Business Associate Agreement: Everything Explained

The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.

The HIPAA Omnibus Rule changed how BAs and Business Associate Subcontractors (BAS) can be held liable for potential HIPAA violations. Therefore, it is in the Covered Entity’s and the BA’s best interest to maintain a thorough understanding of their relationship and how they expect one another to secure patient, client, or employee data.

But let’s face it, running a business without any help from third parties is difficult, if not impossible. Hiring outside help when you need extra hands or have special needs often makes good business sense.

Who is a Business Associate or a Business Associate Subcontractor and what needs to be in the agreement between these businesses?

This week, we discuss the requirements of a BA and BAS and the specifics of a Business Associate Agreement (BAA). Before we break down the details of classifying your vendors, take a look at this infographic to get an understanding of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors.

Infographic of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors

What is a Business Associate Agreement?

A Business Associate Contract, or Business Associate Agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

HIPAA requires Covered Entities to only work with Business Associates who assure complete protection of PHI. These assurances have to be in writing in the form of a contract or other agreement between the Covered Entity and the BA. 1

HHS can audit BAs and Subcontractors for HIPAA compliance, not just Covered Entities. This means that organizations must have a Business Associate Agreement (BAA) for all three levels in order to meet the requirements of HIPAA. It’s in both of your best interests to have an agreement since all three classifications are responsible for protecting PHI.

The Business Associate/Subcontractor Agreement must include the following information, according to HHS:

Once Covered Entities, Business Associates, and Business Associate Subcontractors have identified their relationship with one another, it is necessary to ensure that any third-parties will guard the PHI they receive. A signed agreement documents that the BA knows they must safely handle PHI.

Understanding Who Your Business Associates and Business Associate Subcontractors Are

Who are Your Business Associates?

You need to be able to identify the classification of your workforce before you know what HIPAA requires. As defined by the Health Information Portability and Accountability Act (HIPAA), a Business Associate is any organization or person working in association with or providing services to a Covered Entity who generates, handles, or discloses Protected Health Information (PHI). 2

Potential Business Associates are people or companies like:

According to HHS, Covered Entities may only disclose PHI to an entity to help carry out its healthcare functions, not for the Business Associate’s independent use or purposes.” 1 For example, a Business Associate/Subcontractor cannot use the PHI from the Covered Entity for its own email campaign.

Who are Business Associate Subcontractors?

A Business Associate Subcontractor is a person or entity to which a Business Associate delegates a function, activity or service. 3 While a Covered Entity receives help from a Business Associates, BAs employ their own help. HIPAA refers to these people and companies as Business Associate Subcontractors.

Similarly, Business Associates must have a Business Associate Subcontractor Agreement with their BASs. The BA and BAS Agreements are almost identical, so the primary difference is the definition of the category.

Who is not considered a Business Associate/Subcontractor?

Business Associate/Subcontractor exceptions include, but are not limited to, the following examples considered ‘conduits’ for PHI:

Contractors and Confidentiality Agreements

Contractors working exclusively for your company, individuals with other clients, and workers hired through a business are not Business Associates. However, your company is responsible if one of these individuals breaches PHI.

For these types of employees who are not Business Associates, Total HIPAA recommends this: If the “employee” is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate policies and procedures for privacy and security like a BA or BAS. It is meaningless to ask them to sign a BAA or a Subcontractor BAA because they will not have the compliance infrastructure required by HIPAA.

Instead, ask them to sign a confidentiality agreement. We include these items in the confidentiality agreements we provide for our clients:

Additionally, we recommend that the entity includes important individuals in all training activities.

For more information on contractors, take a look at our blog post, Preparing Contractors for HIPAA Compliance, as well as our podcast, Should Employers Train Contractors Who See PHI?

What Happens If My Business Associate/Subcontractor Discloses PHI?

Finally, a Business Associate/Subcontractor’s failure to meet the requirements of an agreement could result in substantial ramifications:

“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.” 4

When a Business Associate/Subcontractor breaches or violates a BAA, the Covered Entity must take reasonable steps to cure the breach or end the violation. “If such steps are unsuccessful, they must terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a Covered Entity is required to report the problem to HHS Office for Civil Rights.” 1

Where Can I Get a Business Associate Agreement?

Good news! We offer a FREE Business Associate Agreement template on our site. Click the button below and enter your email to receive your BAA today.

Remember, having this agreement is only one piece of the compliance puzzle. To be fully compliant, you must complete a Risk Assessment, maintain current copies of all documents required by HIPAA, train your staff, and more. Our HIPAA Prime program does all this and more, ensuring compliance for your business.

To learn more or get started, email info@totalhipaa.com today.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.