Back to the Basics of Business Associate Agreements


Business Associate (BA) Agreements are contracts executed between Covered Entities and Business Associates, or between Business Associates and their Subcontractors. These agreements specify the responsibilities of each party under HIPAA to ensure that protected health information (PHI) is safeguarded. BA Agreements are also used to clarify permissible uses and disclosures of PHI based on the relationship between the parties and the services being performed.

The last substantive change to HIPAA laws impacting BA Agreements occurred in 2013 with the implementation of the HIPAA Omnibus Rule. The Rule finalized new requirements for Business Associates mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. It also expanded the definition of Business Associates.

Who is a Business Associate?

The definition of a Business Associate always included persons or organizations creating, receiving or transmitting PHI on behalf of a Covered Entity. But the Omnibus Rule added the keyword “maintain” to the definition. This significantly broadened the scope of the definition to include organizations that store PHI but may not necessarily access it, such as Cloud Storage Providers (CSPs).

In the past, organizations like CSPs successfully argued that they were merely “conduits” of PHI, not Business Associates, and therefore, not subject to BA Agreements. However, the U.S. Department of Health and Human Services (HHS) issued guidance clarifying that organizations providing services to Covered Entities or Business Associates in which PHI is maintained are indeed Business Associates even if they do not actually view the information. HHS indicated that the conduit exception is limited to transmission-only organizations where the access to PHI is transient, like internet service providers (ISPs) providing transmission services, as opposed to organizations like CSPs, which have persistent access to PHI, regardless of whether the PHI is actually accessed.

Expanded Business Associate Obligations

In addition to expanding the definition of Business Associates, the Omnibus Rule also clarified provisions required for them to be in compliance with the HITECH Act. Now, Business Associates must:

  • Adhere to the Security Rule;
  • Report breaches of unsecured PHI to Covered Entities;
  • Comply with the requirements of the Privacy Rule to the extent they are carrying out a Covered Entity’s privacy obligations; and
  • Enter into BA Agreements with Covered Entities, and execute BA Agreements with their own Subcontractors, imposing the same obligations that apply to themselves as Business Associates.

The most impactful and far-reaching of these provisions concerns BA Agreements. Prior to 2013, Business Associates were only required to comply with HIPAA based on the terms of their contractual agreements with Covered Entities; there was no requirement for BA Agreements to be executed between Covered Entities and their Business Associates. And, there was no requirement for Business Associates to address HIPAA compliance with their Subcontractors.

HHS Guidance on BA Agreements

With the passage of the Omnibus Rule, HHS provided guidance on the structure and content of BA Agreements, requiring that all BA Agreements accomplish the following:

  1. Establish permitted and required uses and disclosures of PHI by the Business Associate;
  2. State that the Business Associate will not use or further disclose PHI other than as permitted or required by the Agreement, or as required by law;
  3. Obligate the Business Associate to implement appropriate safeguards as defined in the HIPAA Security Rule with regard to electronic PHI (ePHI);
  4. Require the Business Associate to report uses and disclosures of PHI not provided for by its contract with the Covered Entity that constitute a breach;
  5. Require the Business Associate to disclose PHI to satisfy the Covered Entity’s obligation with respect to individuals’ requests for copies and accounting of disclosures of their PHI;
  6. Require the Business Associate to carry out the Covered Entity’s obligation under the Privacy Rule, to the extent applicable to their contractual duties with the Covered Entity;
  7. Obligate the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI, for purposes of HHS determining the Covered Entity’s compliance with the HIPAA Privacy Rule;
  8. Upon termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from the Covered Entity, or created and/or received by the Business Associate on behalf of the Covered Entity;
  9. Require the Business Associate to ensure that its Subcontractors that have access to PHI agree to the same restrictions and conditions that apply to the Business Associate itself; and
  10. Allow the Covered Entity to terminate its contract if the Business Associate violates the BA Agreement.

Note that there is a downstream chain of obligation: the requirements listed above also apply when the Business Associate contracts with a Subcontractor. The responsibility for executing BA Agreements with a Subcontractor lies with the Business Associate, not the Covered Entity.

What about Indemnification?

Looking at the BA Agreement requirements, and the sample document template provided by HHS, one is quick to notice that indemnification isn’t mentioned. Yet, many BA Agreements contain indemnification clauses. Why?

In simple terms, an indemnification clause is a promise made by one party to cover another party’s losses and expenses. Covered Entities typically insert indemnification clauses into their BA Agreements in an effort to shift financial liability to their Business Associates when the Business Associate is found to be at fault in the event of a breach.

With Business Associates now directly liable under HIPAA, they can be fined and penalized by the government for violations and breaches. Given this direct liability, it may seem that the issue of indemnification is redundant. However, since the ultimate responsibility for notification in the event of a breach still falls to the Covered Entity, and it’s the Covered Entity that’s usually at greatest risk of reputational harm, one can see why they would want to be indemnified by their Business Associates.

From the Business Associate perspective, navigating indemnification clauses is challenging. Before agreeing to indemnification, a Business Associate must find out from its own liability insurance carrier whether it is even permitted to do so, or whether agreeing to indemnification would have an adverse impact on coverage. Some policies exclude coverage for liability assumed under contract through indemnification clauses.

Other factors Business Associates should consider are: capping the amount paid in case of indemnification, setting an end date for the indemnification period, clearly defining the scope of activities subject to indemnification, and making the indemnification clause mutually applicable (that is, asking the Covered Entity to indemnify the Business Associate in the case of a breach caused by the Covered Entity).

In light of all these considerations, it’s best to review BA Agreements carefully before signing on the dotted line.