RSI Security

Stay HIPAA Compliant with a Business Associate Agreement

RSI

If your organization provides services to healthcare entities, such as IT support, cloud storage, billing, or legal services—you may be legally required to sign a HIPAA Business Associate Agreement (BAA).

This agreement ensures that your organization complies with the Health Insurance Portability and Accountability Act (HIPAA) when handling or accessing protected health information (PHI).

Entering into a BAA means committing to partial or full HIPAA compliance, which includes conducting risk assessments, implementing security controls, and maintaining appropriate data protection policies.

Are you ready to fulfill the requirements of a HIPAA BAA? Schedule a consultation to find out!

HIPAA Business Associate Agreements 101

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists to define and safeguard protected health information (PHI). It applies primarily to covered entities within the healthcare field. However, it also contractually requires business associates to safeguard PHI.

Understanding and staying compliant as a business associate requires knowing what a BAA is, who counts as a covered entity or a business associate, which HIPAA rules the agreement obligates you to follow, and what is at stake if you fall short. Each is covered in turn below.

The big takeaway of business associate considerations under HIPAA is that the regulation applies beyond the boundaries of healthcare to many stakeholders adjacent to the industry.

What is a HIPAA Business Associate Agreement?

A HIPAA Business Associate Agreement (BAA) is a legally binding contract that requires business associates to follow certain HIPAA compliance standards.

These associates, such as IT providers, billing services, or consultants, must either fully comply with HIPAA or support their covered entity partners in maintaining compliance.

The HIPAA BAA extends HIPAA’s privacy and security requirements beyond healthcare providers, ensuring that any third party with access to protected health information (PHI) also handles it responsibly.

These agreements are mandated and regulated by the Department of Health and Human Services (HHS) as part of HIPAA’s goal to safeguard patient data across the entire healthcare ecosystem.

To fully understand why these agreements are necessary, it’s important to know what qualifies as PHI. Protected health information includes any data that identifies an individual in connection with their physical or mental health, treatments received, or healthcare payments, whether in full documents or individual data points.

HIPAA Covered Entities and Business Associates

Business associate contracts are made between covered entities and their business associates, requiring the latter to (at minimum) help the former meet their HIPAA requirements. As for who these parties are, the HHS has established three categories of HIPAA covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims.

Business associates are any organizations that work with these entities in a way that requires them to come into contact with PHI.

There is no explicit restriction on which kinds of partners are considered business associates, but common examples include third-party administrators, accounting and legal services providers, consultants, and benefits managers working on plans.

Covered entities are the parties who produce, use, and otherwise come into contact with PHI the most. Business associates also come into contact with it regularly, so it applies to them too.

Business Associate Agreement HIPAA Requirements

HIPAA explicitly requires covered entities who work with business associates to operate under a business associate contract.

The rule does prescribe a minimum set of provisions the contract must contain (45 CFR 164.504(e)): the permitted and required uses and disclosures of PHI, a requirement to apply appropriate safeguards, a duty to report unauthorized uses, disclosures, and breaches back to the covered entity, flow-down of the same terms to any subcontractors, support for individuals' rights of access, amendment, and accounting of disclosures, termination for material breach, and return or destruction of PHI when the engagement ends. Beyond those, covered entities have discretion over the particular terms, and HHS publishes sample provisions that can be adapted.

Under a business associate contract, HIPAA applies to business associates much as it does to covered entities. Since the HITECH Act and the 2013 Omnibus Rule, business associates are also directly liable under the Security Rule and the applicable parts of the Privacy Rule, not merely liable to the covered entity for breach of contract.

The practical upshot is that business associates need to prepare for HIPAA compliance just like covered entities to avoid any future complications.

Privacy Rule Requirements for Business Associates

The HIPAA Privacy Rule is the first and most fundamental part of the entire HIPAA framework. It defines both PHI and covered entities, along with their (and their business associates’) essential responsibilities with respect to safeguarding PHI.

Namely, PHI needs to be made available to its subjects (persons identified within the PHI) at their request. But it also needs to be protected such that no unauthorized disclosures or uses, except for a set of permitted ones, can happen.

Some practical examples of permitted disclosures include using limited data sets for approved research or making certain information available for disease prevention or other public benefits.

See the HHS’s summary of the Privacy Rule for a comprehensive list of permitted PHI uses.

Security Rule Requirements for Business Associates

The Security Rule builds on the Privacy Rule, adding specific controls organizations need to apply to ensure the confidentiality, integrity, and availability of PHI.

There are two major kinds of measures the Security Rule requires covered entities and business associates to implement.

The first prescriptive requirement is programmatic risk analysis and management, including regular risk assessments that document, address, and ideally neutralize threats to PHI.

The other prescriptive requirement is implementing three sets of safeguards: administrative safeguards (security management, workforce training, access authorization, and contingency planning), physical safeguards (facility access, workstation use, and device and media controls), and technical safeguards (access control, audit controls, integrity protection, person or entity authentication, and transmission security).

These protections apply to electronic PHI (ePHI). Originally, business associates were bound to them only through their contracts with covered entities, but the HITECH Act (as implemented by the Omnibus Rule) made business associates directly liable for Security Rule compliance, so HHS can enforce against a business associate without going through the covered entity.

Breach Notification Requirements for Business Associates

Covered entities and business associates also need to comply with the Breach Notification Rule, which requires monitoring and communication infrastructure to be in place to report on breaches as swiftly as possible.

HIPAA defines a breach as any acquisition, access, use, or disclosure of unsecured PHI that is not permitted by the Privacy Rule. Such an incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. PHI that was encrypted according to HHS guidance is not "unsecured," so the loss of a properly encrypted device or file is not a reportable breach.

If a breach has occurred, the covered entity or business associate who becomes aware of it needs to provide notice to one or more parties.

In particular, individual notice must go to every person whose PHI was involved, without unreasonable delay and no later than 60 calendar days after discovery. The Secretary of the HHS must also be notified: within that same 60-day window if 500 or more individuals are affected, or otherwise in an annual log submitted within 60 days after the end of the calendar year in which the breach was discovered. And, if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well.

If the breach is discovered by the business associate, its baseline obligation is to notify the covered entity without unreasonable delay (and within 60 days of discovery), identifying each affected individual and supplying the details the covered entity needs for its own notices. The covered entity then notifies individuals, the HHS, and, where required, the media, unless the BAA delegates some of those notices to the business associate.

The business associate agreement will detail all specific responsibilities related to this rule, including how quickly the business associate must report an incident and which party sends which notices.

The Stakes of Business Associate Compliance

Unlike some other regulatory contexts, HIPAA does not require a certification assessment to affirm compliance. Instead, the HHS expects organizations operating in the field to be compliant at all times, and compliance is examined when a breach is reported, when a complaint is filed with the HHS Office for Civil Rights (OCR), or when OCR selects the organization for an audit.

If a covered entity (or business associate) is found to be in violation, one or both parties may be subject to HIPAA enforcement, including civil money penalties and, for knowing misuse of PHI, criminal charges.

In particular, business associate contracts often distribute the liability for noncompliance issues between the business associate and covered entity, depending on the responsible party for the particular data breach or incident in question.

In practice, causing a HIPAA violation might be a breach of contract, and it can open the business associate up to the HHS’s enforcement arm.

To avoid these possibilities, covered entities and business associates are encouraged to work with third-party HIPAA advisors and assessors to optimize all elements of their cyberdefenses.

Achieve and Maintain Compliance

If your organization works directly in healthcare, or it partners with other organizations that are covered entities, you may need to comply with HIPAA—or at least help a partner comply. If that’s the case, you’ll need to ensure that your cyberdefenses meet HIPAA standards.

RSI Security has helped countless organizations in and adjacent to healthcare comply with HIPAA. We know that the right way is the only way to keep sensitive data and patients safe.

Protect your organization from costly HIPAA violations: download our HIPAA Checklist today to ensure you're fully compliant.