The What, When, & Why of Business Associate Agreements Under HIPAA

It can be confusing for those in the health industry to determine when a Business Associate Agreement (“BAA”) is necessary under Health Insurance Portability and Accountability Act (“HIPAA”). With that determination made, it can be difficult to decide what should be included in such an agreement. This post seeks to introduce the concept of the BAA and provide some basic guidance. As a starting point, it is important to know what is a “covered entity.” The term is defined in the HIPAA regulations at 45 C.F.R. §160.103 as a health plan, a health care clearinghouse or “a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” If you are asking yourself what transactions are covered by which subchapter, a common example is electronic billing for services rendered.

Starting this post with the definition of covered entity is important because covered entities are held to a higher standard (e.g., the Privacy Rule under HIPAA applies to covered entities). BAA’s enter the scene because covered entities do not work alone. Recognizing this, 45 C.F.R. §164.308(b)(1) allows a covered entity to grant permission to a non-covered entity (i.e., a business associate) to “create, receive, maintain, or transmit” protected health information (“PHI”) on the covered entity’s behalf. 45 C.F.R. §164.308(b)(2) grants that same right to business associates working with subcontracted business associates.

Such permission must be subject to safeguards given that the business associate is not, by definition, a covered entity subject to a higher standard. Think of the BAA as a document that pulls the non-covered entity up nearer to the standard that the covered entity must meet. It formalizes the administrative safeguards that address concerns about PHI. It does this pursuant to 45 C.F.R. §164.308(b)(3) which requires the covered entity or subcontracting business associate to place these safeguards and assurances into a written contract.

When preparing this written contract, the parties need not start from scratch. The U.S. Department of Health & Human Services has very helpfully published BAA provisions here. While the provisions are customizable and include some optional language, they provide a framework for what the BAA should include.

In summary:

What? A contract that sets forth safeguards related to the handling of PHI by non-covered entities.

When? Whenever a covered entity contracts with a business associate or a business associate subcontracts with another business associate to create, receive, maintain, or transmit PHI.

Why? Because HIPAA says so. Here is an example of what happens if you don’t listen.