The HIPAA rules require that covered entities (health care providers) and business associates enter into contracts to ensure that the business associates properly safeguard protected health information.
So what, or who, is a business associate? A ‘business associate’ is a person or an organization, other than an employee of a covered entity, who engages in activities on behalf of, or provides services to, a covered entity that involve access by the business associate to protected health information. A ‘business associate’ can also be a subcontractor that originates or transmits and processes protected health information on behalf of another business associate.
Like any good agreement, the BAA starts with a glossary of terms to ensure both parties understand the terminology. Key terms should be included, and they can simply reference the definitions on the HHS.gov site:
- Data Aggregation
- Designated Record Set
- Electronic Health Record
- Health Care Operations
- HITECH Act
- Privacy Rule
- Protected Health Information (PHI)
- Required By Law
- Security Rule
- Subject Matter
- Unsecured Protected Health Information
The next section of the BAA will then outline the obligations of the business associates or partners in the endeavor.
Mutual responsibilities include each business associate notifying the other if they notice any suspicious activity or a breach in security. This section should also answer the following questions:
- Who is responsible for encrypting the PHI data?
- What access rights to the PHI does each party have?
- What PHI data can be disclosed by each party to others?
- What is the disposition of the PHI after the term is completed?
The BAA should also include the term and duration. Without a clearly defined term, it will be unclear when the agreement ends.
Finally, defining the jurisdiction and which locale will handle disagreements or disputes between the business associates is also important.
The business associate agreement doesn’t need to be daunting. You can talk to your attorney, who will charge you a hefty rate for producing a HIPAA agreement, or you can consider buying a boilerplate template from a lawyer who specializes in HIPAA and sells ready-made HIPAA agreements at a far lower price since they sell in volume online. You should always have your attorney review the boilerplate template to ensure it is tailored to meet your particular needs.