What is a HIPAA Business Associate Agreement?

Modified on Mon, 18 Sep, 2023 at 12:39 PM

The HIPAA Privacy Rule permits a covered entity to disclose protected health information (PHI) to a business associate, and allows a business associate to create, receive, maintain, or transmit protected health information on that covered entity’s behalf, if the covered entity first obtains satisfactory assurances that the business associate will appropriately safeguard the information.


The satisfactory assurances must be documented through a written contract or other written agreement or arrangement with the business associate. This written contract or arrangement typically takes the form of a HIPAA business associate agreement, or BAA.


What Must be Included in a Business Associate Agreement?

The BAA must contain specific content. The BAA must provide that the business associate will:


  1. Not use or further disclose PHI other than as permitted or required by the contract or as required by law.

  2. Use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule with respect to electronic protected health information (ePHI), to prevent use or disclosure of the ePHI other than as provided for by the BAA.

  3. Report to the covered entity any use or disclosure of the information not provided for by the BAA that the business associate becomes aware of, including breaches of unsecured protected health information as required by the Breach Notification Rule.

  4. Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information.

  5. Make available protected health information in accordance with the Privacy Rule's right of access provision.

  6. Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with the Privacy Rule's "Amendment to Protected Health Information" provision.

  7. Make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule's "Accounting of Disclosures" provision.

  8. To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of that obligation.

  9. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity available to the HHS Secretary for purposes of determining the covered entity's compliance with the Privacy Rule.

  10. At the termination of the BAA, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information, or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.


Who Must Enter into a HIPAA Business Associate Agreement?

Covered entities (healthcare providers, healthcare clearinghouses, and health plans) often seek assistance from vendors to perform tasks involving protected health information (PHI). For example, a healthcare provider may engage a billing service to send bills to its patients. Vendors with which covered entities share PHI are known as business associates. 


Examples of business associates include (among others):


Managed service providers; software providers; telehealth platforms; medical billing services; practice management software companies; cloud storage providers; physical storage providers; EHR providers; accountants; attorneys; and shredding services.


The HIPAA regulations require that covered entities enter into business associate agreements with these vendors if the vendor is to perform services, functions, or activities for, or on behalf of, covered entities, involving the creation, transmission, maintenance, or receipt of PHI. A business associate agreement must contain the above-mentioned satisfactory written assurances and other required language.


Business associates often themselves engage the services of their own vendors to perform tasks involving PHI. For example, the billing service business associate mentioned above may engage the services of a cloud hosting platform to store its billing data. Vendors with which business associates share PHI are known as business associate subcontractors.


The HIPAA regulations require that business associates enter into business associate agreements with business associate subcontractors - vendors who perform services, functions, and activities for, or on behalf of, business associates, involving the creation, transmission, maintenance, or receipt of PHI. The business associate agreement must contain satisfactory written assurances from the business associate subcontractor that it will safeguard the PHI that the business associate shares with it.


Business associate agreements must be entered into before a covered entity may share PHI with a business associate, and before a business associate may share PHI with a business associate subcontractor.
