5 Facts about HIPAA Business Associate Agreements. In May 2019, the OCR (HHS Office for Civil Rights) issued a new fact sheet that gave a clearer explanation of the provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”) for which a business associate can be held directly liable under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009. This update was prompted by the increased number of system breaches within the healthcare industry that exposed personal and private patient health information. The 2013 update of the HITECH Act included the HIPAA Rules provisions that apply directly to business associates and for which those business associates are directly liable.
Business Associate Agreements (BAAs) must therefore contain very specific details and elements to accommodate all of the new requirements, including the following terms.
1} Define the permitted and required uses of the Personal Health Information (PHI) by the business associate, and state that the BAA may not authorize any further use or disclosure of the PHI by the business associate in any manner or method that would violate the Privacy Rule if done by the covered entity, with the exception that the BAA may, but is not necessarily required to:
2} The BAA must include specific wording that the business associate will use appropriate safeguards to prevent the violation, disclosure, or abuse of the Personal Health Information other than as provided for by the BAA.
3} In relation to electronic Personal Health Information, where applicable, the BAA must comply with the Security Rules. This involves the requirement of encryption or similar security features when electronically transmitting PHI.
4} Require the business associate to report to the covered entity any security incidents or any use or disclosure of PHI not provided for by the BAA of which it becomes aware, including breaches of unsecured PHI as required by § 164.410.
5} Allow for “additional terms” that are not required by HIPAA but may be requested by covered entities, such as:
Confirmation that the business associate is not an agent of the covered entity but is acting as an independent contractor.
Requirement of business associate(s) and/or subcontractors to carry their own insurance to cover HIPAA violations.
Requirement that business associate(s) personally carry the cost of responding to any potential HIPAA violation and provide notice of security or privacy incidents or breaches as mandated by the Privacy, Security, or Breach Notification Rules.