In the most basic sense, a Business Associate Agreement or BAA is a legal document between a healthcare provider and a contractor. A provider enters into a BAA with a contractor or other vendor when that vendor might receive access to Protected Health Information (PHI).
The guide below gives the basics of BAAs, including who needs them, when they’re required, what to put in one, and a HIPAA Business Associate Agreement Template (PDF) for 2017.
What is a BAA?
A BAA is a Business Associate Agreement. The HIPAA regulations call it a Business Associate Contract. They’re really the same thing.
BAAs satisfy HIPAA regulations, and create a bond of liability that binds two parties.
If one member violates a BAA, the other has legal recourse. If there’s no BAA or it’s incomplete, or if it gets violated, then both associates may find themselves in hot water with HIPAA and other FDA regulations.
What is a Business Associate?
The definition of a business associate is pretty simple. It’s anyone you contract out to who handles your Protected Health Information (PHI) for any reason. For a vivid example, in a famous HIPAA case, a clinic hired a vendor to convert their X-Ray films to digital form, and reclaim the silver from the films. They failed to sign a BAA, and got hit with a $750,000 payment order from the OCR.
Business associates are any organization or person that creates, transmits, receives, or maintains PHI on behalf of any covered entity, or on behalf of the business associate of a covered entity.
Do Employees Have to Sign a BAA?
Direct employees don’t have to sign a BAA. That’s because people who work for you are part of your organization and aren’t considered business associates. That said, they still fall under HIPAA laws. As your agents, you’re responsible for training them in privacy and security. This applies not only to your regular full-time hires, but also to trainees, temporary staff, volunteers, and anyone else in your direct control.
Do Contractors Have to Sign a BAA?
Any contractor who will come in contact with any PHI will have to sign a BAA. Since those people and organizations aren’t in your direct control, they can’t be treated as employees. As such, they’re considered to be business associates. That means they have to be ready to comply with HIPAA. That includes accepting compliance liability and signing a HIPAA Business Associate Agreement.
Who Needs a Business Associate Agreement?
Any person or organization identified under HIPAA as a Business Associate must sign a BAA with you.
If you hire a contractor, and it handles PHI that passes through your company first, you need to sign a BAA with that contractor. Your business associates must then sign HIPAA Agreement Forms with their business associates.
For example, if you hire Company B to dispose of X-Ray films, you need a BAA with them. If they hire Company C to transport the films to the incineration facility, then B and C need a BAA to comply with HIPAA regulations. But your company doesn’t need a BAA with Company C.
BAA Template 2017
A HIPAA Business Associate Agreement doesn’t have to be a standalone contract. The language of a BAA can be rolled into data security agreements, master service agreements, or terms of service contracts.
We’ve included a sample 2017 BAA here (PDF) (tk insert link), based on the example BAA provided by HHS.gov here. The template linked to above should never be used without advice from legal counsel.
The BAA PDF above was designed as an agreement between a single covered entity and a single business associate. That said, it can be modified for use with a business associate and their subcontractor.
What Kinds of Providers Must Sign a BAA?
BAAs must be signed by all Covered Entities, whenever their business associate will handle PHI that passes through the Covered Entity first. There’s a list of covered entities below. For more detailed information, see the HHS.gov page on HIPAA Covered Entities.
The following covered entities must sign BAA forms.
Health Care Providers
- Nursing Homes
- Health Insurance Companies
- Government Payers Like Medicaid and Medicare
Health Care Clearinghouses
- Including entities that convert PHI into electronic form.
Never Have a Vendor Handle PHI Without a BAA
If you haven’t signed a BAA with a vendor, keep PHI away from them at all costs. Healthcare providers who are tempted to look the other way on BAA regulations would be well advised to reconsider.
In 2016, OCR settled with North Memorial Health Care of Minnesota to the tune of $1.55 million.
The violation? North Memorial contracted with a vendor to perform various operations concerning a customer database. North Memorial neglected to sign a HIPAA BAA with the vendor.
Am I Liable for Non-Compliant Vendors Who Sign a BAA?
It’s not your fault if a vendor breaches the BAA and violates HIPAA in some way. When the vendor signs the document, they take on the liability for safeguarding the PHI. No company can be held responsible for policing another when it comes to HIPAA and a BAA.
That said, the tables turn when and if it can be proven that you knew about the breach of contract. HIPAA regulations state that businesses discovering a breach by a business associate must either correct the fault or terminate the BAA. If they don’t, they then share liability for the breach along with the associate.
HIPAA Business Associate Agreement Checklist
HHS summarizes what a BAA should cover. The source of the regulations is the HIPAA Administrative Simplification. That’s a 115-page document, so just focus on the following two sections:
- P. 67, section C, subsection iii (164.314), “Business associate contracts with subcontractors.”
- P. 81 (164.504), “Uses and disclosures: Organizational requirements.”
For a more concise view, we’ve consolidated the top-level BAA must-haves in the list below. (To see the source of the list, see the second paragraph of the HHS document here.) Any BAA must:
- Establish the permitted disclosures of PHI.
- Require the Business Associate (BA) to safeguard PHI.
- Require the BA to report HIPAA breaches.
- Require the BA to release PHI as the Covered Entity or patient requests.
- Make sure the BA will return or destroy all PHI on termination of the agreement.
What Else Might Be in a BAA?
The BAA template provided here (tk insert link to pdf) is generalized. Any real use of an agreement like this will require tailoring it to the specific needs of the organization. Here are just a few additional considerations a business might take into account when drawing up its own specific contract.
- Specifics of the breach reporting window. Current HIPAA language calls for BAs to report breaches no later than 60 days and “without unreasonable delay.” That language can be tailored for a more specific guideline.
- Breach insurance requirements. That varies depending on the type of vendor and service.
- Changes to default rules for HIPAA incident reporting. Under HIPAA law, BAs are required to report all “security incidents” to their covered entities. That’s a very broad term that can benefit from some specificity to define what a breach actually is. For example, should it include all failed attempts at unauthorized logons to a patient database?
- Provisions for breach indemnification. The covered entity should only be responsible for breaches that are actually its fault.
Contractors of Contractors and the BAA
Does a contractor of a contractor have to follow every provision in your BAA? The Privacy Rule seems to say it does. The Rule states that all subcontractors of business associates have to agree to identical restrictions as the business associate.
This doesn’t mean, however, that your HIPAA Business Associate Agreement applies to your contractor’s contractor.
Rather, subcontractors have to adhere to the contractor’s BAA. Since all HIPAA Agreement Forms must contain the same basic rules (provided by HHS), the provisions for all are equal.
Reporting BAA Breaches
Covered entities (CE) may try to include language about very short breach reporting windows in their contracts. For instance, a CE may include something like, “The business associate will report all breaches within three days of the breach.” That sounds reasonable, except when we consider that the BA might not even know about the breach until several days later.
In that case, the BA has now run afoul of HIPAA in total innocence. For this reason, it’s better for BAs to push for language like, “as soon as the breach is discovered or should have been discovered” in the Breach Notification section.
Your Contractor is Not Your Legal Agent
A HIPAA Business Associate Agreement that forces contractors or subcontractors into legal agent status is dangerous and unnecessary. In the event of a breach, the legal consequences of the offending party would then fall on the agent of that party. In other words, if Company A creates a breach, and Company B is its agent, then Company B also shares the HIPAA penalties. It’s best to include language in the BAA that expressly defines the non-agent relationship between both parties.
BAA and Cloud Service Providers
The age of cloud-based data has created new considerations for covered entities and contractors who require a BAA. Some Cloud Service Providers (CSPs) have tried to evade responsibility under BAAs by escaping through certain loopholes.
The Conduit Clause is a HIPAA provision for certain entities or individuals like postal workers who deliver mail that might include PHI.
The Janitor Clause is another HIPAA rule that grants exceptions to those whose services or functions have only tangential exposure to PHI. For instance, a hospital janitor would be exempt from PHI liability.
However, the Omnibus Rule of 2013 clearly scuttles these excuses by requiring compliance from any entity that creates, transmits, receives, or maintains PHI.
A BAA is crucial for any person, company, or other organization that handles PHI that originates elsewhere. Any time a provider or contractor hires a vendor that then handles the provider/contractor’s PHI, both parties must sign a BAA.
This HIPAA Business Associate Agreement PDF (tk add link) is adapted from the HHS version here. As with all Business Associate Agreements, it establishes permitted disclosures, requires the disclosure of breaches to HIPAA, and sets up other guidelines for handling provider-originated PHI.
A BAA is a critical document that protects covered entities and their business associates alike. It also sets up liability and limitations on both parties, so advice of legal counsel is always required.