The business associate agreement (BAA) is a contract that stipulates the types of protected health information (PHI) that will be provided to the business associate (BA), the allowable uses and disclosures of that PHI, the safeguards that must be implemented to protect it (e.g., encryption at rest and in transit), and the actions the BA must take in the event of a security breach that exposes PHI.
The contract should stipulate that the BA (and any subcontractor it engages) must implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and must meet the requirements of the HIPAA Security Rule. Specific safeguards may be spelled out in the BAA, or their selection may be left to the discretion of the BA. The BAA should also set out the allowable uses and disclosures of PHI so that the BA's handling of the data meets the requirements of the HIPAA Privacy Rule. If PHI is accessed by individuals who are not authorized to view it, whether through an internal breach or an external cyberattack, the business associate is required to notify the covered entity of the breach (under the Breach Notification Rule, without unreasonable delay and no later than 60 days after discovery), and may also be required to notify the individuals whose PHI has been compromised if the covered entity delegates that duty to it. The timescale for notification and the division of responsibilities between the covered entity and the BA should be detailed in the agreement.
A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both the Department of Health and Human Services’ Office for Civil Rights and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.
Unlike most contracts, a HIPAA business associate agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant before entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.