Editorial: The Complicated Nature of BAA Compliance

When a HIPAA covered entity contracts a service from a third party – or engages a third party to provide a service on the covered entity’s behalf – and the service involves the disclosure of Protected Health Information (PHI), the two parties must enter into a Business Associate Agreement (BAA). However, deciding what should be in a Business Associate Agreement, and ensuring the terms of the agreement are complied with, can be complicated.

In the healthcare industry, the term BAA compliance refers to a third party service provider (the “business associate”) complying with the terms of a Business Associate Agreement entered into with a covered entity. While, in theory, BAA compliance should be straightforward, this is not always the case – and sometimes, noncompliance is not the fault of the business associate.

This article aims to help you – a covered entity – understand how to engage with business associates in a HIPAA compliant way, and what needs to be in your HIPAA Business Associate Agreement. You can use this guide in conjunction with our HIPAA Compliance Checklist for Business Associates.

The HIPAA Administrative Simplification Regulations apply to health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted standards (i.e., the transactions covered in 45 CFR Part 162).

Many healthcare providers that qualify as “covered entities” are unable to manage every activity or function in-house and often subcontract some activities to third-party persons or organizations. When these activities involve the creation, receipt, storage, or transmission of PHI, third-party persons or organizations are classified as business associates.

Covered entities are required to protect the privacy of individually identifiable health information, ensure the confidentiality, integrity, and availability of electronic PHI, and notify affected individuals and HHS’ Office for Civil Rights in the event of a breach of unsecured PHI – its exposure to, or unauthorized access by, a person not permitted to have it. When PHI is disclosed to a business associate, the business associate assumes compliance requirements of its own concerning the PHI it receives, creates, maintains, or transmits.

Business Associates’ Compliance Requirements

Any third party or organization acting as a business associate of a covered entity is automatically required to comply with the HIPAA Security and Breach Notification Rules. Other compliance requirements are determined by the nature of the service being provided by the business associate for or on behalf of the covered entity.

For example, if a business associate is providing billing or claims management services for a covered entity, the business associate is required to comply with the transaction, code set, and operating rules of Part 162. If the business associate is providing outsourced medical services, the business associate is required to comply with certain Privacy Rule standards.

When a business associate is required to comply with certain Privacy Rule standards, these should be noted in the Business Associate Agreement – along with any restrictions on uses and disclosures that would normally be allowed by the Privacy Rule but are limited due to the content of the covered entity’s Notice of Privacy Practices or because one or more individuals have exercised the right to request privacy protections for PHI under §164.522 of the Privacy Rule.

The HIPAA Business Associate Agreement (BAA)

The HIPAA Business Associate Agreement (BAA) is a contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI by the business associate. The BAA must stipulate that uses and disclosures beyond those included in the BAA are not permitted, and must authorize the covered entity to terminate the BAA if the business associate violates a material term of it. Other clauses in the BAA should cover:

  • Making PHI available to individuals exercising their rights of access and amendment, and when requesting an accounting of disclosures.
  • Disclosures required by state or federal law, including (if applicable) to report child abuse or comply with “duty to warn” regulations.
  • Business associate contracts with subcontractors when secondary services are required for the business associate to perform an activity.
  • The reporting of disclosures of PHI not permitted by the BAA and other security incidents – in addition to reporting breaches of unsecured PHI.
  • The term of the BAA (if applicable), the grounds on which it may be terminated before the end of that term – for example, a failure of BAA compliance – and the obligations of the business associate when the contract is terminated or expires.
  • Making internal practices, books, and records available to the Secretary of HHS for determining compliance with the HIPAA Rules.

In most cases, BAAs are prepared by covered entities according to the services subcontracted to the business associate, but there are times when a covered entity must agree to a business associate’s BAA before it can use the business associate’s services. One of the best examples of this scenario is Microsoft – which refuses to sign covered entities’ BAAs on the grounds that it offers “hyperscale, multi-tenanted services that are standardized for all customers” and cannot offer non-standard services for one or two customers.

Why BAA Compliance is Not Always Straightforward

It would be reasonable to assume that, if a contract states a business associate must comply with specific requirements to benefit from the covered entity’s business, the business associate would comply with the BAA – but that is not always the case. Some business associates take shortcuts with BAA compliance “to get the job done”, exposing themselves to cyberattacks, breaches due to training failures, and theft of PHI by external actors and malicious insiders.

However, BAA compliance failures are not always the fault of the business associate. HHS guidance implies covered entities need only obtain “satisfactory assurances” that business associates will use PHI for the purposes for which the business associate is engaged before entering into a BAA. There is no legal requirement for a covered entity to conduct due diligence on a business associate to ensure that satisfactory assurances are backed up with policies, safeguards, and procedures.

Additionally, covered entities’ BAAs may not always be entirely complete. Some may omit limitations to uses and disclosures of PHI, fail to insist on adequate training, or not require business associates to provide copies of contracts with subcontractors for review. In such cases, business associates may violate HIPAA through no fault of their own, yet be exposed to sanctions from HHS’ Office for Civil Rights and State Attorneys General – potentially resulting in civil monetary penalties.

What Business Associates Need to Know about BAA Compliance

Since the publication of the HIPAA Final Omnibus Rule, business associates have been liable for HIPAA violations of their own making. Unfortunately, a lack of knowledge is not a defense against a civil monetary penalty and/or costly corrective action plan. Before entering into a BAA with a covered entity, business associates are advised to thoroughly check the content of the BAA; and, if in doubt about their compliance requirements, query the issues with the covered entity and seek professional compliance advice.

Steve Alder, Editor-in-Chief, HIPAA Journal

Author: Steve Alder

Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
