Earlier this month, I wrote an article, "HIPAA: Back to basics with the BAA," where I promised to write about the nuances of the requisite business associate agreement (BAA). Unless someone is new to the healthcare industry, or is a business associate (which includes subcontractors) that only recently started creating, receiving, maintaining, or transmitting (including storing) protected health information (PHI), by now there should be an awareness that a business associate is directly liable under the HIPAA Rules. Like covered entities, business associates may be subject to civil and, in egregious cases, criminal penalties.
This leads us to the BAA—a written agreement between the parties that serves three primary purposes:
- providing assurances that both parties are adhering to the requirements of the Privacy Rule and the Security Rule;
- setting out the steps the parties will take for a reportable event in accordance with the Breach Notification Rule, which includes notifying the other party within a specified time; and
- setting forth how the data will be returned and/or disposed of when the relationship between the parties ends, provided there are no other circumstances, such as a legal hold or government investigation, that require it to be retained.
Notably, anyone who has read and drafted numerous BAAs quickly learns that they all contain very similar, if not identical, language. That is because certain content is required in every BAA. Other items, such as choice of state law, venue/jurisdiction, and indemnification (to name a few), are not compulsory but are often seen.
As HHS explains on its website, a BAA is “[a] written contract between a covered entity and a business associate [or a business associate and its subcontractor that] must:
- establish the permitted and required uses and disclosures of protected health information by the business associate;
- provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
- require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
- require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
- require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
- to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
- require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
- at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
- require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
- authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.”
Armed with this information (and after reviewing the HHS website link), readers should have a renewed appreciation for what must be included in a BAA and what may be included. It never ceases to amaze me when I receive (often caustic) questions or push back on the compulsory items that HHS has set forth. This article may serve as a basis for a polite way to push back if faced with a similar situation.
About the Author
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.