Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate (BA). The contract protects personal health information (PHI) in accordance with HIPAA guidelines.
Effective Feb. 18, 2010 in accordance with the HITECH Act of 2009, a BA's disclosure, handling and use of PHI must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates. Under the HITECH Act, any HIPAA business associate that serves a health care provider or institution is now subject to audits by the Office for Civil Rights (OCR) within the Department of Health and Human Services and can be held accountable for a data breach and penalized for noncompliance.
With these new regulations in mind, a HIPAA business associate agreement should explicitly spell out how a BA will report and respond to a data breach, including data breaches that are caused by a business associate's subcontractors. In addition, HIPAA business associate agreements should require a BA to demonstrate how it will respond to an OCR investigation.