Business Associate Agreements: Common Misconceptions and Key Considerations



In the past five years, healthcare organizations have harnessed the power of technology to improve patient care for the better. Essentially, fast access to care-critical information helps care providers make more informed decisions. This means healthcare providers may have one or many relationships with vendors and partners who have access to PHI. To comply with HIPAA, care providers are often required to form written partnerships between covered entities and business associates, in the form of business associate agreements (BAA). So the question begs “when do you need a BAA?

Organizations shouldn’t treat a BAA as a checklist item: If not properly implemented or managed, a BAA can put your organization, and its reputation, at risk. Here are key considerations and misconceptions regarding Business Associate Agreements:

What is a Business Associate?

A BAA is a hybrid contractual agreement meant to satisfy HIPAA regulatory requirements. The contract creates accountability and liability between both parties who may handle PHI on behalf of the other entity. If one party violates the agreement, the other party may have remedies.

In 2013, The Department of Health and Human Services’ (HHS) Office for Civil Rights changed the definition of a business associate with the HIPAA Omnibus Rule. Today, a business associate is defined as:

  • A health information organization, e-prescribing gateway, or other entity that provides data transmission services to a covered entity and requires access on a routine basis to protected health information (PHI).
  • An entity that offers a personal health record on behalf of a covered entity. (However, if the personal health record is not offered on behalf of a covered entity, then the personal health record vendor is not a business associate.)
  • A subcontractor, if a business associate subcontracts part of its function requiring access or use of PHI to another organization.
  • A person who creates, receives, maintains, or transmits PHI on behalf of a covered entity. Physical storage facilities or companies that store electronic PHI are business associates.

On January 25, 2013, the HHS published a sample business associate agreement to help organizations create their own.

Reducing Risk When Implementing a BAA

The goal of a BAA is to protect and secure PHI and meet compliance. When implementing a BAA, then, you should focus on reducing risk. Below are six key considerations both during and after the implementation of a BAA:

  1. Sign a BAA before any PHI is transmitted between parties
  2. Keep security top-of-mind by encrypting all transmitted PHI
  3. Understand and require best practices regarding the transmission, storage, and destruction of a BAA
  4. Assign and engage with responsible parties that will take formal responsibility for the BAA process. BAA champions may include a Chief Compliance Officer, Chief Financial Officer, or member of the IT team.
  5. Require and conduct regular risk analyses of computer and other information systems to identify potential security risks and respond accordingly.
  6. Regularly review BAAs with vendors to identify changes in business processes that would require alterations to the current BAA.

The Bare Minimum Works, For Once

Sharing unnecessary data with third parties, contractors, and associates can put your organization at risk. Ensure that the PHI you share with business associates is kept to the minimum necessary to complete their job function. The official “Minimum Necessary Requirement” is a key protection under the HIPAA Privacy Rule. The rule states that covered entities should take reasonable steps to limit the use or disclosure of, and requests, for PHI to the minimum necessary standard.

However, the HHS states that the minimum necessary standard does NOT apply to the following:

  • Disclosures to or requests by a health care provider for treatment purposes
  • Disclosures to the individual who is the subject of the information
  • Uses or disclosures made pursuant to an individual’s authorization
  • Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.
  • Disclosures to the HHS when required under the Privacy Rule for enforcement purposes
  • Uses or disclosures that are required by other law

Policies and procedures should be developed and implemented for each specific organization to reflect business practices and workforce – and while the minimum necessary standard won’t apply to every industry context, it provides a helpful baseline for thinking of shared PHI.

Common Misconceptions about BAAs and HIPAA Compliance

There are many sources to help you in your HIPAA compliance journey, but there’s also a lot of conflicting information — especially when it comes to BAAs. Here are five misconceptions, debunked:

Misconception #1: “A BAA puts all of my liability on the business associate”

A BAA is a shared responsibility between a covered entity and a business associate. Even if a breach occurs and it’s the business associate’s fault, providers can still face monetary penalties.

Misconception #2: “I need to sign a BAA with all of my vendors”

Implementing BAAs with partners and vendors when it’s not appropriate can put your organization at even more risk than not having a BAA in place at all because if a business associate experiences a breach – you may inherit shared responsibility.

Seek clarity on your relationship and the type of data is really needed to perform the job. Reduce your risk posture by hiring an outside consultant, if needed, to assess when a BAA is truly appropriate — and when it is not.

Misconception #3: “Subcontractors don’t need to sign a BAA, because the vendor they’re subcontracting with already has one in place with the covered entity”

The latest HIPAA rules state that covered entities must obtain satisfactory assurances from their business associate. If PHI passes through your system, you are automatically considered a business associate, and the vendor with which you are contracted will require a BAA with you.

Misconception #4:“The vendor is HIPAA-compliant because they encrypt the data in transit and in storage.”

While data encryption is important for HIPAA compliance, it’s not the only thing to look for. Additional controls are required for security, risk management, disaster recovery, data retention, auditing, and more. For example, the HIPAA Rules require, under 164.312(b,) the “[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Misconception #5: “All BAAs are the same”

Each BAA will need to be tailored for your organization. Pay attention to breach notification terms and other requirements addressed in the HIPAA Omnibus Rule Final. If a BAA is older than 2013, it will most likely need to be updated to account for the additional requirements.

Moving forward, organizations can maintain compliance and ensure PHI is secure by implementing a BAA when it is necessary. While there are many considerations to take when achieving HIPAA compliance, there are also misconceptions to consider. Organizations should take an informed approach to security and compliance to maintain trust among business associates — and the patients who trust that their data is secure.