What is a Business Associate Agreement?

A Business Associate Agreement is a contract between a covered entity and a business associate required by the Administrative Simplification Regulations of the Health Insurance Portability and Accountability Act (HIPAA) when Protected Health Information (PHI) is exchanged between the parties.
Download Business Associate Agreement Template (Word document)
The contract stipulates the permissible uses and disclosures of PHI in the business associateโs possession and provides that the business associate will not further disclose PHI except as permitted by the contract, will use appropriate safeguards to protect the confidentiality, integrity, and availability of PHI, and will comply with requests for access to, amendment of, and an accounting of disclosures if required.
What are Covered Entities and Business Associates?
Under HIPAA, a covered entity is a health plan, a health care clearinghouse, or a healthcare provider that conducts electronic transactions such as eligibility checks, authorizations, and reimbursement claims for which the Department of Health and Human Services (HHS) has published standards in 45 CFR Part 162 of the HIPAA Administrative Simplification Regulations.
When a covered entity outsources an activity to a third party that is not a member of its workforce, and the outsourced activity involves the receipt, storage, or transmission of PHI, the third party becomes a business associate of the covered entity. Before disclosing PHI to the business associate – or using the business associate to collect PHI on its behalf – the covered entity must enter into a Business Associate Agreement with the business associate.
What a Business Associate Agreement Must Contain
A Business Associate Agreement must contain the allowed uses and disclosures of PHI for the business associate to carry out an activity for or on behalf of the covered entity. It should also allow the business associate to use PHI in its possession for the management and administration of its business and to carry out its legal responsibilities, and prohibit the business associate from using PHI for any purpose not permitted by the Privacy Rule.
In addition, a Business Associate Agreement must explain how the business associate will respond to individuals exercising their rights to access, inspect, and request amendments to PHI, or request an accounting of disclosures. The explanation may depend on what access the business associate has to PHI (i.e., โno viewโ), whether data is maintained in designated record sets, and whether the covered entity would rather deal with the requests itself.
Other items a Business Associate Agreement must contain include:
- A requirement that the business associate will implement safeguards to prevent unauthorized uses or disclosures of PHI.
- A requirement for the business associate to report any uses or disclosures of PHI not allowed by the agreement.
- A requirement for the business associate to report โsecurity incidentsโ as defined in 164.304 of the Security Rule.
- A requirement for the business associate to make HIPAA-related records available in the event of an audit or investigation.
- A requirement for the business associate to return or destroy PHI received at the termination of the Business Associate Agreement.
- A requirement that any subcontractor with access to PHI agrees to the same conditions as apply to the business associate.
What a Business Associate Agreement Can Contain
Other than the mandatory requirements for Business Associate Agreements in ยง164.504 of the Privacy Rule, covered entities and business associates can add additional clauses into a Business Associate Agreement depending on the relationship between the covered entity and business associate and the nature of activity being performed by the business associate for or on behalf of the covered entity.
Examples include that a covered entity requires a business associate to implement security measures beyond those required by the Security Rule, or โ if, for example, the business associate is responsible for responding to individualsโ access and amendment requests โ that certain members of the business associateโs workforce undergo HIPAA Privacy Rule training in addition to mandated security awareness training.
Large software companies can also insert additional clauses into their โone-size-fits-allโ Business Associate Agreements. For example, Microsoft, Google, and IBM give notice of unsuccessful security incidents to avoid having to report every unsuccessful ping, port scan, or unsuccessful login attempt. Most also condition the agreement on โin-scopeโ services being correctly configured by the covered entity.
HIPAA Compliance Challenges with Agreements
There should not really be any HIPAA compliance challenges with Business Associate Agreements because HIPAA is clear about when a Business Associate Agreement is required, what it must contain, and what it can contain. However, a challenge for some covered entities is whether or not a relationship with a third party service provider requires a Business Associate Agreement due to the types of relationship that exist in healthcare.
For example, when a healthcare provider employed by a covered entity refers a patient to an external healthcare provider and shares PHI with the external healthcare provider for the purpose of treating the patient, the requirement to enter into a Business Associate Agreement can depend on whether the external healthcare provider qualifies as a covered entity in their own right and/or has an existing treatment relationship with the patient.
Other HIPAA compliance challenges may exist due to the โconduit exceptionโ, a covered entity being a member of an Organized Health Care Arrangements, or the failure to understand a cloud service providerโs โin-scopeโ services. Conversely, a covered entity can unnecessarily increase the administrative burden by entering into Agreements with third party service providers that do not qualify as business associates (i.e., landscape gardeners).
As HHSโ Office for Civil Rights can fine healthcare providers for not entering into a Business Associate Agreement when one is required โ or increase the size of a fine for other HIPAA violations when no Agreement exists – any individuals or organizations concerned about whether or not they are complying with the requirements for Business Associate Agreements should seek professional compliance advice.