Business Associate Agreement (BAA) Basics
When do you need a business associate agreement? Are there situations in which you should decline to enter into one? Learn what it means when you sign on the dotted line.
Health care practitioners preach that “an ounce of prevention is worth a pound of cure.” When it comes to the security of personal information, we believe that an ounce of legal analysis is worth a pound of immunity! Let’s talk about the important role of business associate agreements (BAAs), a required element of many business arrangements that involve the exchange of protected health information.
What is a business associate agreement?
A BAA is a contract between a HIPAA covered entity (or an existing business associate) and a vendor, contractor, or subcontractor that will create, receive, maintain, or transmit protected health information (PHI) on its behalf. It spells out how both parties will safeguard that PHI and what each must do when something goes wrong. For example, you’ll often see BAAs between medical records companies and medical practices detailing how the medical records company will protect the practice’s data.
See our related video, “Business Associate Agreements in Healthcare.”
I’ve been asked to sign a BAA. Should I?
Many providers routinely sign BAAs without hesitation. In many circumstances, signing may be advisable, depending on your services. However, business associate agreements are binding contracts that establish particular standards, rights, and duties upon those who sign them. Thus, the decision of whether to sign a BAA requires careful thought.
When assessing whether you should sign it on behalf of your entity (not in your personal capacity), consider the following questions:
- Are my activities subject to HIPAA?
- Is a BAA required under the proposed business arrangement? Specifically, will PHI be exchanged, created, received, or maintained as part of the services rendered?
- Is my entity HIPAA-compliant (or prepared to be)?
For comprehensive answers to the above questions, gather input from an attorney knowledgeable about the federal privacy rules. Generally, whether your activities are subject to HIPAA depends on whether you qualify as a covered entity or a business associate and on what information the parties exchange.
Because violations of the HIPAA rules can lead to stiff civil penalties (annual penalty caps start at $25,000 for even the lowest tier of culpability and rise into the millions for willful neglect) and threaten your business’ reputation, do not be cavalier about this assessment!
The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces the federal privacy and security standards. OCR is always available to patients who want to report concerns about your privacy and security practices. In other words, filing a complaint is easy: patients can submit one by phone call or a brief email, and OCR can refer a complaint to the Department of Justice to consider criminal action. OCR’s investigations have included small provider offices and, as of 2022, had resulted in the collection of over $131 million in settlements and civil money penalties.
Legal exposure under HIPAA falls into many categories. In the context of BAAs, common issues are the impermissible use or disclosure of PHI, the failure to notify (and mitigate) a breach, and the failure to have proper safeguards over the data exchanged.
Does my attorney need to read my BAA before I sign it?
It is best to have an attorney review your BAA (and any contract) before you sign it. While the Department of Health and Human Services publishes sample BAA provisions, every arrangement is different. A healthcare attorney’s eye will confirm that the language is indeed compliant with the law and ensure that the other party has not inserted terms outside the scope of a business associate agreement (for example, indemnification or data-use rights that go beyond what the services require).
As explained above, a BAA is a binding contract. Therefore, if you violate a provision of the agreement, either as a business associate or as a covered entity, you have exposure to a civil cause of action for a breach of contract.
If I sign a BAA, does that mean I now have to follow HIPAA?
In short, yes. This makes a BAA unique among contracts: the agreement incorporates extensive federal requirements by reference. Keep in mind, too, that a business associate is directly liable under the HIPAA Security Rule and certain Privacy Rule provisions by operation of law, regardless of what the contract says; the BAA adds contractual duties on top of that statutory exposure. As such, the above assessment is critically important to your business.
What happens if you sign a business associate agreement but fail to make the necessary updates to your business policies? For example, say that you don’t adopt procedures that safeguard the data, do not train your staff on the importance of securing PHI, and fail to follow the “minimum necessary” standards. If you don’t execute the policies laid out in your BAA, your risk compounds.
Moreover, the legal exposure extends to both the business associate and the covered entity. For example, if a business associate learns that its server was compromised, the event (likely a security incident, and possibly a breach of unsecured PHI) triggers a chain reaction in the relationship. A BAA requires the business associate to promptly notify the covered entity of the incident, typically within a set number of days. Depending on the scope of the access, the covered entity may then need to notify the affected individuals and HHS, and in larger breaches the media as well. These obligations are substantial and serious.
Do I need to sign or give a BAA in all situations?
It is a best practice to first engage in the above assessment to determine whether the arrangement requires you to offer or sign a BAA. There are situations that do not require a BAA. Generally speaking, if a contractor will not receive any PHI under the services, a BAA is not necessary.
For example, perhaps you want to hire a marketing agency to review your public-facing marketing materials. Most likely, those services would not require a BAA. However, suppose the marketing company wants to collect patient testimonials as part of a new campaign. HIPAA could apply, and thus the arrangement would warrant a BAA.
Other situations that don’t require a BAA include standard payment-processing transactions with a bank and disclosures by a covered entity to a health care provider for the treatment of a patient. Put differently, the law considers that there are already satisfactory assurances in those relationships (such as between a physician and a hospital treating the same patient), so a business associate agreement isn’t required in those narrow circumstances.
Provide a BAA as part of your contract negotiations. Incorporating the BAA into the service agreement will ensure all parties know the conditions of the arrangement early on.
It is worth noting that even if you conclude that a prospective business arrangement does not fall within HIPAA’s scope, both parties can still agree to privacy and security terms that safeguard the information. That extra ounce of prevention can go a long way toward limiting your liability if the data is later mishandled.
Get legal support.
Most healthcare businesses and practices that handle PHI will probably need to enter into business associate agreements. And to become HIPAA-compliant, all covered entities must create written policies that govern their handling of PHI.
Fortunately, an experienced healthcare attorney can help you lay the proper foundation for HIPAA compliance, customized to your unique organization. If you operate in one of the states where Jackson LLP Healthcare Lawyers has licensed attorneys, reach out to us. We offer free consultations to help you determine how well we fit your needs.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.