As mentioned during SureCloud’s webinar on “Why Your Vendors are Your Biggest HIPAA Privacy Risk,” getting a business associate agreement in order can be a difficult task. The law can be nuanced, confusing, and seemingly endless on this subject matter. There are many factors to keep in mind in order to remain compliant. Here are some tips that should help streamline the process.

Before we begin, it’s important to note that Business Associate Agreements (“BAA”) are imperative towards compliance efforts, given that disclosing Protected Health Information (“PHI”) without one can constitute a Health Insurance Portability and Accountability Act (“HIPAA”) violation. These are the documents that can insulate healthcare providers from liability by means of agency law. Without a BAA, a Covered Entity can be fined and found culpable via governmental enforcement action, as well as private suits; even though their vendor caused the breach.

It’s been cited by a GovInfoSecurity article that: “[in the first half of 2019], business associates have been reported as “present” in 47 breaches affecting nearly 1.25 million individuals that have been added to the tally.”

But even more important than compliance, the vendors pose a significant risk to patient health and patient care.

Who Qualifies as a “Business Associate” (“BA”)?

The term Business Associate is one applied to third-party vendors who, regularly, make use of Protected Health Information on behalf of a Covered Entity (a healthcare provider, health plan, or clearinghouse). The actual definition, which you can find at the Legal Information Institute, is much more robust. This basic rendition will enable you to determine, generally, who and what a Business Associate is.

To make matters even more simple, if you can follow along with this flowchart, answering yes to each question in the chain, your vendor is likely to be a Business Associate. As we discussed in the webinar, it’s always better to be safe and assume that a vendor falls under the definition if you’re unsure. Please note that best practice is to consult the Code of Federal Regulations (“CFR”) for the detailed parameters when drafting business associate agreements, as the following chart has been boiled down for convenience and ease in comprehension.

What Should I do Before Implementing a Business Associate Agreement?

Once you’ve determined that a potential vendor is indeed a Business Associate, it’s wise to screen them. Screening is essentially the process of conducting a risk assessment in the selection of Business Associates. The goal is to ensure that they’re capable of enacting the safeguards mandated by federal regulation, the ones you’ll want to outline in your contract with them.

It is important to document that you’ve performed these actions, as it serves as evidence of precautions taken if a breach occurs. You can do this on a spreadsheet. However, the downside is a daunting manual process with lots of emails and calls when dealing with a large number of vendors. Our clients use our SureCloud Third-Party Risk Solutions to get efficiency in distributing the assessments, tracking and scoring them, as well as doing an automated follow-up on resulting remediation action items. Healthcare organizations have also benefitted from a purpose-built vendor risk solution that SureCloud offers, set up specifically for Business Associates, Protected Health Information tracking and Business Associate Agreement tracking.

What Should I Put in My Business Associate Agreement?

The purpose of a Business Associate Agreement is to determine safeguards and ensure they’re appropriate to protect Protected Health Information against the risks in that particular business relationship. It’s what is called a satisfactory assurance. With a proper BAA, the Covered Entity is shielded from a lot of the liability that would arise from any vendor breach. It’s effectively a company’s written due diligence, making sure that its patients’ data is safe in the hands of their vendors.

From there, it’s easy to see that creating secure safeguards, the measures taken to protect PHI, is paramount. The Health and Human Services boasts a wide variety of resources to help Covered Entities craft emails for BAAs. Such as, examples of Business Associates, sample contracts, transition provisions for existing contracts and exceptions to the Business Associate standard.

Let’s have a brief overview of the sorts of provisions required within a Business Associate Agreement:

It’s important not to forget other imperative aspects of drafting, such as creating working definitions or listing the obligations and activities of the Business Associate in question. For a more in-depth review of exactly what specifications the Office for Civil Rights (”OCR”) requires of BAAs, please read through sections 164.314 and 164.504 of the Code of Federal Regulations. These sections of the code should serve as the formal rubric for compliance.

What if I Already Have an Existing BAA?

When HITECH was enacted in 2009, Covered Entities had a grace period for current contracts with Business Associates. In other words, they could wait until the agreement was up for renewal to make it compliant. Because that leniency is no longer in effect, even existing agreements, those you’ve had with clients for years must comply with the standards we’ve discussed.

Business Associate Agreements should, ideally, be updated annually to reflect any changes in compliance requirements. Because that‘s not always possible when you‘re contracting with a multitude of Business Associates, try to stagger revisions on a two- to- three-year rotation. That way, you‘re still updating for compliance yearly, just on a more manageable basis. Remember, an inadequate BAA is almost as bad as not having one at all; either one is a HIPAA violation, you have less corrective action if you already have a Business Associate Agreement template in place.

What Should I do After Implementing a BAA?

After entering into a Business Associate Agreement, you should continue to monitor your Business Associate. Request a copy of the internal HIPAA policies, as well as regularly reviewing logs of employee training, security incidents, and periodic audits to ensure they adhere to the terms of the contract. As always, make sure to document these activities, should the need to display due diligence ever arise.

Documentation and habitual review also establish whether a Covered Entity knows about potential HIPAA violations, which might decide liability for any resulting breach; even if the Business Associate commits the act. Agency law factors in the relationship between Covered Entities and Business Associates, therefore be mindful of the conduct of those with whom you have a contract with.

In conclusion, determining Business Associates and drafting agreements do not have to be overwhelming. There are numerous templates, resources, and instructive materials at your disposal. HIPAA compliance can be inconvenient, but it is important, and by no means impossible.

This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice, nor do they necessarily reflect the views of SureCloud Inc, or any of its attorneys other than the author. This article is not intended to create an attorney-client relationship. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products, which reinvent the way organisations manage risk. SureCloud’s products and services are underpinned by a highly configurable technology platform, which is simple, intuitive and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to support existing business processes without forcing organisations to engage in costly business change programmes. SureCloud has been recognized in the 2021 Gartner Magic Quadrant for Integrated Risk Management Solutions.