Over the past few weeks, we’ve written about HIPAA in a fairly broad way. Today we’re going to narrow the focus to business associates. A “business associate” is someone that works with PHI—protected health information—on behalf of a covered entity, like a hospital or insurance company, but is not employed by the covered entity. Contractors. Tech companies. That kind of thing.
If you’re in the business of working with health care providers or payers, you’re probably a business associate. And HIPAA has a few words for you.
Like, 450,000 words, actually.
They’re called the Privacy Rule.
So, as we mentioned in the first installment of this series, HIPAA was created with two goals in mind: to facilitate sharing of PHI and to minimize misuse of PHI. Simple enough.
The Privacy Rule is an HHS regulation that implements HIPAA by, in part, introducing the concept of a business associate. This facilitates the “sharing of PHI” part of HIPAA. The Privacy Rule also requires a covered entity to have an agreement with each business associate—creatively known as a Business Associate Agreement (or BAA)—that covers access to and use of PHI. That’s the “minimizing misuse” part.
Through a BAA, a business associate becomes bound to many of the HIPAA requirements otherwise aimed at covered entities. (See our prior posts in this series for more on those.)
To comply with the Privacy Rule, a BAA must address some specific things, like:
- What PHI the business associate has access to. Generally speaking, access to PHI should be limited to what is “minimally necessary” to carry out the business associate’s services.
- What safeguards the business associate must implement to protect the PHI it receives.
- Whether there are limitations on further disclosure of PHI.
- Subcontractor compliance, up to, and sometimes including, an outright ban on the business associate giving subcontractors access to PHI. Where subcontractors do have access to PHI, the BAA should at a minimum require that the business associate sign its own BAA with those subcontractors.
- Procedures to follow in the event of a data breach.
- Procedures for handling or disposing of PHI after the relationship between the covered entity and business associate comes to an end.
Since their contents are driven by regulation, BAAs have become fairly standardized. (Though that doesn’t prevent parties from fighting over whose BAA will be used.) Even so, it’s important to review every BAA if only to make sure the agreement is consistent with your general PHI practices, covers all items required by the Privacy Rule, and doesn’t include anything unusual or onerous, like unreasonable breach-notification timelines or unrelated terms that shouldn’t be included at all.
In the next installment we’re going to look at what happens if you breach a BAA or otherwise improperly disclose PHI. And not to ruin the surprise or anything, but it’s not good.