A BAA is a Business Associate Agreement: a legal contract between a healthcare provider (or other covered entity) and a contractor that handles Protected Health Information (PHI) on its behalf. The agreement governs how that PHI may be used, disclosed and safeguarded in the course of their business relationship.
This section covers what a Business Associate Agreement contains, who the parties to it are, why it is required, when it applies, and what its contents should be, based on the most recent Business Associate Agreement template.
Several provisions of HIPAA refer to a Business Associate Contract rather than a Business Associate Agreement, which can cause some confusion. There is no difference between the two: the terms are interchangeable.
The BAC or BAA legally binds the two parties and allocates liability between them under the HIPAA framework. Because it is legally binding, a violation of the contract gives the injured party grounds for legal action against the offending party. The contract also clarifies the terms of the relationship and each party's obligations under the HIPAA Privacy, Security and Breach Notification Rules.
Without such a contract, a covered entity that shares PHI with a contractor is itself in violation of HIPAA, and a breach involving that PHI is likely to expose both parties to legal consequences.
Business associates are entities that receive Protected Health Information from a covered entity. When healthcare providers hire third parties, some of the work those parties perform will inevitably involve PHI.
If a business associate delegates work to another entity in a way that gives that entity access to PHI, the second entity is a subcontractor business associate, and the same standards that apply to business associates apply to it.
Conversely, if a subcontractor never receives PHI and never comes into contact with it in any form, no BAA with that subcontractor is required.
In short, any contractor that comes into contact with PHI must sign a BAA, comply with the terms it sets out, and accept liability under the regulations that HIPAA imposes.
Officially, covered entities are organizations that provide goods and services related to medical treatment. They routinely collect information about an individual's health and are responsible for the appropriate disclosure of Protected Health Information.
As noted above, business associates are entities that handle PHI because they do business with a covered entity. HIPAA requires any business that has access to PHI in this way to sign a BAA.
Some of the examples that fall under business associates are:
Business associate subcontractors are third parties that help business associates carry out their functions. They are also required to sign a BAA if they receive, maintain, or transmit Protected Health Information. Some common business associate subcontractors are:
Employees of a healthcare provider are part of the provider's own workforce and are covered by its HIPAA compliance program. They are therefore not business associates and are not required to sign a Business Associate Agreement.
Instead, separate requirements apply, such as HIPAA training and certification for direct employees, trainees, volunteers and others under the direct control of the healthcare provider or company. Such training is often available from companies that offer HIPAA training packages, such as MP1 Solution.
Protected Health Information is now largely electronic, and electronic records spread easily. They contain private details about patients that can affect their lives, employment and identities. The more entities that handle PHI, the greater the chance that it falls into the wrong hands. The BAA therefore not only provides legal recourse for a breach of privacy, but also lets regulators trace how PHI circulates between organizations.
Furthermore, in the absence of a BAA, liability for a contractor's breach may fall on the healthcare provider, because responsibility becomes harder to assign. That can mean very large sums in damages and penalties.
As noted, BAAs exist in part to make liability easy to track. Once a BAA is signed, the healthcare provider is generally not liable for a breach by the business associate, because the contract makes each signatory responsible for how it handles the PHI in its possession.
The main exception is when it can be shown that the provider knew of the business associate's breach or non-compliant practice and failed to act, either by taking reasonable steps to cure the problem and mitigate the damage or by terminating the arrangement.
</gra_replace>
<gr_replace lines="20" cat="clarify" orig="Though the contract is">
Although the contract itself is fairly long, the Department of Health and Human Services (HHS) has summarized the key components of a BAA, and none of them should ever be omitted from a Business Associate Agreement.
Though the contract is a little long, the Health and Human Services or the HHS summarized what are the key components of a BAA and under no circumstances should these sets of information be omitted from a Business Associate Agreement.
Other provisions that may be included in a BAA are:
A BAA is usually either a standalone contract or a set of provisions included in another agreement, such as a data security agreement or terms of service. What matters is that the required provisions are present and that the business associate and the covered entity identify their relationship to each other.
Some BAAs include specifics about breaches, such as how and when they must be reported. The most common modification is to the reporting window, since HIPAA already requires breach notification within a set period. Some covered entities want to handle these incidents faster and require a reporting window shorter than the 60 days HIPAA allows.
The wording of many contracts is ambiguous here, because there is a difference between the date a breach occurs and the date it is discovered.
Drafting and following these agreements can be tricky. The safest way to express a modified reporting window is to state the number of days an entity has after it discovers a breach, rather than counting from when an undiscovered breach should have been discovered.
This is why the usual provision requires an entity to report a breach within a certain number of days after its discovery.
The short answer is that the contract should be drafted so that liability is not shared. Each party's liability should be separate and should extend only to protecting the PHI that party holds. Otherwise, if one party breaches the BAA, the other can be held legally liable for a breach it had nothing to do with and carry part of the resulting penalties.
In recent years, several cloud service providers, whose services run primarily over the internet, have tried to avoid HIPAA compliance. Their arguments have turned on the lack of direct exposure to the data, citing the so-called "janitor" and "conduit" exceptions. These perceived loopholes are closed by the HIPAA definition of a business associate, which covers any entity that "creates, receives, maintains, or transmits" PHI on behalf of a covered entity, whether or not it actually views the data.
In 2020, HHS issued a "Notification of Enforcement Discretion" that relaxed the permitted uses and disclosures of Protected Health Information. It was issued because healthcare facilities and the bodies involved in mitigating and treating COVID-19 urgently needed access to COVID-19-related health data. That data was needed to inform evolving policy and guidance on how local governments and healthcare systems should respond to COVID-19.
This does not mean, however, that the enforcement discretion licenses irresponsible use or disclosure of Protected Health Information.
The HHS stated that it, “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.”
HHS also set out the following conditions, all of which must be met before the enforcement discretion applies.