Do I Need a BAA?
As explained in our last post, a health care provider may permit a business associate to create, receive, maintain, or transmit protected health information (PHI) on its behalf only if a HIPAA-compliant business associate agreement (BAA) is in place between them. Likewise, a business associate may allow a subcontractor to create, receive, maintain, or transmit PHI on its behalf only if the two of them have signed a BAA.
Even though business associates are directly liable under HIPAA for their own violations, they are still required to have BAAs in place with the health care providers that share PHI with them.
In addition to this legal mandate, BAAs serve important practical functions for business associates and health care providers. They notify business associates of their status and obligations under HIPAA, define and limit the division of responsibilities between the parties, and set out which uses and disclosures of the PHI the business associate may make. BAAs also create contractual liability and obligations that would not otherwise exist (such as duties of indemnification).
What Must Be Included in My BAA?
If your company needs a BAA, HIPAA requires that it contain a number of specific terms. At a minimum, it must describe the permitted and required uses and disclosures of PHI by the business associate.
The business associate (or subcontractor) must also agree to:
- Comply with HIPAA
- Not use or further disclose the PHI other than as permitted or required by the contract or as required by law
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information
- Make available PHI in accordance with the provision of HIPAA that provides individuals the right to access their PHI in a designated record set
- Make available PHI for amendment and incorporate any amendments to PHI in accordance with the provision of HIPAA that generally provides individuals the right to request their health information be amended if they believe it is inaccurate
- Make available the information required to provide an accounting of disclosures in accordance with the provision of HIPAA that generally provides individuals the right to receive an accounting of disclosures of the PHI made by a health care provider
- To the extent the business associate is to carry out a health care provider’s obligation under HIPAA, comply with the requirements of HIPAA that apply to the health care provider in the performance of such obligation
- Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the health care provider available to the Secretary of Health and Human Services for purposes of determining the health care provider’s compliance with HIPAA
- Report to the health care provider any use or disclosure of PHI not permitted by the contract and any security incident of which it becomes aware, including breaches of unsecured PHI
- Authorize termination of the contract by the health care provider if the provider determines that the business associate has violated a material term of the contract
- At termination of the contract, if feasible, return or destroy all PHI and retain no copies of such PHI or, if such return or destruction is not feasible, extend the protections of the contract to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible
What If I Don’t Need a BAA?
Some service providers, such as janitorial or maintenance companies, could inadvertently or covertly obtain access to PHI even though accessing it is no part of their job. Because such vendors are not business associates, a BAA would not be appropriate under these circumstances, but a confidentiality agreement is a good alternative that affords some protection for the PHI.
For more information about BAAs, please contact Atty. Lora L. Zimmer at McCarty Law LLP.