What Should be Included in a BA Agreement?

Before you read this, please check out the article about what a business associate is and what they do.

If you’ve already done that, just keep reading!

It is imperative that CEs have written and signed contracts with BAs before doing ANYTHING! If the contract is not in place, both the CE and the BA open themselves up to liability and exhaustive legal battles to determine who is responsible for the ePHI and who owns it. Most CEs and BAs have template agreements that let them “plug-and-play” the names and dates for each vendor they provide services and ePHI access to. Below are the 10 minimum requirements the Department of Health and Human Services (HHS) expects to be included in a BAA… But keep in mind, doing the minimum may not be enough to completely protect your organization from exposure.

Let’s go into a little more detail about these requirements and what they may look like in the wild.

1 – Establishing Use and Disclosure

All BAs interacting with ePHI must use and disclose the information they receive from the CE only as instructed in the agreement. This agreement isn’t meant to harm or restrict the organization, but rather to protect both parties from liability. As long as the information is used in a way that is consistent with the agreement, no party will be found at fault for misuse. The agreement should always include requirements that ensure the integrity, availability, confidentiality, and security of the data the BA creates, receives, maintains, or transmits.

So in short, requirements around the use of any ePHI the BA uses, which comes from the CE, should be detailed appropriately and include obligations around the security of that data.

2 – Information is not Used or Disclosed outside of Contract or Legal Requirements

This one is similar to requirement 1 above, but an additional legal requirement should be included in this section. Laws vary from state to state, so it’s important for a privacy officer to understand the laws of the jurisdiction in which the organization is domiciled. In the event of criminal investigations, lawsuits requiring evidence, and other legal obligations, information may need to be provided to law enforcement. Situations such as these should be addressed in the agreement to show the organization’s compliance with enforceable laws.

3 – Implement Safeguards to Protect ePHI

In addition to the requirements of confidentiality, availability, security, and integrity listed in the first category, BAs must be able to comply with the organizational requirements the CE puts forth in the contract. These include the administrative, physical, and technical safeguards outlined in sections 164.308, 164.310, and 164.312 of the Security Rule.

Administrative safeguards include implementing policies and procedures designed to protect the ePHI the BA interacts with. Something like this can be as simple as an annual risk assessment (required by HIPAA) or a quarterly access review assessing which users can modify the database in which the ePHI is stored.

Physical safeguards shouldn’t be overthought. These are simple, (mostly) visible protections like security badges, biometric mechanisms, security guards, mantraps, security cameras, and receptionists in the front lobby of the building. They provide assurance that the machines and infrastructure creating, transmitting, and storing ePHI are not physically accessible to unauthorized individuals.

Technical safeguards are the ones most often invisible to the untrained eye. User IDs, passwords, multi-factor authentication, segregation-of-duties controls, dual-control mechanisms, activity monitoring and logging, encryption, pseudonymization and anonymization technology, and IPS/IDS tools can prevent someone using a computer from inappropriately accessing ePHI.

4 – Reporting Use or Disclosure of Information not Provided by the Contract

There could be instances where the BA receives information from the CE that falls outside the restrictions of the contract. This is OK as long as the BA reports that it received the data. In most cases, this will resolve any issues between the two parties. The BA may need to erase the data it received if instructed to by the CE. Regardless of what was received, the BA should still have appropriate safeguards in place to protect data received outside of the contract’s requirements.

5 – Disclose Information to the CE to meet Individual Requests

If an individual requests their data from the CE, the BA must also provide the CE with any information it holds on that individual so the CE can fulfill the request. In some cases, the BA may have information that the CE doesn’t, so it must be able to help the CE meet its obligation to provide all the data the data subject requests.

This also applies to requests to update or correct information that is inaccurate. If the request is made to the CE, the BA must also update its own information to comply with the data subject’s request.

6 – A BA must Carry Out the CE’s Obligations under the Privacy Rule

A CE’s obligations under the Privacy Rule extend to the BA. The information the BA is required to protect includes the individual’s past, present, or future health conditions, the provision of health care, and other information that can be used to identify the individual. The common categories of ePHI can be seen here.

De-identification procedures should be in place at the BA to remove any specified identifiers that can link the individual to the information. Since HIPAA extends to BAs, the same provisions in the Privacy Rule apply to the BA.

7 – The BA must make its Internal Practices, Books, and Records Available to the HHS

Obviously, not everything the company holds internally needs to be sent to the HHS. Only the documents that relate to the use and disclosure of ePHI should be provided if requested by the HHS, and only to confirm that internal practices meet minimum HIPAA requirements. Anything outside of those criteria wouldn’t be needed by the HHS. This also helps the CE show compliance with the HIPAA Rule.

CEs should be aware of how a BA is set up to handle ePHI because both parties are required to be compliant with HIPAA. If one is not, the other could be collateral damage if a data breach occurs.

8 – All ePHI Should be Destroyed or Erased when a Contract is Terminated

The CE or BA may terminate the contract if a material term of the agreement is violated by one of the parties (don’t let someone else bring you down with them!). What counts as material will vary from one agreement to another and is usually agreed upon by both parties (since both are in this agreement together).

Materiality can simply be defined as something that is important, essential, or relevant to the contract. This is often determined by the CE and BA, but a broad reading of materiality is that a violation of any one of the 10 requirements of an agreement is material. If one of those is violated, for example the BA doesn’t have physical safeguards in place, the CE can terminate the contract as needed.

If the contract is terminated, the BA must erase or destroy all ePHI received, created, or stored on behalf of the CE, and provide confirmation that this has occurred. Once the contract is terminated, the BA is no longer bound by the requirements of the contract, but it is still bound by HIPAA requirements.

9 – BAs and Subcontractors

A BA may permit a subcontractor to create, receive, maintain, or transmit ePHI on behalf of the BA as long as satisfactory assurance is obtained over the subcontractor’s safeguards. This must be in accordance with section 164.314(a) of the HIPAA Rule. The subcontractor is bound by the same requirements in its contract with the BA that the BA is bound by in its contract with the CE.

Basically, anything you can think of that would apply to the BA or CE, the subcontractor would also need to do. HIPAA protects a data subject’s ePHI from misuse by a CE, a BA, or an affiliated subcontractor, and doesn’t discriminate between them. Subcontractor agreements should look similar to BA Agreements.

10 – Authorize Contract Termination in the Event of a Material Violation

This was already discussed in category 8, paragraph two. If a BA or CE violates one of the other requirements of the contract, the offended party may terminate the contract at a moment’s notice. If this occurs, requirement 8 applies next: the BA must delete any ePHI from its systems.


These are the 10 minimum requirements of a Business Associate Agreement that all CEs and BAs should include when drafting a contract. Anything less would be dangerous and anything more would be above and beyond (which is a great move).

I’ve included an example of a BAA that you can use to start creating your own! This only includes the minimum 10 requirements, so it’s a good start you can add to and shouldn’t use as-is. There is additional information included to reference the regulation or other areas of the agreement.


These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.