The main areas covered by the Health Insurance Portability and Accountability Act (HIPAA) guidelines are privacy, security, identification codes, transaction codes, and the enforcement rule. To adhere to the guidelines, a company must put a proper HIPAA business associate agreement in place. The agreement must contain clauses drawn from the HIPAA guidelines that state what is allowed and what is disallowed in terms of Protected Health Information (PHI). It also states the liabilities of each party and the consequences if one party fails to comply. Because the agreement must be vetted against the HIPAA guidelines, many companies choose to start from a predesigned business associate agreement template.


Business Associate Agreements

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding document signed by an organization or individual and a healthcare provider. The agreement grants the business associate authority to access, retrieve, or store PHI (Protected Health Information) in the course of providing its services.

According to the HIPAA business associate agreement guidelines, covered entities should only work with associates who give assurances that they will protect the entity's PHI. That assurance is formalized by signing the BAA between the business associate and the covered entity. If a vendor breaches document security, the signed HIPAA business associate agreement helps protect the covered entity.

Who needs to establish a HIPAA business associate agreement?

Not every entity requires a BAA. The HIPAA guidelines define the entities that require a BAA form as follows:

  • Healthcare providers: Healthcare providers who submit patient information according to the diabetic HHS guidelines.
  • Health plans: Health plans that provide referrals to entities that submit payments for medical care.
  • Hybrid entities: Entities such as institutions of learning that operate healthcare facilities within the institution.
  • Healthcare: The healthcare of an individual, in terms of both supplies and care.
  • Healthcare clearinghouses: Companies that process claims or patient documents on behalf of a healthcare provider, such as billing services and health information systems providers.

Business Associate Agreement Templates

Consequences of violating HIPAA guidelines

A business faces several liabilities for breaching the HIPAA guidelines. Before an entity signs a business associate contract, the people concerned should first understand the rules that govern it. The entity will face consequences for any of the following failures:

  • Failing to provide an accounting of its disclosures
  • Failing to submit the entity's compliance documents to HIPAA
  • Refusing to cooperate with compliance investigators
  • Allowing third parties to access Protected Health Information without a signed BAA
  • Failing to make a good-faith effort to protect its PHI
  • Failing, after a breach, to take the necessary steps to protect information
  • Retaliating against a person who reports to HIPAA that the entity has breached the guidelines

What happens if you don’t have a business associate agreement?

The purpose of a business associate contract is to set out each party's responsibility for keeping PHI secure and private. The BAA form details what is expected from each party and contains legally binding requirements between them.

For this reason, you need to download and fill out a business associate agreement template every time you want to work with vendors or contractors who might in some way have access to your company's PHI. Keep in mind that by completing the business associate agreement template, you are also fulfilling a HIPAA requirement.

Under HIPAA, you must sign a HIPAA business associate agreement before you allow any third party to come into contact with your entity's PHI. It helps protect your PHI from being breached and protects you from the fines HIPAA can impose for failing to have a signed BAA form. If you are found without a BAA, serious consequences can follow.

  • You may incur heavy penalties imposed by the Department of Health and Human Services Office for Civil Rights (OCR).
  • OCR routinely audits companies. If you fail to provide documents showing signed BAAs, OCR can impose heavy penalties on your company.
  • Your company may be required to sign on to a Corrective Action Plan (CAP). Under a CAP, your company must perform a risk analysis and then develop and implement a risk mitigation plan. The CAP runs for several years, and each year OCR requires regular reports so that it can monitor progress. This is a capital-intensive process that can significantly affect your company's resources.
  • The entire process is tedious and can cause you nightmares. It will cost you precious business time.
  • If your clients or employees learn that you put their sensitive health information at risk, you could lose clients too.

Bear in mind that your company is entirely responsible for protecting customer and employee data. If a breach occurs because you failed to exercise due diligence, you are solely responsible for the consequences.

Those consequences can include financial harm to your business or loss of reputation.

A BAA is a legal document stating that you follow the HIPAA guidelines to ensure that your clients' information is safe at all times. Given the seriousness of the HIPAA guidelines, many companies publish business associate agreement templates so that one is available to you online.

HIPAA Business Associate Agreements

Why do you need a business associate agreement?

The third-party service providers that might require a BAA form are providers for services like:

  • Email services
  • Legal services
  • Billing services
  • Collections agencies
  • Online fax
  • IT contractors
  • EHR (Electronic Health Record) software providers
  • E-signature service providers
  • Accountants
  • Shredding service providers
  • Cloud storage services
  • Physical storage services
  • Practice management

You need to sign a BAA with such service providers for several reasons.

  • To protect your clients' data. Every time you sign a form with a client, you agree that your company will exercise all due diligence to keep their data safe. Sensitive health data must not be shared with third parties; if it is, that is a breach of the agreement. The BAA form signed by the vendor helps ensure that client data stays safe.
  • To protect your business. Your business can lose its reputation if clients realize you are not taking precautions to protect their data. The result can be a loss of clients, after which your business will struggle to survive. An individual client can also take legal action against your business, and you could suffer penalties.
  • To comply with HIPAA guidelines. Under the HIPAA guidelines, companies must sign the HIPAA business associate agreement with their vendors before allowing them to access sensitive data. The vendors must accept liability if they breach the business associate contract. The form helps protect your business if the vendor breaches the rules.
  • To avoid hefty penalties. HIPAA compliance is checked routinely. If your business is found not to be following the guidelines, the Department of Health and Human Services Office for Civil Rights may impose hefty penalties on your business.
  • To avoid a corrective action plan. The Office for Civil Rights can impose a Corrective Action Plan on your company. You will be required to provide routine reports to OCR, and it will follow up for several years. The total cost can have a significant effect on your company.

How to create a BAA?

The following information is required when creating a BAA.

  • Date. This is the day the BAA form was created and signed. The creation date is typed at the top, and the signing date at the bottom. Undated BAA forms are not legally binding, so inserting the dates is as important as signing the form.
  • Names. These are the names of the entities involved in the agreement. Include the full legal names of the parties, exactly as they appear in their identification documents. You must include your own name and the name of the vendor.
  • Acceptance. A business associate contract is usually negotiated between the parties involved. Because the document is agreed upon, it must contain an acceptance clause indicating that both parties agree to be bound by the terms of the BAA form.
  • The agreement. The agreement sets out the expectations, responsibilities, and liabilities of each party. It contains the following details:
      • Acknowledgment: Both parties must agree that their relationship is bound by the HIPAA guidelines. They acknowledge the existence of the guidelines and accept the liabilities resulting from breaches.
      • The nature of the PHI accessible: This clause explains the nature of the PHI that the third party will have access to.
      • What is allowed and what is disallowed: In line with the HIPAA guidelines and existing legislation, define what is permissible and what is impermissible as far as PHI is concerned.
      • Consequences and liabilities: Under federal law, HHS and OCR have the right to audit companies from time to time. During an audit, they confirm whether a company complies with the HIPAA guidelines. If the vendor or your company breaches these guidelines, there can be serious consequences.
      • Protocols: Under the HIPAA guidelines, a business must have in place administrative protocols and data confidentiality and security protocols that ensure PHI is safe.
      • Language: The BAA form should use language that both parties can understand. It must give detailed information about the liabilities each party will suffer for a breach of the contract.
      • Employee HIPAA training protocols: There should be a defined method for training employees so that they are aware of the guidelines. Responsibility for safeguarding PHI should not rest on the business owner alone; it should be shared by the employer and employees, including the team working with the vendor.
      • Procedures to follow if one party breaches the contract: If one party breaches the contract, there should be agreed procedures to follow, some of which may be mitigation procedures.
      • Procedures for restoring or destroying PHI: If data is lost while the vendor is providing services, there should be agreed procedures for restoring it. Sometimes the authorities may require the breached data to be destroyed, so there should also be procedures for destroying it.
      • Signatures: The BAA form is not legally binding unless it is signed. Both parties must sign at the bottom of the form and indicate the date of signing. The form becomes legally binding the moment it is signed.

Some entities may prefer to sign the form before an attorney, which is fine. If any disagreements arise while the services are being provided, the signed BAA can be used in court to prove that the two parties were in a business relationship.

It is important to keep referring to the HIPAA guidelines to ensure no detail is left out when preparing the agreement. The guidelines require some of their clauses to be reflected in the agreement.

BAA Agreements

Important clauses that must be included in a HIPAA business associate agreement

Both the client and the vendor have full responsibility for protecting the PHI. If the vendor breaches the rules, HIPAA may not step in to arbitrate or assist with legal action. The signed BAA sets out the procedures that both parties must follow. The BAA form should include the following:

  • What PHI the vendor will be allowed to access
  • The relevant measures the vendor must implement to ensure the PHI is safeguarded
  • A clause stating that the vendor will not disclose any PHI unless authorized by the client
  • A clause stating how the client's employees and the vendor's team will be trained on the HIPAA guidelines
  • The guiding procedures to be followed when one party breaches the PHI rules
  • If the vendor will need to subcontract, details on how this will be done
  • Details on how the contract will be terminated if the parties are dissatisfied with each other, including any penalties that may be incurred before termination
  • Details on how breached data shall be restored or destroyed