Business Associate Agreements (BAAs) are a particular type of contract, dictated by HIPAA, which outlines the responsibilities of another party you’re doing business with when it comes to Protected Health Information (PHI).
While it may seem straightforward—this HIPAA requirement applies to any third party that handles PHI—there can be some grey area and confusion when it comes to BAAs.
That’s why today, we’re going through seven of the most common questions our clients ask us about BAAs, so you have a resource to refer to (and BAAs explained, finally).
Ready? Let’s take a deep dive into BAAs and learn why they are so critical to HIPAA covered entities of all kinds.
1. What is a Business Associate Agreement?
“A business associate contract, or business associate agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI (protected health information.)” – HealthITSecurity.com
For vendors that create, receive, maintain, or transmit PHI on your organization’s behalf (called business associates), you must have a business associate agreement.
The BAA contract is unique to HIPAA. In it, your BA provides assurances that they will protect the PHI of your patients, and you require your BA to take specific actions and restrict how they may use or disclose PHI.
Keep in mind, even if your vendor can’t actually view the PHI (because it’s encrypted, for example), you are still required to have a BAA with them.
For vendors that do not qualify as a BA, you only need a service level agreement (SLA), but keep in mind that for BAs, you need both a BAA and an SLA.
See the Department of Health and Human Services for a detailed list of what you must include in your business associate agreements.
2. When is a Business Associate Agreement Required?
The purpose of a business associate agreement is to outline your BA’s responsibility to keep your patients’ PHI private and secure. The BAA sets forth the expectations and requirements of both parties, you and the vendor, and, as a contract, it is a legally binding document.
As such, a BAA is required any time you are working with a vendor or contractor who will come into contact with PHI on your organization’s behalf.
Keep in mind, HIPAA requires you to sign the BAA with your business associate before sharing any PHI with them. This will help you avoid a privacy breach, as well as fines and investigations for failing to have a BAA in place.
3. What Happens if I Don’t Have a BAA in Place with a Business Associate?
Don’t “roll the dice” when it comes to HIPAA compliance. If you hire a BA and share your PHI with them without first establishing a BAA, you’ll face serious consequences.
The Department of Health and Human Services Office for Civil Rights (HHS/OCR) can impose hefty fines and corrective action plans if you fail to have a BAA in place with your BAs.
Additionally, if the OCR audits your organization, you must be able to supply your business associate agreements and demonstrate that you’ve conducted due diligence with your BAs.
4. Do Two Covered Entities Need a BAA?
Yes. If you hire another HIPAA-covered organization to create, maintain, receive, or transmit PHI on your organization’s behalf, then they are your business associate. So, you’ll need a BAA with them.
5. Which Business Associate Agreement Should I Use?
Sometimes a business associate has their own BAA. Which should you use, yours or theirs? HIPAA doesn’t specifically say anything about this, but it’s typical for the hiring organization to dictate the terms of an agreement.
For example, you’d use your BAA with your business associate, and the business associate would use their BAA with their subcontractors. However, you will never enter a BAA with your BA’s subcontractors!
Note: Regardless of whose version of the BAA you use, your BA is liable for any breach of PHI that they cause. The same goes for additional subcontractors.
6. Do BAAs Need to be Signed Annually?
No. If your BAA is “evergreen,” it will renew automatically and won’t require a new signature to remain valid. Nevertheless, it’s smart to set a regular review schedule for your BAAs. The purpose of a review is to make sure the BAA stays current with your SLA and state laws.
Once you and your business associate sign the BAA, the signature is valid until there’s a material change to the SLA that makes it necessary to change the BAA. Make sure you and your BA sign and date the BAA and document your reviews.
7. Do Business Associate Agreements Expire?
Your BAA is valid as long as the vendor contract is in effect. However, if there’s a change in the SLA that impacts your BA’s use or disclosure of PHI, you must adjust your BAA to reflect the new uses and disclosures. As stated above, you may also need to change your BAA to conform with changes to the law.
Business associate agreements are the cornerstone of HIPAA-compliant vendor relationships. That’s why it’s critical to be sure you understand the usage and requirements for BAAs under HIPAA.
If you’d like to simplify your BAA process and other contract management, we can help. Using HIPAAtrek’s HIPAA compliance software, you can create, negotiate, and sign BAAs and other contracts, being sure you don’t miss any steps. Plus, automated reminders will let you know when it’s time for a contract review, and version history tracks every change to create an audit-ready compliance trail.
The goal of this five-part series is to show healthcare CEOs and CFOs that effective, HIPAA-compliant vendor management is vital to the finances, performance, and reputation of their organizations. Furthermore, healthcare organizations will see a positive ROI when they foster successful vendor relationships that yield high-quality, secure services.
Want to learn more about vendor management under HIPAA? We’ve also covered:
- How to know if your vendor is a business associate (BA) under HIPAA,
- How to conduct due diligence before contracting with a vendor,
- And six areas to address in your vendor contract.