When it comes to safeguarding Protected Health Information (PHI), you could say, “It takes a village.” The Omnibus Rule underscores the fact that protecting patients’ health information and their right to privacy is the responsibility today not only of healthcare providers, but also of their business associates (BAs) whose work requires them to access PHI. And the Business Associate Agreements mandated by HIPAA play an important role in that shared responsibility.
Get your free BAA template here! (Not.)
In this post I’d like to offer a handy BAA template that would work for all your business associates, as defined by HIPAA. A template that would make it super easy for you to fulfill HIPAA’s requirement for Business Associate Agreements in a few simple steps: Download. Fill in the blanks. Print. Sign. Date. Done.
I’d like to do that, but to be honest, I can’t. No one can.
The Business Associate Agreements HIPAA requires are binding legal documents that vary depending on the kind of service a business associate provides. One size – sorry to say — doesn’t fit all. The expectations and “must-do’s” spelled out in an agreement with a lab that handles blood-work, for instance, will be quite different from those delineated in a contract with a data-storage company.
What I can do is offer some general guidelines, along with a link to the page on the HHS website that gets into the nitty-gritty of what to consider and include in a Business Associate Agreement.
Basics of a good Business Associate Agreement
According to the government’s Health Resources and Services Administration, a Business Associate Agreement needs to include:
- Describe the permitted and required uses of protected health information by the business associate.
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
- Include that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity.
- Require the business associate ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards.
- Provide that the business associate will report to the covered entity any security incident of which it becomes aware.
- Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
In addition, under the HIPAA Privacy Rule, if a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the covered entity should terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
But wait, there’s more!
With the disclaimer from HHS that reliance on its samples for Business Associate Agreements “may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract,” the Health & Human Services website goes on to provide details of specific issues that need to be addressed in Business Associate Agreements. To go to that page, click here.
The best approach to Business Associate Agreements?
While it may be possible to use the HHS guidelines and take a do-it-yourself approach to drawing up your BAAs, I don’t recommend it. Your best and safest bet is to call on an attorney who specializes in compliance or contract law. The cost of doing that is small compared to the potential penalties for non-compliance. I guarantee that hiring a lawyer for this element of compliance won’t cost you anywhere near what a data-breach by a business-associate-without-a-contract could.