How to write HIPAA-compliant business associate agreements

Healthcare providers who work with outside business associates are required to have updated business associate agreements (BAAs) under the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. A separate agreement is required for each entity that has any access to protected health information (PHI). When establishing BAAs, small practices should address the following issues in addition to the standard areas of compliance.

HIPAA Omnibus Rule
The final HIPAA ruling made a number of significant changes to the guidelines for BAAs. When writing or updating agreements with third-party contractors, practices should closely review the Omnibus Rule requirements. According to the Association of Corporate Counsel, some essential changes include an updated definition of PHI, the use of PHI in marketing, the necessary forms when PHI is requested, reporting obligations and compliance with the HIPAA Security Rule. Practices should also review any changes in state security and privacy laws before updating their BAAs.

Training and education
Business associates who handle PHI are required under HIPAA to educate and train their staff on privacy and security standards. According to the American Health Information Management Association, a BAA can request confirmation that the associate has completed this training. The healthcare provider can also request that employees of the business associate complete training at the hospital or practice.

Addressing subcontractors
Although business associates are responsible for the security practices of their subcontractors, healthcare practices need to ensure that the chain of responsibility is documented. A BAA should address what measures the associate must take with subcontractors who handle PHI. According to HealthITSecurity, each BAA in the chain must be as specific as the one above it regarding the use and handling of health and personal information. The same rules apply to any third-party companies that work with contractors.

Definition of low-risk breaches
Under HIPAA, healthcare providers and their subcontractors are required to report any data or information breaches to the U.S. Department of Health and Human Services within a set time period. Covered entities should address the proper protocol for handling all types of security breaches in their BAAs. There are a few circumstances in which violations are exempt from notification requirements because there is a low probability that the PHI was compromised, and these should be addressed in the agreement as well.


Kevin McCarthy

Industry News Editor

An avid traveler and news junkie, Kevin covers a range of topics from healthcare technology to policy and regulations. As a former journalism student, he enjoys finding stories relevant to small practices and is passionate about keeping them informed. Before joining NueMD, Kevin worked for Turner Broadcasting as a Programming Intern where he conducted legal research and contributed to editorial content development. He received his bachelor's degree in Communication from Kennesaw State University and currently serves as the Industry News Editor at NueMD.
