Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA-covered entity and a HIPAA business associate (BA). The contract sets out how protected health information (PHI) is to be safeguarded in accordance with HIPAA guidelines.
Effective Feb. 18, 2010, in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, a BA's disclosure, handling and use of PHI must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates. Under the HITECH Act, any HIPAA business associate that serves a healthcare provider or institution is now subject to audits by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) and can be held accountable for a data breach and penalized for noncompliance.
Examples of HIPAA business associates
According to HHS, a business associate relationship exists in scenarios such as the following:
- A health plan uses a third-party administrator to help with claims processing.
- A CPA firm provides accounting services to a healthcare provider and has access to protected health information.
- A hospital has a consultant perform utilization reviews.
- A healthcare clearinghouse translates a claim from a nonstandard format to a standard format for a healthcare provider, then sends the processed transaction to a payer.
- A physician uses an independent medical transcriptionist's services.
- A pharmacy benefits manager manages a health plan's pharmacist network.
Mobile application developers could also be considered HIPAA business associates because many healthcare mobile applications handle PHI.
HHS gave a scenario in which an app developer would be considered a HIPAA business associate: A patient is told by her provider to download a health app to her smartphone. The app developer and the provider have a contract for patient management services that includes remote patient health counseling, patient messaging, monitoring of the patient's food and exercise, and electronic health record (EHR) integration via application program interfaces. Furthermore, the information the patient enters into the application is automatically incorporated into the EHR.
HIPAA business associate contract requirements
According to HHS, HIPAA business associate contracts or other written arrangements should contain the following:
- Describe how the business associate is permitted and required to use PHI.
- Require that the business associate not use or disclose PHI other than as specified in the contract or as required by law.
- Require the business associate to use appropriate safeguards to ensure the PHI is used only as detailed in the contract.
- Require the covered entity to take reasonable steps to cure any breach by the HIPAA business associate when it becomes aware of one. If this is unsuccessful, the covered entity is required to terminate the contract with the business associate.
- If contract termination is not feasible, require the HIPAA covered entity to report the problem to the HHS Office for Civil Rights (OCR).
With these new regulations in mind, a HIPAA business associate agreement should explicitly spell out how a BA will report and respond to a data breach, including data breaches that are caused by a business associate's subcontractors. In addition, HIPAA business associate agreements should require a BA to demonstrate how it will respond to an OCR investigation.