In the complex world of health information technology, a business associate agreement is one of the most important aspects of maintaining electronic healthcare record security.
Such agreements are formally known as a HIPAA BAA. In full, that stands for the Health Insurance Portability and Accountability Act Business Associate Agreement. HIPAA is the 1996 federal law that covers issues of medical and insurance record privacy.
The HIPAA BAA has become increasingly important as more medical operations adopt health IT, using technology both to manage healthcare information and to transmit it from one source to another.
It is especially important for those working in health IT to understand.
HIPAA BAA Defined
A HIPAA BAA is typically entered into by an outside consultant who provides a service to a medical organization. In many cases, that is an individual or business working in health IT, often performing a service subcontracted out by a healthcare organization such as a hospital or physician clinic.
As defined by the federal government, a business associate is any person or entity that performs healthcare record services for an insured medical provider, but is not a member of the workforce of the covered entity.
These services involve access to healthcare records protected under HIPAA. HIPAA requires that covered entities – a hospital, for instance – enter into a contract with their business associates.
That agreement will clearly define where and how business associates can access protected health information, what information is off limits and how the information will be used.
The goal is to ensure that any business associate uses health information in a secure, safe manner and that patient information is not illegally disclosed or used.
Who Can Be a Business Associate?
Because those who work in health IT often work for a company that contracts with a medical operation, they are often the “business associate” involved with a HIPAA BAA.
Another example could be an attorney working for a healthcare organization and providing services that require access to some healthcare record information.
No matter who the business associate is, they can only have access to protected information to support the healthcare organization in performing its services. To look at it another way, medical operations cannot enter into agreements with business associates who plan to use healthcare information for their own purposes.
Exceptions to the Rule
Some businesses, individuals and government agencies that work with medical operations are exempt from having to enter into a HIPAA BAA.
They include:
- Other medical operations that need to share information for patient treatment (a specialist working with a primary care physician, for example)
- Covered insurance companies that must have patient information to properly perform their job
- Government healthcare plans, such as Medicare, that also need access to patient records
Any business associate not on the covered list will need to, by law, enter into a HIPAA BAA.
Requirements for a HIPAA BAA
Because of the complexities of the HIPAA BAA, many medical operations hire attorneys to help them craft the specific language of the agreement.
However, the federal government is very clear about the main requirements of a HIPAA BAA. They include:
- Clearly establish the permitted uses and disclosures of protected health information
- Ensure that the business associate will not use the information in any way other than what is permitted in the agreement and required by law
- Require the business associate to put safeguards in place to prevent the unauthorized use or disclosure of any protected healthcare record information, including adopting all provisions of the HIPAA Security Rule that cover the use of electronic healthcare records
- Require the business associate to immediately report any use or disclosure of information not provided for in the HIPAA BAA
- Require the business associate to disclose protected health information in accordance with the covered entity’s obligation to provide it when patients request their own health information
- Require the business associate to make its internal practices, books and records available to the federal Department of Health and Human Services (HHS)
- Require that when the contract is terminated, the business associate either return or destroy all protected healthcare information
- Require that any subcontractors hired by the business associate agree to the provisions of the HIPAA BAA
- Allow for termination of the contract if any of its provisions are violated
Any breaches or violations of the contract must be addressed by the covered entity, i.e. the healthcare organization. This includes ending the violation, terminating the contract if necessary, and notifying the federal Department of Health and Human Services.
The HIPAA BAA, while complicated, is something all involved with health IT should know well. It governs a critical issue: the security of private healthcare records.