What Is A HIPAA Business Associate Agreement?

The HIPAA Business Associate Agreement (BAA) was constructed under the  U.S. Health Insurance Portability and Accountability Act of 1996. The HIPAA BAA will be a contract between the HIPAA covered entity and a Business Associate (BA). This contract was established to protect personal health information (PHI) in accordance with HIPAA guidelines.

The rules of HIPAA required covered entities and BAs to enter into these contracts to ensure and properly protect all health information.  Under HIPAA Rules, Business Associates are directly liable to civil, and sometimes criminal penalties, for disclosures of PHI that are not directly authorized by its contact. The BA is also liable for failing to protect electronic PHI, under HIPAA Security Rule.

Are You A Covered Entity?

Covered entities are defined by the HIPAA guidelines as any person or persons who electronically transmit any type of health information. These apply to:

• Health plans;
• Healthcare clearinghouses;
• Healthcare providers.

Who Is Not A Business Associate?

Business Associates are defined as a person, entity, or organization that is working with or providing needed services to covered entities who handle or disclose PHI or Personal Health Records (PHR). Along with persons and organizations, BAs may also be;

• Subcontractors that create/receive/maintain/transmit protected PHI;

Who Is Not A Business Associate?

Many people within the health and wellness industry do not fall under Business Associate standards, so it’s important to know the difference. Individuals who are not Business Associates are;

• Health care centers general workforce – Employees, faculty, residents, students;
• Employees providing treatment;
• Health center labs;
• People or organizations that have little to no exposure to health care information – telephone companies, internet providers, etc.;
• Companies that act as a 3rd party channel for PHIs like USPS, UPS, Fedex, etc..

Still Confused?

If you are still unsure if your establishment requires a BAA or not, we have 2 simple questions for you to answer.

• Is your Health Center (employer) releasing/disclosing Personal Health Information (PHI)?
• Does the receiver (recipient) of this PHI provide a service to/on behalf of your Health Center?

If you answered yes to both of these questions, you have a relationship that requires a BAA.

Worst Case Scenario

Hopefully, this can be avoided, but in the situation where your Business Associate doesn’t sign a BAA, there are needed measures that have to be taken. If your BA will not sign, this means they are not HIPAA compliant and PHI and PHR are not secure. By law, you will be required to notify the Secretary of Health & Human Services (HSS). Neglecting to obtain the needed and proper BAA from a BA is a serious situation, and should never be ignored.