If your business is going to be handling individuals’ medical or health information in any form – paper, oral or electronic – for another entity such as an insurance company, hospital or medical practice, then that entity or its lawyers will probably ask you to sign a contract entitled “HIPAA Business Associate Agreement” or just plain “Business Associate Agreement.”
Typically, this Business Associate Agreement will contain language obligating you to use “appropriate safeguards” to prevent the unauthorized use or disclosure of “protected health information” and obligating you to implement “administrative, physical, and technical safeguards” that “reasonably and appropriately” protect its confidentiality, integrity, and availability when it is in electronic form.
Generally, the Business Associate Agreement will contain a long list of densely worded obligations for you and a short list of obligations for the other entity. Moreover, the Business Associate Agreement will likely contain language providing for its mandatory termination in the event you breach it. It may even provide for termination without giving you any opportunity to cure your breach.
The questions a business logically asks when presented with such a contract are the following:
- What is this contract and why are they telling me I “have to” sign it?
- What am I being asked to agree to?
- How do I comply with the terms of this contract?
This article addresses these common questions.
The Basics of HIPAA
First, some basic terminology and concepts are critical to understanding the answers to the above questions:
- “HIPAA” is the Health Insurance Portability and Accountability Act of 1996, a federal law that protects the privacy of individual medical and health information and gives individuals certain rights with regard to their information. HIPAA is implemented through detailed rules and regulations promulgated by the Department of Health and Human Services and enforced by it and the Department of Justice through civil monetary penalties and criminal sanctions.
- A “Covered Entity” under HIPAA is either a “health plan,” a “health care clearinghouse” or a “health care provider,” each of which has its own detailed definition under HIPAA.
- “Protected Health Information” or “PHI,” is information identifying an individual (or with respect to which there is a reasonable basis to believe it can be used to identify an individual) that relates to the past, present or future physical or mental health or condition of the individual, the provision of health care to the individual, or the past, present or future payment for the provision of health care to the individual.
- Your business will be a “Business Associate” of a Covered Entity under HIPAA if it performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity. These functions and activities include claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, billing, benefits management, practice management, and repricing. Business associate services include accounting, consulting, administrative, and financial services.
What Is this Contract and Why Am I Being Asked to Sign It?
HIPAA requires that a Covered Entity have a written agreement before disclosing PHI to a Business Associate. The Covered Entity must, through such a written agreement, obtain “satisfactory assurance” that the Business Associate will “appropriately safeguard” PHI the Business Associate receives from, or creates on behalf of, the Covered Entity. This is why your counterparty may be telling you that you “have to” sign in order to obtain its business.
The flip side is that if your counterparty is not a Covered Entity, or if you are not handling PHI, then your counterparty is not legally required by HIPAA to obtain these contractual assurances from you. In that case, in other words, no Business Associate Agreement is necessary.
Sometimes it is obvious the entity you are dealing with is a Covered Entity and that PHI will be disclosed to you. For example, if you are being engaged by a medical practice to digitize patient charts, then you are dealing with a Covered Entity that will be disclosing PHI to you. The medical practice cannot legally start handing over the patient charts until it has executed a Business Associate Agreement.
Say the medical practice is engaging you to digitize its employment files. A medical practice is a Covered Entity. But employment records are generally excluded from the definition of PHI, even though they may contain information about sick leave, drug testing, and other sensitive personal health-related matters. Therefore, the medical practice can hand over its employment files to you without a Business Associate Agreement.
Say you are being engaged to digitize the files of a manufacturing company’s employee health benefit plan, such as a group medical, prescription drug, dental, vision, or health care flexible spending account plan. Whether or not an employee health benefit plan (which is considered a separate legal entity from the sponsoring employer under HIPAA) is a Covered Entity depends on how many participants the plan has, how it is administered, and how it provides benefits. Employee health benefit plan files are just one example of an instance where it may not be readily apparent without further investigation whether a Business Associate Agreement is really necessary.
Finally, say a Covered Entity is engaging you to digitize a wide variety of files, some of which will be PHI and some of which will not. In such cases it may be advisable to agree upon a mechanism for identifying what is PHI before you start getting inundated with files, so that the scope of your obligations is defined and limited.
What Am I Being Asked to Agree To?
HIPAA further requires that the Covered Entity impose certain specific obligations on you via the Business Associate Agreement. At the very least, a Business Associate Agreement will contain these required obligations.
The required obligations, which are summarized below, are the only obligations that some standard Business Associate Agreements put forward by Covered Entities contain. However, it is not uncommon for Covered Entities to include additional provisions. You may be willing to accept such additional provisions in order to get the deal done. But in any event, you should have an understanding of what is actually required versus what has been added. Also, some of the required minimum provisions will still contain a negotiated component. For example, the Business Associate Agreement is required to contain a term obligating the Business Associate to report any unauthorized use or disclosure of PHI to the Covered Entity. How quickly you have to report such an incident to the Covered Entity is a negotiable component of the requirement.
The following bullet points summarize the required obligations. It should be noted that they are only intended to give the flavor of the requirements, not the full details, which are lengthy and found in complex provisions in the Code of Federal Regulations. Most of the required obligations are relatively straightforward. Two are broadly worded and open-ended. The “straightforward” obligations are the following:
- You must report any unauthorized use or disclosure of the PHI to the Covered Entity.
- You must report any security incident to the Covered Entity.
- You must not use or further disclose the PHI other than as permitted or required by the agreement or as required by law.
- You must obligate your agents and subcontractors to agree to the same restrictions and conditions that apply to you, and they must agree to implement reasonable and appropriate safeguards for the protection of electronic PHI.
- You must make the PHI available in connection with individuals’ rights under federal law to access their PHI.
- You must make the PHI available for amendment and incorporate any amendments in connection with individuals’ rights under federal law to seek amendment of their PHI.
- You must make available the information required to provide an accounting of disclosures of PHI to individuals in accordance with their rights under federal law to obtain such accountings.
- You must make your internal practices, books, and records relating to the use and disclosure of the PHI available to the federal government for purposes of determining the Covered Entity’s compliance with HIPAA.
- You must return or destroy all PHI, if feasible, at the termination of the agreement, or, if return or destruction is not feasible, you must continue to protect the PHI even after termination.
The “open-ended” obligations are the following:
- You must use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the agreement.
- You must implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI.
One other important item the Covered Entity is required to have in the Business Associate Agreement is a provision for its termination in the event you breach it. The Covered Entity is permitted to have a term allowing you a period in which to cure your breach, but the Covered Entity cannot waive breach indefinitely. That means even if you are permitted a period to cure your breach, if you breach and stay in breach, or breach in a way that cannot be corrected, then the Covered Entity is required to terminate the contract.
This mandatory termination provision of the Business Associate Agreement can jeopardize your underlying contract and business relationship, because a Covered Entity cannot continue disclosing PHI to you without the required contractual assurances for its protection. Thus it will be critical for you to be able to demonstrate compliance with the terms of the Business Associate Agreement.
How Do I Comply with the Terms of this Contract?
Addressing both the “straightforward” and the “open-ended” obligations means, first, having an understanding of what they mean and second, acting in accordance with them. This is best accomplished through a simple HIPAA Business Associate Policies and Procedures Manual that 1) translates each of these obligations into a plain-English policy and 2) provides the corresponding procedures to be followed for compliance with each.
Addressing the “straightforward” obligations is relatively simple. Addressing the “open-ended” requirements, especially the requirement to implement “administrative, physical, and technical safeguards” for the protection of electronic PHI, is more involved. Neither the law, nor most Business Associate Agreements, spells out precisely what this requires any given Business Associate to do.
The law imposes extensive and detailed requirements for administrative, physical, and technical safeguards for electronic PHI directly on Covered Entities, but it also affords them significant flexibility in the actual implementation. The gist of the regulatory scheme is to maintain an adequate level of protection of electronic PHI as it passes from Covered Entity to Business Associate and so forth on down the chain (hence the requirement that a Business Associate obtain HIPAA assurances from any entity to which it passes the PHI). It is sometimes said that the Covered Entity is required to “pass on” all of its electronic PHI obligations to its Business Associate, but that characterization can be misleading.
Some examples of the administrative, physical, and technical safeguards it is advisable for a Business Associate to adopt include access control authorization, data backup, mechanisms to guard against malicious software, and discipline for employees who violate your HIPAA policies and procedures. However, precisely what safeguards any given Business Associate should implement is beyond the scope of this article. A more detailed analysis depends on a variety of factors such as the form of the PHI, the nature of the services you will be providing, and the size and technological sophistication of your business.
Regardless of the specifics of these safeguards, a simple HIPAA Business Associate Policies and Procedures Manual is the best way to implement them. If you are going to be handling electronic PHI, chances are you already have data security policies that can be incorporated by reference in your HIPAA Business Associate Policies and Procedures Manual and thereby serve double duty as safeguards to meet your HIPAA Business Associate Agreement obligations.