What is a Business Associate Agreement or a Downstream BAA?

Both Covered Entities and Business Associates share a dual responsibility to protect healthcare information and data. 

What is a business associate agreement (BAA)? 

A HIPAA business associate agreement is a legal contract between business associates and a covered entity or other business associates. These contracts are entered when an organization needs access to Protected Health Information (PHI). 

First, the differences between covered entities (CE) and business associates (BA):

What is a covered entity?

• Health Plan:  health insurance company 
• Healthcare Clearinghouse:  data aggregation companies that take data from a nonstandard format and convert it into a standard format 
• Healthcare providers:  physicians, pharmacies, homeopathic providers, prosthetic/orthotic providers

What is a business associate? or a Downstream Entity?

• A business associate creates, receives, maintains, or transmits protected health information (PHI) from or on behalf of a covered entity.
• “Downstream” entities, i.e., subcontractors of business associates who may deal with patient data, are also technically considered business associates. They have the same liabilities as a BA, and the BA to which they're subcontracted is responsible for the management of their agreement.  
• There are exceptions: 
• 
  
  • The transfer of data between two covered entities, each acting in their primary role as a covered entity (for instance, with provider referrals or insurance claims) is not considered a business associate relationship.
  •  Law enforcement and government agencies may request PHI, but they are not considered business associates.

What's Required in a BAA?

Most covered entities use a business associate agreement template, which is fine and even recommended. Above is a sample BAA Contract in a Word/RTF format for you to download and use.  

The required elements of a BAA are the following:

• Reporting obligations: Business Associate's responsibility to notify Covered Entity of impermissible disclosures, which could include a data breach incident 
• Permissible and required disclosures: what the business associate can and can't do with the data, as well as what they're required to do with the data
• Reference to “downstream” subcontractors: ensure that they are responsible to abide by the same terms as the BAs
• BA's duty to safeguard the data: with reference to the security rule 
• Termination clause: A covered entity must be able to terminate the contract for violation of terms, and in the event of termination, the business associate must return or destroy the data  

 Elements that aren't legally required but are still good to have:

• A “right to audit” clause: gives the covered entity right to monitor the business associate's compliance with BAA
• Indemnification clause: each party will take respective responsibility for any financial harm caused
• Expiration dates: if you don't regularly review your BAAs, they may have expiration dates of which you're unaware. This puts them at risk of becoming invalid. Does HIPAA require expiration dates on business associate agreements? No. The agreements can be in force indefinitely. However, it's crucial that you check on them periodically, so expiration dates are a great way to force the action of review.