Critical Elements of a BAA

What must be included in a BAA?

A Business Associate Agreement (BAA) is a critical document that ensures compliance with the Health Insurance Portability and Accountability Act (HIPAA). Under 45 CFR 164.504(e), a BAA must include several mandatory elements. Firstly, it must clearly establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate. The agreement should stipulate that the business associate will not use or disclose PHI beyond what is permitted by the contract or by law. Additionally, the business associate must implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including compliance with the HIPAA Security Rule for electronic PHI.

Secondly, the BAA must require the business associate to report any unauthorized use or disclosure of PHI, including breaches of unsecured PHI. This ensures that any incidents are promptly addressed and mitigated. The business associate is also obligated to disclose PHI as specified in the contract to satisfy the covered entity's obligations regarding individuals' requests for their PHI, making PHI available for amendments, and providing accountings of disclosures. Furthermore, if the business associate is performing any of the covered entity's obligations under the HIPAA Privacy Rule, the agreement must ensure that the business associate complies with the applicable requirements.

The BAA must also grant the U.S. Department of Health and Human Services (HHS) access to the business associate's internal practices, books, and records related to the use and disclosure of PHI. This access is necessary for HHS to determine the covered entity's compliance with the HIPAA Privacy Rule. Upon termination of the contract, if feasible, the business associate must return or destroy all PHI received from or created on behalf of the covered entity. Moreover, the BAA must ensure that any subcontractors engaged by the business associate who will have access to PHI agree to the same restrictions and conditions that apply to the business associate.

The elements above are mandatory, but several further provisions, though not required by HIPAA, are often worth including in a BAA. Indemnification clauses can protect the parties from liabilities arising from breaches or non-compliance. Provisions for injunctive relief can offer a remedy in the event of an unauthorized disclosure. Terms addressing compliance with other relevant federal and state privacy laws, such as the Part 2 Privacy Rule and the Cures Act information blocking provisions, can add clarity and more comprehensive protection.

Mandatory Elements of a Business Associate Agreement (BAA)

  • Permitted and Required Uses and Disclosures of PHI:
    • Clearly establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate.
    • Ensure the business associate will not use or disclose PHI beyond what is permitted by the contract or by law.
  • Safeguards for PHI:
    • Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.
    • Ensure compliance with the HIPAA Security Rule for electronic PHI.
  • Reporting Obligations:
    • Mandate that the business associate report any unauthorized use or disclosure of PHI, including breaches of unsecured PHI.
    • Require the business associate to disclose PHI as specified in the contract to satisfy the covered entity's obligations regarding individuals' requests for their PHI.
    • Ensure the availability of PHI for amendments and provide accountings of disclosures.
  • Compliance with Privacy Rule Obligations:
    • If the business associate is performing any of the covered entity's obligations under the HIPAA Privacy Rule, ensure compliance with the applicable requirements.
  • Access for HHS:
    • Grant the U.S. Department of Health and Human Services (HHS) access to the business associate's internal practices, books, and records related to the use and disclosure of PHI for compliance verification.
  • Return or Destruction of PHI:
    • Upon termination of the contract, if feasible, require the business associate to return or destroy all PHI received from or created on behalf of the covered entity.
  • Subcontractor Compliance:
    • Ensure that any subcontractors engaged by the business associate who will have access to PHI agree to the same restrictions and conditions that apply to the business associate.

Additional Provisions That Are Beneficial to Include

  • Indemnification Clauses:
    • Protect parties from liabilities arising from breaches or non-compliance.
  • Provisions for Injunctive Relief:
    • Offer remedies in case of unauthorized disclosures.
  • Compliance with Other Privacy Laws:
    • Include terms that address compliance with other relevant federal and state privacy laws, such as the Part 2 Privacy Rule and the Cures Act information blocking provisions.

These additional elements, while not mandated by HIPAA, enhance the robustness and effectiveness of the BAA in safeguarding PHI and ensuring compliance.

Key Considerations for Parties When Negotiating BAAs

  • Noncompliant and Nonexistent Agreements:
    • Despite clear regulations under 45 CFR 164.314(a) and 164.502(e), many parties fail to comply with the basic requirements for BAAs.
    • Standard confidentiality agreements or nondisclosure agreements are not substitutes for BAAs.
    • Failure to execute a BAA can lead to significant fines for HIPAA violations, including impermissible disclosures of PHI.
  • Outdated Agreements:
    • BAAs must be updated to reflect changes in HIPAA regulations.
    • Agreements predating 2013 may not address the HITECH Act omnibus rule or current operational risks.
    • Continuous updates are necessary to maintain compliance with new laws and regulations.
  • Restrictive Agreements:
    • BAAs may include provisions beyond the required elements, potentially imposing overly restrictive conditions on business associates.
    • The permitted conduct section should allow sufficient permissions for the business associate to perform its services without violating HIPAA.
    • Ensure the BAA includes permissions for the business associate's own proper management and administration and to fulfill its legal responsibilities.
  • Unclear Reporting Obligations:
    • Some BAAs transfer the responsibility of reporting breaches to the business associate, who may not be ideally positioned to handle such notifications.
    • Confirm and understand these obligations and ensure the necessary infrastructure is in place.
    • The OCR has made it clear that the covered entity is ultimately responsible for ensuring that notice is provided in compliance with breach notification regulations.
  • Unrealistic Reporting Times:
    • Immediate reporting of security incidents may not always be feasible, especially for business associates working with external parties.
    • BAAs should include reasonable timelines for incident reporting to avoid breaches of the agreement.
    • While timely reporting is necessary for the covered entity to assess breaches and provide required notifications, business associates should negotiate realistic reporting timeframes up front.

Including these considerations in the negotiation process ensures that BAAs are not only compliant with HIPAA but are also practical and effective in protecting PHI and managing privacy risks.

Address

Office Location
401 E. Las Olas Blvd.
Suite 1400
Fort Lauderdale, FL 33301
Call or Text: 954-634-2370
Office: 954-634-2370
Email: [email protected]

Mailing Address
6100 SW 6 Street
Plantation, FL 33317