Business Associate Agreement FAQ

Who is a Business Associate (BA)?

According to HIPAA, a Business Associate (BA) is a person or entity that performs certain functions on behalf of a Covered Entity (CE) or that provides services to a Covered Entity that involve the use or disclosure of protected health information (PHI). The activities or services provided by a BA that include the use or disclosure of PHI may include things such as: claims processing or administration; data analysis; quality assurance; or legal, accounting, management and financial services. This list is not exhaustive, and more detail can be found here.

Who is not a BA?

Employees of Covered Entities are not considered Business Associates of the Covered Entity. Health care providers who receive PHI related to the treatment of an individual are also not considered BAs. For example, if a hospital refers a patient to a specialist and transmits the patient’s medical record for the purposes of treating the patient, the specialist is not considered a BA of the hospital.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement (BAA) is a written agreement between a Covered Entity and a Business Associate (BA) in which the BA agrees to take appropriate measures to safeguard any PHI it receives or creates while providing services to the Covered Entity. The purpose of a BAA is to require BAs to provide the same Privacy Rule protections for PHI that currently apply to Covered Entities in order to safeguard such information from unauthorized disclosure. Basically, the BA agrees to comply with HIPAA safeguards while working with PHI.

It is important to note that all the duties and obligations that HIPAA imposes on the CE are similarly imposed on the BA. This includes subjecting the BA to sanctions and fines in the same way as the CE is subject to such.

Why would I need a BAA?

HIPAA requires BAAs between Covered Entities and Business Associates. However, HIPAA enforcement has increasingly scrutinized not only whether a BAA is in effect between a BA and a Covered Entity, but also whether the BAs are actually complying with the agreements. Business Associate Agreements set clear expectations that the Business Associates with which you work must comply with the requirements of HIPAA regarding the safeguarding of PHI. Compliance with HIPAA is reason enough for you to enter into agreements with your BAs. In addition, it is important to know that an increasing number of HIPAA audits are taking place, and they are targeting smaller practices and organizations. Failure to have BAAs in place may lead to sanctions, including monetary penalties, that can be especially problematic for small practices with limited resources.

What are the risks of not having a BAA?

The number and scope of HIPAA audits have changed recently. In 2016, HIPAA launched Phase 2 of the audit program, which includes both Covered Entities and Business Associates, and there are fewer on-site audits. Instead, so-called “desk audits” are conducted that include requests for a list of all of the Covered Entity’s Business Associates. In Phase 1 of the audits, the Office for Civil Rights (OCR) only asked Covered Entities to provide a list of business associate contracts; in Phase 2, OCR is looking not only at the BAAs, but is also auditing the BAs to determine if they are actually in compliance with HIPAA. Covered Entities need to be sure that they understand when a BAA is required and execute such agreements so that, in the event of an audit, they can produce the requested documentation and show compliance with the relevant provisions of HIPAA.

What is included in a BAA?

A BAA must “establish the permitted and required uses and disclosures of protected health information by the Business Associate.” The regulation then identifies specific information that must be part of the BAA, including, but not limited to: a requirement that the BA not use or disclose PHI other than as permitted by HIPAA; a requirement to report breaches or unauthorized disclosures; a requirement that PHI be made available to patients and that amendment be allowed as required by HIPAA; a requirement that PHI be destroyed or returned at the termination of the BAA; a requirement that any subcontractors engaged by the BA agree to the same restrictions and obligations regarding PHI; and several other specific provisions. PLEASE NOTE: This is not a comprehensive list; the full text of the regulation and all of its requirements can be found here.

There are many entities and individuals who provide services that would be subject to a BAA. However, many such entities and individuals are not healthcare providers and are not familiar with the requirements of HIPAA. Many BAs may be willing to sign a BAA thinking that it is similar to a non-disclosure or confidentiality agreement but without truly understanding what is required under HIPAA. Because BAs are likely to be unfamiliar with the specifics of HIPAA, it is important that any BAA includes specific information about compliance with HIPAA, including specific processes that the BA will follow in the event of a data breach, what safeguards the BA will employ to ensure PHI is used only as detailed in the BAA, and how the BA will respond to an OCR audit. The more specific the BAA, the easier it will be for the Covered Entity to demonstrate not only its own attempt to comply with HIPAA, but also that it made a reasonable effort to assist the BA in understanding and complying with HIPAA requirements. A sample template for a BAA can be found here.

Do I need a BAA with:

    Banks or other financial institutions? No. According to the Department of Health and Human Services (HHS), when a bank or other financial institution conducts its normal banking or financial transaction services for its consumers, it is not considered to be performing an act for or on behalf of a Covered Entity. Instead, it is simply engaging in normal services that it provides to all of its customers. Thus, a BAA is not required between a Covered Entity and its bank or financial institution. Note: Transactions beyond the normal scope of financial/banking operations DO require a BAA. For example, having Square send an invoice to a client regarding a bank transaction would be beyond the normal scope of banking operations and would require a BAA with Square.

    Psychologists who share office space? Not usually, as long as the psychologists do not share PHI with each other and take reasonable precautions to protect against accidental disclosures of PHI to other office-mates. In an office sharing situation, it is often the case that the providers sharing the space may have occasional access to the PHI of another provider’s patients. For example, a provider may hear the name of a patient being called from the waiting room or may see the name on a patient sign-in sheet. Such disclosures would be considered “incidental disclosures” – secondary disclosures that occur as a result of a permitted disclosure, that are limited in nature, and that cannot reasonably be prevented. These incidental disclosures are permissible, but only if: (1) the Covered Entity has reasonable safeguards in place to protect the privacy of individual patients; and (2) the Covered Entity has implemented the minimum necessary standard. The “reasonableness” of safeguards varies depending on the specific characteristics of the entity. If, however, the Covered Entity does not have such safeguards in place (e.g., all providers share one common file cabinet for records or share an EHR system where providers can access PHI of the other providers’ patients), then a BAA should be in place among the people who will have access to the PHI of the patients of other providers.

    Shredding companies? It depends. When a Covered Entity hires a shredding company to destroy documents containing PHI and the company takes the documents off site for shredding, then the shredding company is likely a Business Associate and there would need to be a BAA in place between the Covered Entity and the shredding company. There are many shredding companies that advertise themselves as HIPAA compliant and that may even provide their own BAAs to customers who need such an agreement, and it is important to seek a company that understands and complies with the requirements of HIPAA.

    However, if the shredding is done under the direct control of the Covered Entity (for example, on the Covered Entity’s premises with an employee of the Covered Entity observing the work), the service can be treated as part of the Covered Entity’s workforce. Because HIPAA does not require Covered Entities to enter into BAAs with members of their workforce, a BAA would not be necessary in such a situation.

    IT or computer repair technicians? Repair technicians for copiers, fax machines, and other hardware? It depends. The main consideration is whether the repair technician will have access to PHI in order to provide services to the Covered Entity. It is important for the Covered Entity to understand where and how PHI is stored so it can determine whether or not a repair technician will have access to this information. In many cases, IT or computer repair technicians will have access to PHI when accessing computers or networks in order to complete their services. In these situations, a BAA would be required. In other situations, such as a copier repair person coming on site to conduct a minor repair, the technician may not have access to PHI, and a BAA would not be required. When feasible, the safest course of action would be to find computer and other repair technicians who are willing to enter into a BAA and who understand the requirements of HIPAA as they relate to the protection of PHI.

    Plumbers, electricians and other maintenance workers? No. The services provided to a Covered Entity by this type of worker do not require access to PHI, which places these workers outside of the definition of a Business Associate. Any exposure these workers may have to PHI would be considered an incidental disclosure and would not require a BAA.

    Housekeeping/maintenance crews in office? No. The HIPAA Privacy Rule permits incidental disclosures of PHI, and a BAA is not required where access to PHI would be incidental. In the case of janitorial or housekeeping crews, the work performed does not involve the use or disclosure of PHI. Any access to or disclosure of PHI to such personnel would be limited and a by-product of the work being performed; such incidental disclosures do not require a BAA.

    The United States Post Office, UPS, or other delivery companies? No. The Privacy Rule contains an exception for entities that act as “conduits” for protected health information, and the USPS and other delivery services fall under this exception. A “conduit” is an entity which transports information, but does not access or use the information on any regular basis. Under these circumstances, the Covered Entity has no intention of disclosing the PHI, but instead expects the USPS or other courier to transport the information from one place to another. Because there is no intent to disclose the PHI and the likelihood of PHI being accessed by a conduit is low, the conduit is not considered a Business Associate and a BAA is not required.

    Dropbox or other Cloud Storage Providers (CSPs)? Yes. According to HHS.gov, when a Covered Entity engages a CSP “to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. … This is true even if the CSP processes and stores only encrypted ePHI and lacks an encryption key for the data.” (https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html) Thus, if a Covered Entity uses any type of CSP, whether it be Dropbox for storing documents or a full Electronic Health Record system, the Covered Entity and CSP must enter into a BAA even if the data are encrypted and cannot actually be viewed by the CSP. This is because although encryption does help protect the confidentiality of ePHI, it does nothing to ensure the integrity and availability of the PHI, and the Security Rule requires that the confidentiality, integrity, and availability of PHI are all safeguarded using reasonable measures.

    Pearson, PAR, and other test companies? It depends. Some of the services provided by psychological assessment companies involve creating, receiving, maintaining, or transmitting ePHI, but not all. It is up to you to determine if the service you are using requires a BAA. For example, Pearson Assessments has a number of different scoring services available. Some of them consist of software that resides completely on the customer’s computer system, and no PHI is shared with Pearson when these services are used. Thus, a BAA is not required when using these services. Others, such as the Q-Interactive service, do involve PHI and would require a BAA with Pearson. Similarly, PAR has a service called PARiConnect which involves PHI and requires a BAA. You can check with the specific company you are working with to determine if the product(s) you are using involve PHI and require a BAA in order for your use to be HIPAA-compliant.

    Email service providers? Yes, although HHS has not specifically stated that email providers are considered Business Associates. There has been guidance issued by HHS that suggests that email providers may be treated as BAs, and the conservative position at this time is to consider email providers to be BAs. The main question is whether the email provider stores PHI on more than just a temporary basis (although “temporary” has not yet been clearly defined). HIPAA requires a BAA with any entity that stores PHI or routinely accesses PHI. If the email provider does not store or routinely access emails or PHI that is connected to the emails, a BAA may not be required. However, it is not always easy to determine if this is the case. Finding an email provider that is willing to enter into a BAA may provide assurances that the company will have appropriate security measures in place to protect the information that you transmit via email, and at this time, is the least risky position to take. However, there is still some debate regarding whether a BAA is required under HIPAA.

    Attorneys providing services to the Covered Entity? Yes, if the attorney will have access to PHI. If you retain an attorney to provide services that do not include access to PHI, such as creating a business entity, drafting contracts, or reviewing forms, then a BAA is not necessary. However, if you have retained an attorney for malpractice or licensure defense and the attorney will have access to PHI related to the complaint, there must be a BAA in place. The BAA should provide that the attorney and any agents performing functions to assist the attorney, such as paralegals, investigators, other legal counsel, etc., will safeguard the privacy and security of the PHI. However, the BAA does not need to require people who are not providing assistance to the attorney but who may have access to the PHI (such as opposing counsel or other witnesses) to comply with the conditions of the BAA.

    Court/judge when a provider is testifying or otherwise sharing PHI? No. HIPAA requires BAAs with Business Associates, which are persons or entities performing functions on behalf of, or providing services to, a Covered Entity. A judge presiding over a case in which a Covered Entity is testifying is not providing services to or on behalf of the Covered Entity, so a BAA is not required.

    Online fax systems, Google Voice or other VoIP platforms? It depends. As a general rule, HIPAA does not require a BAA with vendors who sell or provide software to a Covered Entity as long as the vendor does not have access to the PHI. Therefore, it is important for you to understand how any PHI will be transmitted, stored, or accessed by a software platform in order to know whether a BAA will be required. When you engage a vendor for fax or VoIP services, it is your responsibility to determine whether they will store or have access to the PHI; if they will, you will need a BAA with that third-party vendor.

    Skype/VSee or other videoconferencing platforms? It depends. Although HIPAA requires a BAA with any entity that stores PHI or requires routine access to PHI, it is not always clear whether videoconferencing platforms store or access such data. If a vendor provides encryption and a written BAA, this can provide assurances to you that the vendor will meet the privacy and confidentiality requirements of HIPAA. In the absence of encryption and a written BAA, it is up to you to verify that the platform either meets the conduit exception or otherwise has technological safeguards in place that meet the terms of HIPAA.