Business Associate Agreement: Everything Explained (2024)

The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.

The HIPAA Omnibus Rule changed how BAs and Business Associate Subcontractors (BAS) can be held liable for potential HIPAA violations. Therefore, it is in the Covered Entity’s and the BA’s best interest to maintain a thorough understanding of their relationship and how they expect one another to secure patient, client, or employee data.

But let’s face it, running a business without any help from third parties is difficult, if not impossible. Hiring outside help when you need extra hands or have special needs often makes good business sense.

Who is a Business Associate or a Business Associate Subcontractor and what needs to be in the agreement between these businesses?

This week, we discuss the requirements of a BA and BAS and the specifics of a Business Associate Agreement (BAA). Before we break down the details of classifying your vendors, take a look at this infographic to get an understanding of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors.

[Infographic: Covered Entities, Business Associates, and Business Associate Subcontractors]

What is a Business Associate Agreement?

A Business Associate Contract, or Business Associate Agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

HIPAA requires Covered Entities to only work with Business Associates who assure complete protection of PHI. These assurances have to be in writing in the form of a contract or other agreement between the Covered Entity and the BA.[1]

HHS can audit BAs and Subcontractors for HIPAA compliance, not just Covered Entities. This means that organizations must have a Business Associate Agreement (BAA) for all three levels in order to meet the requirements of HIPAA. It’s in both of your best interests to have an agreement since all three classifications are responsible for protecting PHI.

The Business Associate/Subcontractor Agreement must include the following information, according to HHS:

  • Describe the permitted and required uses of PHI by the Business Associate/Subcontractor
  • Provide that the Business Associate/Subcontractor will not use or further disclose PHI other than as permitted or required by the contract or as required by law
  • Require the Business Associate/Subcontractor to use appropriate safeguards to prevent inappropriate use or disclosure of PHI

Once Covered Entities, Business Associates, and Business Associate Subcontractors have identified their relationship with one another, it is necessary to ensure that any third-parties will guard the PHI they receive. A signed agreement documents that the BA knows they must safely handle PHI.

Understanding Who Your Business Associates and Business Associate Subcontractors Are

Who are Your Business Associates?

You need to be able to identify the classification of your workforce before you know what HIPAA requires. As defined by the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate is any organization or person working in association with or providing services to a Covered Entity who generates, handles, or discloses Protected Health Information (PHI).[2]

Potential Business Associates are people or companies like:

  • Accounting or consulting firms
  • Cloud vendors
  • Consultants hired to conduct audits, perform coding reviews, etc.
  • Lawyers
  • Medical equipment service companies handling equipment that holds PHI
  • Translator services
  • Shredding services
  • File sharing vendors
  • Information Technology vendors

According to HHS, Covered Entities may only disclose PHI to an entity “to help carry out its healthcare functions, not for the Business Associate’s independent use or purposes.”[1] For example, a Business Associate/Subcontractor cannot use the PHI from the Covered Entity for its own email campaign.

Who are Business Associate Subcontractors?

A Business Associate Subcontractor is a person or entity to which a Business Associate delegates a function, activity, or service.[3] While a Covered Entity receives help from a Business Associate, BAs employ their own help. HIPAA refers to these people and companies as Business Associate Subcontractors.

Similarly, Business Associates must have a Business Associate Subcontractor Agreement with their BASs. The BA and BAS Agreements are almost identical, so the primary difference is the definition of the category.

Who is not considered a Business Associate/Subcontractor?

Business Associate/Subcontractor exceptions include, but are not limited to, the following examples considered ‘conduits’ for PHI:

  • Internet Service Providers
  • US Postal Service
  • Other courier services[1]

Contractors and Confidentiality Agreements

Contractors working exclusively for your company, individuals with other clients, and workers hired through a business are not Business Associates. However, your company is responsible if one of these individuals breaches PHI.

For these types of employees who are not Business Associates, Total HIPAA recommends this: If the “employee” is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate policies and procedures for privacy and security like a BA or BAS. It is meaningless to ask them to sign a BAA or a Subcontractor BAA because they will not have the compliance infrastructure required by HIPAA.

Instead, ask them to sign a confidentiality agreement. We include these items in the confidentiality agreements we provide for our clients:

  • The type of information the agreement covers
  • The type of information that cannot be copied or modified
  • A requirement that information be returned upon the employer’s request
  • Disciplinary action for persons responsible for a breach of confidential information

Additionally, we recommend that the entity include these individuals in all training activities.

For more information on contractors, take a look at our blog post, Preparing Contractors for HIPAA Compliance, as well as our podcast, Should Employers Train Contractors Who See PHI?

What Happens If My Business Associate/Subcontractor Discloses PHI?

Finally, a Business Associate/Subcontractor’s failure to meet the requirements of an agreement could result in substantial ramifications:

“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”[4]

When a Business Associate/Subcontractor breaches or violates a BAA, the Covered Entity must take reasonable steps to cure the breach or end the violation. “If such steps are unsuccessful, they must terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a Covered Entity is required to report the problem to HHS Office for Civil Rights.”[1]

Where Can I Get a Business Associate Agreement?

Good news! We offer a FREE Business Associate Agreement template on our site. Click the button below and enter your email to receive your BAA today.


Remember, having this agreement is only one piece of the compliance puzzle. To be fully compliant, you must complete a Risk Assessment, maintain current copies of all documents required by HIPAA, train your staff, and more. Our HIPAA Prime program does all this and more, ensuring compliance for your business.

To learn more or get started, email [email protected] today.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.

Sources

1. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
2. http://searchsecurity.techtarget.com/definition/business-associate
3. https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__
4. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Article information

Author: Clemencia Bogisich Ret