
What is a BAA and Why You Need to Know?

October 8, 2021



The HIPAA Privacy Rule applies to what are known as “covered entities”, which include but are not limited to health care providers, health plans, and health care clearinghouses. In most cases, these entities carry out their health care functions and duties with the help of persons and/or businesses that offer services to assist them. The Privacy Rule allows covered entities to disclose or share personal patient health information with these “business associates”, but in doing so the covered entity is required to obtain satisfactory assurances, in writing, in the form of a business associate agreement. That agreement ensures that the business associate will use the information only for the purposes for which the covered entity has engaged it, will safeguard the information from abuse or misuse, and will help the covered entity comply with its duties under the Privacy Rule. A business associate agreement is a contract that includes all of the details required for the business associate's compliance with the Privacy Rule and all other HIPAA guidelines.

When was BAA Enacted?

HIPAA, the Health Insurance Portability and Accountability Act, was signed into law on August 21, 1996. The original 1996 law was designed to “improve the portability and accountability of health insurance coverage” for employees between jobs. Additional objectives of the 1996 law included reducing waste, fraud, and abuse within healthcare delivery and health insurance. The Act also encouraged the use of medical savings accounts by introducing tax breaks, provided coverage for employees with pre-existing medical conditions, and simplified health insurance administration.

Many covered entities, however, need the assistance of other individuals and companies to carry out their duties. The push to computerize patient medical records led to the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which in turn launched the Meaningful Use incentive program. This prompted the addition of requirements for business associate agreements, so that both covered entities and business associates/subcontractors complied with the privacy requirements for patient healthcare and personal information.


Purpose of the BAA

Part of the HITECH Act of 2009 required all business associates of covered entities that were involved in the exchange, sharing, or transmission of patient medical and personal information to have a contract making the business associates directly liable for compliance with specific HIPAA Rules requirements. In 2013 the HITECH Act was modified to include policies covering the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules as they applied to business associates.

A “Business Associate” is defined as an entity or person that, on behalf of a covered entity, performs certain activities or functions involving the use or disclosure of protected patient health or personal information, or that provides services to the covered entity. A covered entity such as a health plan, health care provider, technology provider, or health care clearinghouse can itself be a business associate of another covered entity. The types of function or activity that may make an entity or person a business associate include health care operations and payments, as well as additional activities regulated under the Administrative Simplification Rules. Staff or workforce members of a covered entity are not considered business associates. The Privacy Rule lists some of the activities, functions, and specific services that can make an entity or person a business associate if the service or activity involves the disclosure of protected health information.

“Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of ‘business associate’ at 45 CFR 160.103.”

What must you do and when must you do it?

A Business Associate Agreement or Contract sets out in writing all details regarding the responsibilities of both the covered entity and the business associate as they relate to patient PHI (Protected Health Information). The agreed-upon written document must be signed and in place before any exchange, release, disclosure, or transmission of PHI by the covered entity to the business associate.

According to HHS, a business associate, including any subcontractor, must have a BAA that includes:

Can I have someone sign afterwards?

A signed BAA is required prior to entering into any exchange, sharing, or transmission of PHI between a covered entity and a business associate. HIPAA does allow for electronic signatures to be an acceptable method of signing.

All official representatives that are authorized to sign a BAA must do so prior to allowing the sharing or exchange of PHI.

If there is a change in the business entity such as a name change or ownership, a new BAA must be signed between the covered entity and the business associate/subcontractor.

How long do you have to keep records?

There are various answers to this question based on the type and purpose of PHI and the services offered.

The HIPAA Security Rule indicates that all records containing e-PHI (electronic Protected Health Information) must be retained for a minimum of six years. However, other state and federal regulations may require that the records be kept longer than six years.

Hospitals are required to keep records for a minimum of 5 years; critical access hospitals follow a 6-year rule. Where an employee has been exposed to a harmful agent or substance, OSHA requires employers to retain medical records for 30 years.

State rules for physicians also differ, ranging from seven years to indefinitely, though some indicate that ten years is an acceptable retention period.

Upon termination of a BAA contract, the business associate/subcontractor is required to return the information to the covered entity within a recommended 30-day period. If the information is not returned, the business associate/subcontractor is required to shred all paper documents and securely destroy all digital data by deleting and overwriting it.

Fines and penalties for breaching a BAA contract

The Department of Health and Human Services’ Office for Civil Rights (OCR), as well as the state attorneys general, can levy penalties for violations of HIPAA regulations arising from the breach of a BAA contract. Financial penalties can be levied against covered entities, which are also required to adopt action plans to correct their procedures and policies and bring them up to HIPAA standards. The penalties for violations were updated by the HIPAA Omnibus Rule, which enacted the changes required by HITECH (the Health Information Technology for Economic and Clinical Health Act) and went into effect on March 26, 2013. These updated penalties apply to health plans, healthcare providers, healthcare clearinghouses, and all other covered entities and their BAs (business associates) that are found to have violated the HIPAA Rules.

The financial penalties were created to deter and prevent violations of HIPAA laws and to ensure that covered entities and their business associates/subcontractors are held accountable for their actions or inaction. All covered entities and their business associates/subcontractors are required to protect the privacy and confidentiality of patient health and personal data and to provide patients with access to their health records on request.

The HIPAA financial penalty structure is tiered, based on the level of knowledge the covered entity had of the violation. Ignorance of the HIPAA Rules is not considered an acceptable excuse for failing to comply with them. The OCR uses a number of “general factors”, together with the severity of the HIPAA violation, to set the financial penalties. Maximum fines are applied where the covered entity is found to have willfully violated HIPAA laws.

HIPAA Violation Penalty Structure

The “general factors” the OCR uses to determine a penalty may include, but are not limited to, the length of time the violation was allowed to continue, the number of people affected, the nature of the information or data exposed, any prior history, the level of harm caused by the violation, and the financial condition of the organization. An additional factor is the organization's willingness to assist in the OCR investigation.

Covered Entity HIPAA Responsibility to Patients

The HIPAA Privacy Rule includes the right of the individual to be informed of the privacy practices of any covered entity that is involved with, retains, or shares their private healthcare and personal information. All covered entities are required to develop a clear explanation of these practices and rights and supply them to the patient.

The Privacy Rule governs how a covered entity may use or disclose private and protected health information and sets out the rights of the individual with respect to that information. A covered entity is not required to include details about the business associates/subcontractors it deals with in its privacy policy; by supplying a privacy policy, however, the covered entity is nonetheless required to have signed, HIPAA-compliant BAAs with all of its business associates/subcontractors.

There are additional exceptions/additions for covered entities where:

The general rule for the Privacy Rule does not require business associates/subcontractors to have a privacy policy if:

By supplying a Privacy Policy, a covered entity is affirming that it has appropriate BAAs in place with all business associates/subcontractors to protect patient personal and medical health information, that all business associates/subcontractors comply with the HIPAA Rules and guidelines, and that all BAAs are up to date with any changes that may have occurred.
