Compliance and the BAA: Why It Matters

Previously in our discussions of HIPAA, we've talked a lot about the Privacy, Security and Breach Notification Rules and the definitions of Covered Entities and Business Associates. Yet there's one place all of those come together that we haven't discussed in detail yet: the business associate agreement (BAA).

As I’m sure you remember, a Covered Entity is the healthcare organization while the Business Associate, or BA, is the vendor or service provider. That means a BA can be anyone from a cloud provider to an accountant to a claims processor or medical transcriptionist. When you consider the range of possibilities in the services BAs can provide, it becomes clear why BAAs are so important in protecting healthcare organizations and their data.

Another reason these agreements matter: a shift in compliance responsibilities has occurred in recent years, and it’s important to understand what’s changed and what the BAA must cover.

Before the Omnibus Rule, the HIPAA compliance ball was primarily in the Covered Entity's court. For the most part, BAs were only accountable for the terms dictated by their contracts. That's changed; these days compliance responsibility rests on both parties. Every BA is subject to audits by the Office for Civil Rights (OCR) and can be held accountable for noncompliance. That includes potential civil and criminal penalties for some violations – such as unauthorized uses and disclosures of protected health information (PHI) or data breaches.

All of this means that the BAA has become increasingly important: it is the contract that guarantees vendors are handling all medical records and ePHI appropriately and are compliant with HIPAA requirements. BAAs aren't just for the BA, either. Any subcontractors the vendor uses must also sign BAAs.

What BAAs Do

Business associate agreements must clearly spell out all compliance responsibilities, but two Rules in particular need to be understood and articulated: the Breach Notification Rule and the Privacy Rule. The Breach Notification Rule details the notification obligations toward all impacted parties in the event of a breach, including the Secretary of Health and Human Services (HHS) and the media. The Privacy Rule deals with the collection and use of medical records and PHI.

Each agreement must explicitly spell out specific elements, such as:

  • How the BA will report and respond to a data breach, including those caused by any subcontractors they’ve used.
  • How the BA will respond to an OCR investigation.
  • A guarantee the BA will appropriately safeguard PHI.
  • The permitted and required uses and disclosures of PHI, including all limitations of the permissible uses and disclosures by the BA.
  • Details regarding the safeguards implemented to prevent unauthorized use or disclosure of the information.
  • A promise to report any unauthorized uses or disclosures of PHI to the covered entity.
  • A guarantee the BA will carry out a covered entity’s obligations as mandated under the Privacy Rule and Security Rule.
  • An agreement to share the BA’s internal practices, books, and records relating to the use and disclosure of PHI with HHS, as requested.
  • A guarantee that any subcontractors with access to the PHI will comply with the same restrictions and conditions.

Remember, HIPAA impacts every aspect of your business. Just as compliance regulations influence almost every department in your organization, you’ll need to get BAAs in place with every vendor or service provider who has any interaction with PHI. It’s a mandatory part of getting compliant – and a smart component of your organization’s security program.
