
Business Associate Agreements: A Primer
A BAA is a contract between the organization responsible for health data (the covered entity) and an outside party that will have access to that data (the business associate). When the business associate in turn delegates work involving that data to another party, that party is a subcontractor, and under the HIPAA Omnibus Rule it is itself treated as a business associate. The covered entity's BAA with the business associate does not reach the subcontractor on its own; the business associate must obtain the same written assurances from its subcontractor in a separate agreement. The point of having BAAs in place is to establish in writing that these parties are now custodians of protected health information (PHI) under HIPAA, and therefore must abide by the privacy and security requirements of the HIPAA regulations.
From a contractual standpoint, a BAA clarifies the roles and responsibilities of the covered entity and the business associate for legal purposes. A subcontractor BAA does the same one level down: it makes clear that the subcontractor acts on behalf of the business associate and carries the same duties and obligations under HIPAA as the business associate itself. This distinction is important for protecting the security interests of the covered entity, which has no direct contract with the subcontractor.
Under most state laws, where the contract establishes an agency relationship, the principal (the business associate) can be held liable for the wrongful acts or omissions of its agent (the subcontractor). That puts the covered entity in a better position to enforce its right to be notified of breaches of PHI by the business associate and its subcontractors. The business associate, in turn, may seek indemnification from the subcontractor for any breach as additional protection.
The Value of BAAs for Subcontractors
Subcontractors that provide specialized services are frequently engaged by large organizations that lack the expertise or staff to handle certain functions required in the healthcare industry. Yet many of those subcontractors do not know they are subject to the same standards as the larger company. A business associate agreement is the tool by which the organization purchasing those services ensures that any provider that is a "business associate" gives the same assurances to protect the confidentiality of protected health information. That is necessary both to comply with HIPAA and to mitigate the risk of improper disclosure of protected health information.
Risks of this kind take time to manifest. Subcontractors that do not understand whether they are subject to a business associate agreement, or what their obligations under it are, take on a significant business risk that cannot be fixed once it is too late. If the HIPAA regulators come knocking, the subcontractor will in almost all instances be responsible for complying with the rule and fulfilling the obligations of the business associate agreement, whether it likes it or not. If it is not ready to comply, and lacks the proper resources, personnel, and training, there are few excuses or safe harbors that will allow it to escape liability and claims for damages.
All involved must understand the scope of services to be performed, and what rights and responsibilities go along with it. As the saying goes, "know your rights."
Fundamental Components of a BAA
These agreements must address many components. First, a BAA should clearly define its relevant terms.
"Shared Information" is any information, data or analysis created by or on behalf of the covered entity, or derived from such information, that can be used to identify a patient.
"Protected Health Information" is a HIPAA term. In the BAA it refers to all Shared Information that can be used to identify a patient, together with any other identifying personal information such as name, address, social security number, unique identification number, and full-face photographs (the definition covers any Shared Information containing the identifiers set out in the HIPAA or HITECH regulations, and any additional identifiers set out in state regulations). A list of those identifiers is attached to this paper to help identify them. The definition of Protected Health Information is of critical importance to the "Subcontractor", since Shared Information may be used only for Permitted Purposes and not for any other, unauthorized purpose.
"Permitted Purposes" are the defined purposes for which the identified data is being shared (for example, health services, analytics, or other purposes authorized in the BAA).
"Required By Law" refers to the circumstances in which a federal, state or local law requires a party to take, or refrain from taking, certain actions. This matters where a state law is more stringent than HIPAA: HIPAA does not preempt such a law, so the more restrictive law applies even though the two overlap. In California, for example, the Confidentiality of Medical Information Act (CMIA) is more restrictive than HIPAA. HIPAA permits a provider to disclose relevant information to a family member involved in the patient's care unless the patient objects, while CMIA prohibits the provider from disclosing that information to the family member without the patient's express authorization. Determining which law applies is therefore a critical assessment for the BAA.
A "Subcontractor" is a party that creates, receives, maintains or transmits Protected Health Information on behalf of a Covered Entity or Business Associate that discloses it to the Subcontractor. The Subcontractor assumes the responsibilities of the party it stands in for. Because it steps into that party's shoes, a Subcontractor should be deliberate about the engagements it accepts in that capacity, and about the business relationships between Covered Entities and Business Associates that it thereby becomes part of.
The BAA is then entered into by the Subcontractor and the party engaging it (the Business Associate, or the Covered Entity where the engagement is direct). It grants the Subcontractor the right to use Protected Health Information only for the Permitted Purposes identified in the BAA. Those purposes must be drafted carefully and accurately so as not to violate the rule that a Subcontractor may not use or disclose PHI in any way the Covered Entity itself could not. The BAA may also give the Subcontractor the right to perform data aggregation on the Shared Information (combining PHI received from more than one covered entity to support analyses of their health care operations). The BAA should limit the type and amount of Protected Health Information to the minimum necessary to perform the Permitted Purposes; for example, it would allow the Subcontractor to aggregate the Shared Information only for the analytics purpose defined above. The BAA should be executed before any PHI is disclosed, and no later than the commencement of the relationship; because HIPAA requires the assurances to be in writing, commencement of the relationship should not be relied upon as evidence that the terms have been accepted. BAA terms and conditions should be tied to each specific purpose separately (such as analytics) rather than providing blanket coverage.
How to Draft your First BAA for Subcontractors
A BAA for subcontractors requires a similar approach to that of a BAA between a covered entity (CE) and a business associate (BA). Under 45 CFR 160.103, a "subcontractor" is "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." Where that delegated work involves the creation, receipt, maintenance or transmission of protected health information (PHI), the subcontractor is itself a business associate and must be bound by a business associate agreement.
Just as a BA may use or disclose PHI it receives from a CE only as its BAA permits, a BA may not pass PHI to a subcontractor absent the CE's knowledge and permission, for as long as the subcontractor stores, maintains, transmits or otherwise uses that PHI. A BA's subcontractor may receive PHI, however, where the BA's BAA with the CE already permits this kind of delegation, or where one of the regulatory exceptions applies.
Accordingly, the HIPAA Security Rule requires the BA to obtain written assurances that its subcontractors will comply with the same security requirements the BA owes the CE under its own BAA. This matters because a CE cannot monitor or control PHI once it is in a BA's (or a subcontractor's) possession; the BA must therefore collect information such as breach reports from its own subcontractors and relay it to the CE.
With this in mind, a BA should take great care to ensure that its BAAs with subcontractors reflect both its own obligations to the CE under its upstream BAA and the subcontractor's obligations to the BA. To this end, some of the provisions to keep an eye out for include:
Common Pitfalls and Workarounds
Challenge: Interpretation of the term "Subcontractor" or "Subcontract"
Interpretations of the word "Subcontractor" vary, and the term is read differently under the CMS Final Rule than under the Final Omnibus Rule. In ordinary usage a subcontract may cover any number of business automation tools, such as the scheduling and accounting software a business uses to run itself. Under the Omnibus Rule, however, the term subcontractor is limited to "business associates" that create, receive, maintain or transmit PHI in providing services to a business associate. A service provider engaged for functions that do not involve PHI is therefore not a subcontractor for purposes of HIPAA compliance, and no BAA is required for it.
Solution
Before signing a BAA, ask your healthcare business associates whether there are other vendors or contractors who may require a BAA. For example, if your company needs to obtain insurance for its medical or dental practice, consider whether the insurance agent or broker may be a subcontractor under the Omnibus Rule. If so, the BAA and HIPAA compliance requirements may apply to it as well.
Challenge: Difficulties Accruing from "Exclusions" in Business Associate Agreements
Most business associate agreements contain detailed exclusions, which can prove confusing. This practice has its genesis in the HHS guidance, which notes that a business associate relationship does not arise, and a BAA is not required, where the activity does not involve the creation, receipt, maintenance, or transmission of PHI.
Solution
If Part A or Part D covered entities decide it is appropriate to use a business associate contract to protect the handling of protected health information, the BAA should also describe the permitted uses and disclosures of PHI by the business associate, the business associate's responsibility to report breaches of unsecured PHI, and the other HIPAA privacy and security standards that apply. Ultimately, whatever the relative weight of the Omnibus Rule and the guidance, it is up to the covered entity to engage in a reasoned analysis of the activity covered by the BAA to determine whether a BAA is appropriate. Whichever path it chooses, the covered entity should document the basis for its decision in writing.
Benchmark Case Studies of BAA in Action
One large non-profit community health center serving a low-income, older adult population entered into a data sharing agreement with a group of independent contractors for remote management of chronic disease by professionals using telemedicine technologies. The health center advised the contractors that it would not allow them to handle or access any patient information that did not relate to the specific purpose of the data sharing agreement, instructed them not to maintain any patient information outside the project, and required them to keep project data in a password-protected, encrypted electronic file created for that purpose. The contracts specified that only the limited data required about the care delivered would be shared, and that the health center would carefully review and scrub it before providing it to the contractors. The health center maintained an ongoing dialogue with the contractors, conducted on-site monitoring and site visits, and provided training and assistance. Most importantly, the contractors had to secure the health center's consent for any other use of the data. Every three months, the contractors submitted to audits of the remote visit files in order to earn their contracted stipend.
Another health center developed an extensive educational program while it was transitioning to the requirements of Stage 2 of the meaningful use program. This included an internal assessment of how BAAs were likely to be affected by the electronic health record requirements, what information technology changes might be necessary to support BAAs, what new policies and procedures were needed, and what training staff would require for BAA implementation. It also developed an inventory of its current BAAs and began an inventory of its current business associates and their subcontractors, requiring each business associate to identify its subcontractors and the nature of the relationship. Finally, the health center used this process to develop a timetable for contract review and renewal, began updating its subcontractor agreements, and made decisions about contracting with outsourcing parties directly (where permitted).
Emerging Trends in BAAs for Subcontractors
The future of BAAs for subcontractors is one of the most intriguing areas to explore as we head into the next decade. With HITECH enforcement strengthening the applicability of the privacy and security rules to the business associates of covered entities, a significant number of new industry standards are emerging and existing practices are being revised. The enforcement provisions of section 13410 of the HITECH Act, including the authority section 13410(e) gives state attorneys general to bring civil actions, together with HITECH's breach notification requirements, are also changing the way covered entities and business associates handle breaches and are generating significant activity.
In addition to an overall increase in enforcement activity by the Office for Civil Rights (OCR) of HHS and by state attorneys general, their work with the GAO and other federal agencies on electronic health records and health IT systems means that the law will shape the long-term future just as much as technological change or business concerns.
BAAs themselves may soon begin to evolve into, and merge with, other legal agreements in the B2B world. We may well see privacy and data security considerations presented in the form of a "Data License Agreement" as the basic HIPAA concepts of use and disclosure are adapted to meet legal requirements in other areas of the law while, at the same time, becoming more strictly governed by HIPAA standards.
Aspects of the BAA may even become incorporated into franchise disclosures, since franchising is the one area of business that already requires a written disclosure document to be given to a prospective franchisee before it can legally access or use confidential information about the franchise system, its members, or the parent company. As organization and enforcement efforts continue on the part of all relevant parties, the fact that BAAs are almost entirely self-drafted and vary from business to business means that standardization and jurisdictional consistency will likely remain the bane of HIPAA compliance officers for many years to come.