Everything You Need to Know About BAA

February 4, 2021

Everything You Need to Know About BAA

BAA mp1 solution

Essentially, the BAA is the Business Associate Agreement. This refers to a legal document between a contractor and a healthcare provider which primarily concerns the Protected Health Information that is involved regarding the nature of their transaction.

Everything that comprises the Business Associate Agreement, alongside the people involved in the agreement, why they are necessary, the instances where its applicable, and its contents. This entire section will cover the most recent Business Associate Agreement Template.

What is the difference between a BAA and a BAC?

Several clauses in HIPAA will refer to a Business Associate Contract, which can naturally cause a little bit of confusion. However, there is no actual difference between those two and they are interchangeable.

The BAC or the BAA is an avenue to legally bind two parties and create a liability under the framework of HIPAA between the two of them. Because of its legally binding nature, the violation of the Business Associate Contract can appropriately deploy legal actions against the offending party. This helps clarify terms between these parties as well as their compliance to HIPAA and the FDA.

Without this contract, breach of HIPAA and FDA protocols will likely hold both parties in legal trouble.

How does the contract define a business associate?

Business associates are recipients of Protected Health Information. When healthcare providers hire third parties, sometimes Protected Health Information will inevitably get involved due to certain processes. 

It is also important to note that if these said business associates assign the task that will grant another entity access to Protected Health Information, the said entity falls under the category of subcontractor business associate. In which case, the same standards that are expected out of business associates will apply to subcontractor business associates.

However, companies that do not directly deal with Protected Health Information, in such a way that these sets of information are never disclosed to them and something that they never come into contact with, there is no need for a BAA with that subcontractor. 

In essence, these contractors that come in contact with Protected Health Information must sign the BAA and readily comply and be liable to regulations and terms that are set forth by HIPAA.

Who are the different parties that are usually involved in a BAA?

Covered Entities

Officially, these are organizations that provide goods and services in relation to medical treatment. Hence, they often collect information about an individual’s health and are the ones charged of the responsible disclosure of Protected Health Information.

  • Healthcare providers - doctors, clinics, dentists, nursing homes, pharmacies, etc.
  • Health plan providers - health maintenance organizations, health insurance companies, and federal programs like Medicaid and Medicare
  • Healthcare clearinghouses - those that transfer physical Protected Health Information into electronic data.

Business Associates

As previously mentioned, these are entities that handle Protected Health Information via being in business with a covered entity. Under HIPAA requirement, businesses that have access to Protected Health Information must sign BAAs.

Some of the examples that fall under business associates are:

  • Practice management
  • Medical transcriptionists
  • Law/Accounting firms
  • Medical device manufacturers
  • IT consultants 
  • Shredding companies
  • File sharing vendor
  • Email encryption provider

Business Associate Subcontractor

These are usually third parties that help business associates carry out their functions. Business associate subcontractors are also required to sign a BAA if they are to receive, maintain, or transmit Protected Health Information. Some of the usual business associate subcontractors are:

  • Law/Accounting firms
  • Transcription services
  • Email encryption providers
  • Shredding companies
  • Backup storage

Are employees of healthcare providers considered as business associates?

The employees of healthcare providers are directly part of the company’s compliance towards HIPAA regulations. Given this, there is no requirement for them to sign a Business Associate Agreement as they are not considered business associates. 

Separate regulations such as HIPAA training and certification for direct employees, trainees and volunteers, and others that are under the direct jurisdiction of the healthcare provider/company. These training sessions are often accessible through other companies that offer HIPAA training packages such as MP1 Solution.

Why are BAAs necessary and how does it affect society?

Protected Health Information, due to its more electronic nature in the age of the internet can easily scatter. With it are private information about patients that largely affect their lives, employment, identities, and the like. The more entities handle protected information, the higher the propensity it is to fall into the wrong hands. Hence, the BAA not only enacts legal recourse for breach of privacy, but it also allows for regulatory bodies to easily trace how Protected Health Information circulates.

Furthermore, there is a chance that legal liabilities, at the absence of BAAs would fall on healthcare providers upon a contractor’s breach - given that liability becomes harder to track. This can spell huge amounts of money just to cover damages and penalties.

What happens when a business associate violates the BAA?

As previously mentioned, BAAs are necessary to easily track liability. Hence, upon the signing of BAA, healthcare providers do not become liable for breach. That is because the contract already assumes that each signatory is responsible for how they handle the Protected Health Information that falls into their hands.

However, one instance of healthcare providers sharing liability is if it is proven that the provider was aware of the breach and neglected to act through either attempting to mitigate the damages and solve the problem or through terminating the arrangement.

Creating Business Associate Agreements

What is covered in HIPAA’s BAA?

Though the contract is a little long, the Health and Human Services or the HHS summarized what are the key components of a BAA and under no circumstances should these sets of information be omitted from a Business Associate Agreement.

  • A description of the extent of required/permitted use of the Protected Health Information by the business associate (inclusive of the subcontractors where it applies).
  • A provision within the contract that disallows the use and disclosure of Protected Health Information beyond the extent of permission and requirement that is outlined by the contract.
  • A provision that mandates business associates to deploy necessary safeguards to prevent the undue disclosure and use of Protected Health Information.
  • A requirement that, upon a patients’ request, covered entities and business associates must release Protected Health Information.
  • A requirement to report breaches.
  • A provision that requires business associates to either return or destroy Protected Health Information upon the termination of the BAA.

Other provisions that may be included in a BAA are:

  • More detailed information regarding breach reporting, such as the window by which a signatory should have reported a breach. Currently, HIPAA requires that breaches must be reported within 60 days from when an entity realizes that Protected Health Information has been breached.
  • Variation or adjustment to the default provisions of HIPAA’s usual method of reporting breaches. The current HIPAA regulations mandate that every security incident must be reported by the business associate to covered entities/healthcare providers. Sometimes, contracts would include specific details about this provision.
  • Insurance requirements for when there are breaches, which usually depend on the nature of the relationship between the covered entity and the business associate/subcontractor.

BAAs are usually either a separate contract or included in other agreements such as data security agreements or terms of service agreements. What is important is that the said provisions are outlined, and that business associates and covered entities identify their relationship with each other. 

What happens if there is a breach?

Some BAAs include specifics regarding breaches, such as specifics on how and when to report breaches. The most common modifiers for these contracts include reporting windows as these are required by HIPAA anyway. Certain covered entities though would want to deal with these problems a lot faster and would require a reporting window that is shorter than 60 days. 

Wording in several contracts can be confusing, as there is a difference between the breach happening and discovering that a breach has happened. 

Creating and following these agreements can be tricky and the safest way to verbalize a modification to the traditional reporting window is to disclose the amount of days given to entities after they discover a certain breach as opposed to assuming that an undiscovered breach would have been discovered.

Hence, what is normally found would be provisions that require entities to report a breach within a certain number of days after its discovery.

Are business associates and covered entities each other’s legal agents?

The short answer is that it is advisable to craft the contract in such a way that it is not. Liabilities must be separate from each other and must only exist insofar as protecting the Protected Health Information that an entity is currently holding. Doing so means that without having anything to do with a certain breach, if one of the entities breach the BAA, the other entity will also be held legally liable and therefore carry a part of the burden regarding penalties.

fashionable ppe suit

How has BAA started to change in the modern context?

There are more entities involved due to the digitized age.

From the recent years, several Cloud Based Service Providers or those whose services primarily function through the internet have attempted to skirt compliance towards HIPAA. Arguments that have been used include physical exposure to data as they have cited the Janitor and Conduit clauses. However, these perceived loopholes have been addressed by a clause in BAAs that covers any entity that “creates, transmits, receives, or maintains PHI.”

Fixtures for COVID-19 Period

covid19 new variants 2021

Midyear of 2020, the Health and Human Services released a “Notification of Enforcement Discretion” which laxed the allowable disclosures and uses of Protected Health Information. This was enacted with the urgency that healthcare facilities, as well as bodies that are primarily involved in the mitigation and treatment of COVID-19 need immediate access to COVID-19 related healthcare data. These types or data are needed to inform evolving policies and suggestions as to how local governments and healthcare systems would be able to approach COVID-19.

However, this is not to say that the enforcement discretion is a way to irresponsibly disclose and use Protected Health Information. 

The HHS stated that it, “does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.”

They have also outlined that the following conditions must be achieved before enforcement discretion could be exercised.

  • "the disclosure or use is made in “good faith” for public health activities and health oversight activities; and
  • the business associate informs the covered entity within ten days after the use or disclosure occurs (or commences, with respect to ongoing uses or disclosures).”


linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram