The HIPAA business associate agreement (BAA) lays out your business associate’s obligations to protect your data. The previous blog gave an overview of BAAs. Let’s hone in on six important BAA provisions:
- Permissible uses and disclosures of protected health information (PHI) – REQUIRED
- HIPAA Security Rule compliance – REQUIRED
- Audit rights – OPTIONAL
- Termination procedures – REQUIRED
- The indemnification clause – OPTIONAL
- Subcontractors under a business associate – REQUIRED
But first, get caught up on our blogs about HIPAA-compliant vendor management:
How to Know if Your Vendor is a Business Associate Under HIPAA (Decision Tree Included)
How Should I Conduct Due Diligence for Vendors and Business Associates?
Address These 6 Things in Your Vendor Contract to Reduce Risk
7 Quick Facts About HIPAA Business Associate Agreements
1. Permissible Uses and Disclosures of PHI
What will you consider a permissible or impermissible use or disclosure of PHI? This depends on the service you hired the vendor for. You’ll specify these responsibilities in your BAA. Any use or disclosure outside of what you specify is a privacy breach.
45,000 Rush patients had their information #breached after a vendor improperly disclosed a file containing #PHI. It’s important for #healthcare organizations to properly implement Business Associate Agreements #BAAshttps://t.co/c5wGycfvk6
— HIPAAtrek (@hipaatrek) May 13, 2019
Example: Some BAs, like cloud service providers, only maintain your ePHI and never use or disclose it. Other BAs maintain medical records yet must be able to disclose them. For example, they may disclose PHI to amend a medical record or provide patient copies. Though both are still BAs, their need to use and disclose your PHI are very different.
2. HIPAA Security Rule Compliance
Oftentimes, BAs focus on deliverables and fail to discuss security or compliance with the hiring covered entity. Don’t let the focus shift solely to deliverables in your vendor relationship.
In fact, HIPAA now requires all BAs to meet applicable HIPAA security standards and implementation specifications. Therefore, you must require your BA to:
- Put in place reasonable safeguards to secure your PHI (this goes beyond simply encrypting PHI)
- Complete a security risk analysis and provide evidence of it (you may require them to complete a risk assessment every year and report the findings to you)
Your BA is liable under the HIPAA rules. Any impermissible use or disclosure of PHI – or failure to secure PHI – could result in civil and criminal penalties. Your organization also stands to lose a lot if your vendors breach your data. Therefore, prioritizing security is a win-win for both you and your BA.
HIPAA security compliance with your business associates isn’t a “set it and forget it” event. Make security a top priority in your ongoing communication with your BA. Remember, vendors are an extension of your own organization.
READ MORE: 5 Key Questions About HIPAA Violations, Fines, and Penalties
Business Associate Breach Notification Requirements
Breaches at the hands of business associates are all too common. Bank Info Security found some alarming trends in what causes healthcare breaches:
“So far in 2019, business associates were reported to be involved in more than a quarter of the major health data breaches added to the federal tally. Those 27 incidents reported as involving BAs so far in 2019 impacted a total of nearly 690,000 individuals, according to the HHS site.”
If your BA causes a breach, the HIPAA breach notification rule requires them to notify your organization no later than 60 days after discovering the breach. However, in your BAA, you can impose a shorter notification timeframe. Your BAA must clearly identify when the BA should notify you of security incidents that compromise your PHI. The sooner the better.
State law. Furthermore, State laws may require you to notify the individual affected by the breach sooner than federal law. For example, some States require breach notification within 15 or 30 days. If your BA notified you on the 60th day, you would be late. Check with your State law and base your notification timeframe on that (preferably as short as possible).
READ MORE: HIPAA Breach Notification: Who, When, and How
3. Audit Rights
Many covered entities choose to establish audit rights in their BAA. This means that you retain the right to conduct an annual or biannual HIPAA compliance audit of your business associate. The purpose of ongoing audits is to make sure your BA is complying with HIPAA and fulfilling its obligations. Compliance audits may be especially useful in new vendor relationships. However, they are not required.
You can either conduct the audit internally, employ a third-party vendor that specializes in compliance audits, or require your BA to employ a vendor. You will need to negotiate audit rights and specify the arrangement in your BAA.
4. Termination Procedures
In your BAA, you must also clarify termination procedures, including:
Data transfer. What should your BA do with your PHI once the contract period is over?
- The BA should return all the PHI that it received or created on behalf of your organization.
- If this isn’t possible, the BA must destroy all PHI and give you a letter that attests to the destruction.
- If the BA can’t return or destroy the PHI, they must extend the BAA’s protections and stop any further use or disclosure of PHI.
Unacceptable performance. According to Phillips and Sanchez in their Health Care Compliance Association presentation on vendor oversight, the BAA should also document your expectations about confidentiality, audit rights, and contract termination in the event that the vendor’s performance is unacceptable.
Breach of contract. If your BA breaches the contract or violates their obligations under the contract, you must cure the breach or end the violation. If you’re unsuccessful, your organization must end the contract, if feasible.
5. The Indemnification Clause
In an indemnification clause, the indemnifying party (the BA) commits to cover your organization’s obligations should the BA’s actions lead to damages. You aren’t required to have an indemnification clause in your BAA. However, some organizations include this clause to protect themselves from losses caused by the BA’s failure to comply with HIPAA. As you negotiate your BAA, you should consult with a lawyer on whether to include the indemnification clause.
6. Subcontractors Under a Business Associate
We touched on subcontractors in a previous blog, but it’s worth restating: you are not responsible for your BA’s downstream subcontractors. You should not enter a BAA with a subcontractor, even if they have access to your PHI.
However, your business associate must sign a BAA with their subcontractors. Require your BA to get assurances from their subcontractors that handle your PHI (like how you get assurances from your BA). The subcontractor must agree to the same restrictions that the BA has agreed to.
Keep in mind that subcontractors are liable for breaches that they cause in the same way that BAs are liable for their breaches.
Need Help? Grab Our BA Decision Tree!
A quick & easy cheatsheet to help you determine whether a vendor is a Business Associate under HIPAA.
A Final Word on Vendor and Contract Management
The business associate agreement is an important part of HIPAA-compliant vendor management. Effective vendor and contract management will help you reduce operating costs and risks, stay compliant, and develop quality vendor relationships.
However, many healthcare organizations manage hundreds of contracts. It’s not enough to rely on binders and manual workflows. In fact, according to a Journal of Contract Management study, 70% of companies can’t find 10% or more of their signed contracts.
Business associate management doesn’t have to be a juggling act. Create, negotiate, and sign your BAAs from the HIPAAtrek platform. In our platform, you can have peace of mind knowing you didn’t miss any steps with your vendors.
Keep an eye out for HIPAAtrek’s NEW Contract Management Module. This module simplifies and streamlines contract management with a fully customizable workflow. Manage your contracts from negotiation to termination with custom stages, so you will always know where your vendor contracts stand. Contact us to learn more about this up-and-coming feature or request a demo of HIPAAtrek today.
The goal of this five-part series is to show healthcare CEOs and CFOs that effective, HIPAA-compliant vendor management is vital to the finances, performance, and reputation of their organizations. Furthermore, healthcare organizations will see a positive ROI when they foster successful vendor relationships that yield high-quality, secure services.