- The transfer of data between two covered entities, each acting in their primary role as a covered entity (for instance, with provider referrals or insurance claims) is not considered a business associate relationship.
- Law enforcement and government agencies may request PHI, but they are not considered business associates.
Get my free SecurityMetrics HIPAA Guide
Important to understand: covered entity liability
CEs are responsible for knowing who their business associates are, and having proper agreements in place. They’re responsible for drafting BAAs that meet their own requirements, as well as HIPAA requirements. The business associate's responsibility includes adhering to whatever is in the contract, but the CEs must personally take measures to check on their BA’s patient data handling processes and security measures.
Even with the agreement in place, there’s still a shared liability between a covered entity and a business associate. If the covered entity drafts and signs the best possible agreement, and keeps it up to date—but doesn’t monitor compliance, there isn’t a high level of protection from data breaches and fines. And, in the event of a data breach, covered entities will be required to show that they’ve done their due diligence and given best efforts to prevent the breach.
Remember that while a properly executed business associate agreement will transfer most of the financial liability of a BA’s data breach to the BA itself, there remains the ever-present risk of damage to the covered entity’s public reputation.
What’s in a business associate agreement?
First of all, realize that you need to know the ins and outs of what’s in (and should be in) a business associate agreement. Most covered entities use a business associate agreement template, which is fine and even recommended. But regardless of who created it, you need to know what’s in it.
Some of the required elements:
- Permissible and required disclosures: what the business associate can and can’t do with the data, as well as what they’re required to do with the data
- Reference to “downstream” subcontractors: ensure that they are responsible to abide by the same terms as the BAs
- BA’s duty to safeguard the data: with reference to the security rule
- Reporting obligations: BA’s responsibility to notify CE of impermissible disclosures, which could include a data breach incident
- Termination clause: CE can terminate the contract for violation of terms, and in the event of termination, the BA must return or destroy the data
Elements that aren’t legally required but are still good to have:
- A “right to audit” clause: gives the covered entity right to monitor the business associate’s compliance with BAA
- Indemnification clause: each party will take respective responsibility for any financial harm caused
- Expiration dates: if you don’t regularly review your BAAs, they may have expiration dates of which you’re unaware. This puts them at risk of becoming invalid. Does HIPAA require expiration dates on business associate agreements? No. The agreements can be in force indefinitely. However, it’s crucial that you check on them periodically, so expiration dates are a great way to force the action of review.
The “minimum necessary” rule
This requirement is found in the HIPAA Privacy Rule and supports the foundational principle that parties shouldn’t create, use, disclose, or transfer more information than is needed to complete the task.
Many BAs believe that the covered entity takes care of the minimum necessary requirement. But, the business associate also has the responsibility to request and use only the minimum amount of information required to perform the task.
BAA contract negotiation
Sometimes business associates want to change parts of the agreement. Or, a larger organization might have a standard contract and won’t sign anyone’s but their own. In these cases, you can find yourself at a sticking point. Where do you dig in your heels and where do you give a little leeway?
If you find yourself in this situation:
- Create a checklist of items to address
- Understand that required elements are not negotiable
- Identify objectives and prioritize them to avoid getting stuck on non-important issues
If a business associate is not going to comply with certain things, that’s a good indication as to whether or not you should work with them.
HIPAA regulations require you to take action if you know or believe a business associate is not HIPAA compliant. And, covered entities should remember that they have purchasing power in relation to a business associate. In a recent SecurityMetrics poll, we asked covered entities if they would work with a business associate who would not sign a BAA. 100% of respondents answered, “no.”
HIPAA Compliance
Even if a business associate does not consider itself to be “within” the healthcare industry, the reality is that if they store, process, transmit, maintain and/or touch protected health information in any way—they must be HIPAA compliant. Covered entities may catch more heat from data breaches, but business associates are also legally bound to protect PHI.
The business associate agreement is the starting point for the covered entity-business associate relationship. It defines roles, places responsibilities, and—if properly followed + maintained—ultimately helps keep protected health information safe and secure.
