There may be times when organizations in the healthcare industry need to use the services of other businesses to carry out certain functions. HIPAA regulations allow providers to disclose protected health information (PHI) to these business associates. A written compliant contract between the business associate and the covered entity, known as a Business Associate Agreement (BAA), will be needed to be put into place to ensure all information will be appropriately safeguarded. A BAA establishes a clear line of responsibility in regards to the security of data and the liability of the business associate in case of any breaches.

Examples of a Business Associate:

  • A medical transcriptionist that provides transcription services to a doctor’s office.
  • A third party entity that helps a health plan with processing claims.
  • A third party IT entity that handles hosting or managing the technology and data of a covered entity.

Department of Health and Human Services (HHS) requires that the following be included in the written contract between the HIPAA covered entity and the business associate:

  • Establish how the business associate is permitted to use or disclose the protected health information.
  • State that the information may not be used or further disclosed by the business associate other than as permitted or required by the contract.
  • Require that appropriate safeguards be put in place by the business associate to prevent unauthorized use or disclosure of the protected information.
  • Require any breach or use of the information not outlined in the contract be reported to the covered entity.
  • Require that the business associate destroy or return any protected health information (PHI) it received from the covered entity at the termination of the contract.
  • Any internal practices or materials relating to the use and disclosure of PHI must be made available to the HHS by the business associate to determine the compliance of the covered entity.
  • Any subcontractors that the business associate may use that will have access to the PHI must agree to the same conditions as the business associate.
  • If the business associate violates a material term of the contract, the contract may be terminated by the covered entity.

Business associates are subject to civil and/or criminal penalties if they use or disclose the PHI in any way that is not outlined in a contract. They can also face penalties for failing to safeguard the PHI. It is important that the contract contains those requirements in order to remain compliant with HIPAA. Without a business associate agreement, the covered entity is liable for any improper actions made by the business associate.

If you are not sure if your business associate agreements are up to standards, contact us. Our advisory team is certified to audit HIPAA compliance in order to find any vulnerabilities. We take 100% accountability for the results of our audits.