligned with the needs of your facility.
4. Provisions Informing the Business Associate About Privacy Practices and Restrictions
This section outlines how you will notify or inform your business associate of any changes, limitations, or restrictions on how PHI can be used. These provisions ensure that both parties communicate and remain aware of any modifications in practices or permissions.
5. Permissible Requests by the Covered Entity
This section holds you, the covered entity, accountable for making unlawful requests for PHI use. Essentially, this ensures that you don’t ask your business associate to do anything that violates the HIPAA privacy rule.
If there are particular instances that warrant an exception to these provisions, you can also clarify them here. This includes activities such as data management or aggregation.
6. Term and Termination
This section covers how long the agreement will be in place and any conditions warranting termination. Additionally, you should clarify all obligations that the business associate has upon termination, such as how they should dispose of patient information.
7. Additional Provisions for Flexibility
At the bottom of the template provided by HHS, there are a few more optional provisions that reinforce both parties’ commitment to flexibility. These provisions acknowledge that HIPAA rules may change from year to year and confirm both parties’ willingness to adapt the agreement accordingly.
Take Additional Steps to Maintain HIPAA Compliance
Need more help interpreting regulations that inform a HIPAA business associate agreement? IntelyCare has your back. Our team of healthcare and legal experts maintains a free hub of HIPAA compliance resources that’s readily available when you need it.
Legal Disclaimer: This article contains general legal information, but it is not intended to constitute professional legal advice for any particular situation and should not be relied on as professional legal advice. Any references to the law may not be current, as laws regularly change through updates in legislation, regulation, and case law at the federal and state level. Nothing in this article should be interpreted as creating an attorney-client relationship. If you have legal questions, you should seek the advice of an attorney licensed to practice in your jurisdiction.