There are general principles that covered entities and business associates must follow when entering into contracts or agreements, so that the protected health information handled by business associates is kept safe. More precisely, a business associate contract or agreement aims to clarify and limit the business associate’s uses and disclosures of protected health information, based on the relationship between the two parties and the activities and services the business associate provides. This contract also gives the covered entity assurance about the health information that is being entrusted to the business associate. Under the HIPAA Privacy Rule, every Covered Entity must have a written Business Associate Agreement (BAA) with each Business Associate (BA) it hires who may encounter PHI. Healthcare providers and anyone who handles PHI on their behalf must sign business associate agreements. They are part of a larger effort to ensure that PHI and ePHI are not accidentally or intentionally shared with unauthorized people. A business associate agreement must be signed by the parties involved, who thereby accept all applicable legal requirements.

What Is a HIPAA Business Associate Agreement?

Business contracts are common whenever two parties work together: the parties sign to accept the terms and conditions set out in the document. A business associate agreement is a formal contract of this kind that outlines the duties and responsibilities of one or both parties when it comes to protected health information. Under this agreement, the covered entity and its business associates are equally responsible for preserving the health information. In the event of a breach by an associate, having this type of agreement is the best and safest way to safeguard both the company and the practice.

A business associate may only disclose protected health information if the agreement authorizes it or the law requires it. A business associate is bound by the law and cannot release information outside those limits; penalties may be imposed if it does. All covered entities must sign a Business Associate Agreement (BAA) with each Business Associate (BA) they hire who may encounter Protected Health Information under the HIPAA Privacy Rule. The HIPAA Omnibus Rule changed the way Business Associates and Business Associate Subcontractors (BAS) may be held accountable for HIPAA violations. Because of this, it is critical that the Covered Entity and the Business Associate have a clear, shared understanding of how they plan to protect patient, client, and employee data.

What Are the Common Terms in a Business Associate Agreement?

1. Covered Entity

This could be a doctor, a specialist, a health plan, a health insurance company, or a healthcare clearinghouse. In most cases, the transactions these entities conduct with PHI are related to billing and payment services, as well as insurance coverage.

2. Business Associate

This is the company that, on behalf of the Covered Entity, creates, retains, transmits, or receives patient health information. Medical billing firms, accountants, attorneys, transcription services, email encryption providers, file sharing vendors, backup storage providers, and so on all fall into this category. Before you can figure out what HIPAA demands of you, you must first be able to classify the people and organizations you work with. As defined by the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate is any business or person who creates, processes, or discloses Protected Health Information (PHI) in the course of delivering services to a Covered Entity. According to HHS, Covered Entities may only disclose PHI to a Business Associate so that the Business Associate can assist them in carrying out their healthcare activities, not for the Business Associate’s own use or purposes. A Business Associate or Subcontractor, for example, cannot use the Covered Entity’s PHI for its own email campaign.

3. Business Associate Subcontractor

This is the company that, on behalf of a Business Associate, creates, receives, transmits, or keeps patient health information. An accountant, attorney, transcription service, file sharing vendor, IT support vendor, shredding provider, and so on are examples of such professionals. A person or company to whom a Business Associate delegates a role, activity, or service is known as a Business Associate Subcontractor. Just as a Covered Entity is assisted by a Business Associate, the BA may in turn be assisted by others. Under HIPAA, these people and businesses are known as Business Associate Subcontractors.

What Is Liability?

In the case of a PHI breach, a solid HIPAA Business Associate Agreement will insulate businesses from liability they did not cause. If one of the two parties is to blame for a breach, the BAA should contain language that makes clear who is responsible. Business Associate Agreements are not only required by the federal government; they are also in the best interests of an organization, since breaches can permanently damage its reputation.

Privacy Rule Considerations

The Privacy Rule established by HIPAA sets criteria for securing PHI and regulates its use and disclosure without patient authorization. It also gives patients the right to receive a copy of their medical records and to request that their PHI be corrected. As business associates, cloud service providers may only use and disclose PHI in accordance with their BAA and the Privacy Rule. Even cloud providers that cannot view the PHI they hold (for example, because they store it only in encrypted form) may use and disclose it only when the BAA and the Privacy Rule allow it. Business Associate Agreements must contain clauses requiring business associates to give the covered entity access to PHI so that the covered entity can fulfill its obligations to individuals: individuals must be allowed to access and correct their PHI and to get an accounting of certain disclosures of it. In addition, BAAs should always specify the steps that no-view cloud service providers must take to meet their Privacy Rule requirements.

What Are the Penalties for Business Associates in Violation of HIPAA Rules?

The Office for Civil Rights (OCR) has the authority to impose financial fines and/or corrective action plans for business associate violations. Fines range from $114 to $57,051 per violation. The severity of monetary penalties is determined by the offender’s level of knowledge of the offense. In addition to the fines imposed by the OCR, BAs may face legal action if they violate the provisions of their BAA. The bottom line for cloud service providers and all companies in a BA role is clear: you will be held to the letter of HIPAA regulation, which might result in harsh penalties, so you must take HIPAA compliance seriously.

What Happens if the Business Associate or Subcontractor Discloses PHI?

A Business Associate is directly accountable under the HIPAA Rules, and subject to civil and, in some situations, criminal penalties, for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate or Subcontractor is also directly accountable, and subject to civil fines, for failing to safeguard electronic Protected Health Information in compliance with the HIPAA Security Rule. When a Business Associate or Subcontractor breaches or violates a BAA, the Covered Entity is required to take reasonable steps to remedy the breach or end the violation. If such efforts fail, the contract or agreement must be terminated, according to HHS. If it is not possible to terminate the contract or arrangement, the Covered Entity must report the problem to the HHS Office for Civil Rights.

Elements of a HIPAA Business Associate Agreement

A basic BAA usually has five to seven sections that cover various aspects of the contract. The following sections are frequently found in BAAs:

- Definitions: Usually the first portion of the agreement, defining the terms used. Business associates, covered entities, and the HIPAA rules are examples of these concepts.
- Obligations: This section outlines all of the BA’s requirements.
- Permitted Uses and Disclosures by Business Associate: The agreement’s most important section, which sets out the specifics of the BA’s permitted uses and disclosures of PHI.
- Provisions for the Covered Entity to Inform the Business Associate of Privacy Practices and Restrictions: This section describes when the covered entity may need to notify the BA about a restriction, change, or limitation.
- Permissible Requests by the Covered Entity: This part is optional; it can include examples of requests that the covered entity will accept.
- Term and Termination: This section covers the agreement’s start and end dates, termination for cause, the BA’s obligations in the event of termination, and which obligations survive termination.
- Miscellaneous: Another optional part, covering how the agreement may be amended or how ambiguity in the contract is to be resolved.

How to Create a Business Associate Agreement?

There are several templates and sample terms available online for drafting a business associate agreement. When you choose to download a template, certain information must be taken into consideration. This section walks through creating a business associate agreement in a few simple steps.

1. Access Template

Business Associate Agreement templates are easily accessible; all you have to do is find one and download it. This is useful for organizations or businesses that work with subcontractors and business associates.

2. Identify Roles

Two parties are directly involved in the Business Associate Agreement, and a business associate agreement typically contains the language necessary to comply with HIPAA. The parties it directly concerns must be named in the first paragraph. The covered entity should be identified first. The covered entity’s role is to give the other party access to and control over the medical records it holds. The covered entity’s basic information must be entered on the agreement’s first blank line, and the name must be written exactly as it appears on the covered entity’s official identification. The next item to enter is the name of the business associate who will have access to the covered entity’s medical data; it goes in the second blank space of the first paragraph, after the covered entity. You must also ensure that the business associate’s name matches the one on his or her identification, such as a driver’s license, passport, or other government-issued ID card.

3. Review Paperwork

The covered entity and the business associate should review the agreement to ensure that it contains no errors or misleading information. It sets out what each party should expect, how the Business Associate should behave, how the Agreement is to be used, and other pertinent information. If both parties agree that everything written is accurate and that no corrections are needed, each must take part in executing it. Both parties then sign and date the blank spaces labeled “Signature” and “Date,” respectively. A signature line is reserved for the business associate so that, once both signatures are attached, the entity accepting the obligations and approvals granted by this form has signed his or her name.

This article contains a sample business associate agreement provision that may make it easier for covered entities and business associates to meet all contract requirements. The goal of these sample templates is to provide a clear and simple provision between the covered entity and the business associate. As you can see, business associate agreements are highly technical and complex. When forming this type of relationship with a covered entity, it is critical to understand the role of HIPAA compliance and BAAs. If you have any questions, contact a privacy lawyer for specific legal guidance.

Where Can I Get a Business Associate Agreement?

There are many free business contract templates available online. Having this agreement is only one piece of the compliance puzzle. To be fully compliant, you must complete a Risk Assessment, maintain current copies of all documents required by HIPAA, train your staff, and more.

What Makes a Vendor a Business Associate in HIPAA?

A vendor is a business associate when electronic PHI (ePHI) passes through the systems it uses to deliver its services. Before allowing a business associate to come into contact with PHI or ePHI, the covered entity must obtain a signed HIPAA business associate agreement.

Why Is a Business Associate Agreement Required by HIPAA?

HIPAA mandates the Business Associate Agreement whenever a third party (the “business associate”) is given access to protected health information (“PHI”) by a medical office or other covered entity.

When managing a business or a corporation, an employer may have a business associate working alongside the covered entity’s workforce. Simply put, a business associate is like a pawn in a chess game, standing guard to defend the pieces behind it. For the parties to perform their functions properly, all of them must sign an agreement so that responsibilities and obligations are assigned without ambiguity. If protected health information is exposed to a third party through errors, incorrect information, or a breach, and the disclosure was not required by law, the covered entity can bring a lawsuit. When such an incident occurs, the business associate is directly accountable and subject to legal penalties for failing to protect the health information.