HIPAA Highlights: Business Associate Agreement Provisions

Editor's Note: This is the third in a five-part series on modifications to HIPAA recently unveiled by HHS on January 17, 2013.

Of the multiple areas associated with the HHS HIPAA Omnibus Rule, one that has been given heightened attention relates to business associate agreements (BAAs).

Before delving into the nuances of BAAs and HHS-recommended provisions, it is necessary to address 45 C.F.R. §160.103. This section provides the definitions of covered entities, business associates, and subcontractors. Notably in this section, HHS' Office for Civil Rights (OCR) rejected comments that the definition of a business associate was too broad as it includes business associate contractors and therefore, outside the scope of its statutory authority. For providers, this means understanding the definitions of a business associate (BA), a subcontractor, and a BAA. From there, providers should focus on including specific BAA provisions recommended by HHS.

A business associate is directly liable under the HIPAA/HITECH Act rules and, therefore, subject to both civil and criminal penalties for failing to safeguard protected health information (PHI) and using or disclosing PHI in a manner not authorized by law, contract/BAA. This is consistent with the applicability to covered entities.

A business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associate, based on the relationship between the parties and the activities or services being performed by the business associated.” (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html).

Contracts between covered entities and business associates and business associates and their subcontractors are subject to the same mandates. Considered in the context of federal agency law and the risk assessment requirement, this means that liability can flow from a subcontractor to a covered entity, which is significant. In light of this, providers need to make certain that comprehensive risk assessments are conducted and assurances are included in BAA agreements.

When assessing a BAA, it is prudent to follow the standards set forth by HHS for what must be included in the written contract. (Ibid. emphasis added). Ten items are set forth, including:

• Establishing permitted and required uses and disclosures of PHI;

• Assuring that the BA will not exceed the parameters set forth by law or contract for disclosure;

• Requiring appropriate PHI implementation safeguards; and

• Mandating that the business associate ensure that any subcontractors will comply with the same standards. (Ibid)

Building on these requirements, HHS provided sample provisions, which individuals may wish to follow. It is advisable to note that the sample provisions are not exhaustive and other items, such as defining the HITECH Act in addition to HIPAA, should be considered. The headings provide a good roadmap and include:

• Definitions,

• Obligations and Activities of a Business Associate,

• Permitted Uses and Disclosures by Business Associate,

• Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions,

• Permissible Requests by a Covered Entity,

• Term and Termination, and

• Miscellaneous

Physicians should take care when considering the nature of the business associates’ role and provided service in relation to the BAA. For example: Is the contract with a law firm, a consulting firm, a medical device company, or a cloud computing company?

The BAA should reflect the nuances of how the PHI is utilized and a separate external risk assessment should be conducted as part of due diligence to ensure that adequate assurances are given. By doing so, providers can reduce the risk of liability exposure.