Everyone who works in the HIPAA sphere has heard of the Business Associate Agreement, or BAA for short. Covered entities (CEs) have to sign this agreement with third-party organizations that deliver services involving their patients' ePHI, so that those operations are carried out securely. Signing a Business Associate Agreement is therefore a serious step.
It is common today for HIPAA-covered entities (CEs) to share these responsibilities with other organizations. The cybersecurity landscape is changing rapidly, and it is becoming more and more difficult to monitor every trend and threat alone. So third parties take on the responsibility of maintaining PHI and ePHI, even though it is very risky. Data breaches have increased considerably in the past few years. That is why it is important for a healthcare organization and a service provider to sign a Business Associate Agreement to ensure the privacy and security of healthcare data. But how exactly should the agreement be signed for it to be appropriate? Let's find out!
What Is a Business Associate Agreement (BAA) Under HIPAA?
It makes sense to begin with who Business Associates (BAs) are and a bit about their responsibilities. A business associate is a person or organization that provides services to, or performs functions on behalf of, a covered entity, where those services or functions involve the BA's access to protected health information (PHI). A member of the covered entity's own workforce cannot be a business associate.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to sign Business Associate Agreements with their business partners. This type of agreement aims to guarantee that business associates protect PHI and ePHI properly. It also establishes the conditions under which it is permissible to disclose PHI. A business associate can disclose PHI only when it is essential under the BAA or required by law. The business partner assumes direct responsibility for PHI security under the HIPAA Rules. An associate is subject to administrative and criminal liability in case of unlawful use or disclosure of PHI. Business associates are also subject to administrative liability for failing to protect ePHI in accordance with the HIPAA Security Rule.
Exceptions to the Rule
Of course, there are exceptions where there is no need to sign a Business Associate Agreement (BAA) before disclosing PHI. For instance, a covered entity (CE) may disclose an individual's protected health information (PHI) to a healthcare provider in order to ensure care. There are many other examples, but generally CEs may disclose PHI to persons who perform BA functions in order to assist the covered entity in carrying out its healthcare functions. The PHI is not to be used for the BA's own purposes, except where it is indispensable for the proper management and administration of the business partner.
You can find a Business Associate Agreement on the website of any organization providing HIPAA-compliant services. It is also possible to look at the sample BAA on the HHS site.
Common Business Associate Agreement Mistakes
It is no secret that covered entities (CEs) sometimes make errors when signing the Business Associate Agreement (BAA) with their business partners. Here is a list of the most common mistakes CEs make:
Signing a Business Associate Agreement with Every Partner
Naturally, covered entities want to be on the safe side and avoid unlawful data disclosures while collaborating with partners. But as we mentioned before, sometimes it is unnecessary to sign a BAA. An investigation sponsored by the California Healthcare Foundation revealed that many healthcare organizations signed agreements with entities and providers that never had access to PHI.
Signing a Business Associate Agreement without Checking HIPAA Details
The investigation mentioned above also showed one interesting fact: many covered entities do not bother to check the HIPAA compliance of the organizations and providers with whom they sign the BAA. Only a small share of the healthcare organizations studied asked their future BAs for confirmation of a risk assessment and for documented procedures to follow in case of a PHI disclosure. Being indifferent to this detail is very dangerous, because it can lead to severe penalties later.
Giving Third Parties Permission to Manage ePHI without Signing the BAA
Many service providers do not handle PHI directly, but ePHI passes through their databases and systems. A great deal of software touches ePHI, which means the software supplier must be a business associate in such situations. There are some exceptions for organizations that act purely as conduits for ePHI transmission. Nevertheless, the vast majority of software and cloud services are not exempt from HIPAA compliance, so the Business Associate Agreement (BAA) is important.
Thinking That ePHI Encryption Is All That Is Necessary to Be HIPAA-Compliant
ePHI encryption is important for maintaining HIPAA compliance, because it lets business associates (BAs) store and transmit ePHI securely. But on its own it is not enough to be HIPAA-compliant. It is also necessary to develop, establish and maintain physical safeguards, administrative safeguards, and documented policies and procedures. These steps are necessary to ensure that unauthorized individuals cannot access ePHI.
Not Complying with Subcontractors' Business Associate Agreements
The BAA establishes a chain of custody for PHI. A supplier that provides services to a HIPAA-covered entity must sign a contract with that covered entity, and the subcontractors used by the supplier must sign such a contract as well. However, they are the business associate's partners, not the covered entity's, so they are not covered by the agreement between the covered entity and the business associate. Before they get access to PHI, a separate agreement must therefore be signed. The farther ePHI travels, the longer the chain becomes and the greater the chance of a BAA violation under HIPAA.
Using Business Associate Agreement Templates with Inaccuracies
There are many BAA templates freely available, but they must be reviewed before use. First, check for whom the template was created; this helps you make sure the agreement suits your situation. After that, it is essential to modify the template to reflect all of the covered entity's requirements.
So, keeping these mistakes in mind, you can sign the Business Associate Agreement (BAA) properly under HIPAA!
How Are Business Associates Punished for HIPAA Violations?
As we indicated before, business associates (BAs) can be punished for HIPAA violations just as covered entities (CEs) can. Signing the BAA makes a business associate legally liable for HIPAA non-compliance and related risks. BAs can be penalized for the following violations:
- Neglecting the HIPAA Security Rule; for example, a BA can be punished for failing to perform a risk analysis.
- Not signing a Business Associate Agreement (BAA) with subcontractors that have access to PHI, and not complying with the specifics of its implementation.
- Not taking appropriate measures to report material breaches and violations of the BAA.
- Using or disclosing PHI in a way that does not comply with the Business Associate Agreement.
- Not providing a copy of PHI to a covered entity (CE) when the CE needs it to comply with a patient's right of access.
- Not taking reasonable steps to limit requests for, use of, and disclosure of PHI to the minimum necessary to achieve the intended purpose of the use, disclosure, or request.
- Not keeping an accounting of disclosures, which is necessary to allow a covered entity to comply with its duty to provide such an accounting when requested.
- Not notifying the covered entity or other partners of a breach of PHI under the Breach Notification Rule.
- Retaliating against individuals for filing complaints, taking part in investigations or other enforcement proceedings, or opposing actions and practices that are impermissible under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Not providing the U.S. Department of Health and Human Services (HHS) with documentation and records proving HIPAA compliance, not cooperating with complaint investigations and compliance reviews, and not giving HHS access to information, including PHI, that is relevant to a compliance determination.
An Example of a HIPAA Violation by a Business Associate
The most vivid example of a BA being punished for a HIPAA violation is the case of CHSPSC, a provider of management services to healthcare organizations that belong to Community Health Systems. In 2020 the provider paid USD 2.3 million in one of the latest enforcement actions against a business associate by the HHS Office for Civil Rights (OCR).
The enforcement action arose from a data breach in 2014. More than 6 million patients and 230 covered entities were affected. The attackers stole Social Security numbers, dates of birth, and contact details, including emergency contacts. During the HIPAA audit, OCR found many violations, including failure to conduct a risk analysis, and failures in information system activity review, security incident procedures, and access controls.
So, we have found that it is not necessary to sign a Business Associate Agreement (BAA) with every partner. But it is still necessary to pay attention to every detail so as not to make common mistakes when signing a BAA. The covered entity needs to review the agreement template before signing it and define the conditions of HIPAA compliance in advance to avoid possible future violations. Business associates should also be attentive and aware of the penalties for breaches of PHI.
Consider the mistakes mentioned in this article before signing a Business Associate Agreement, and feel free to contact us if you have any questions about the process!