Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document?

Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use the next few weeks to make sure your BAA complies with the law and reflects your business deal.

skeleton
Copyright: clairev / 123RF Stock Photo

HHS published a bare bones sample BAA when the Omnibus Rule came out, and a number of posts to this blog provide tips that can be used in reviewing and updating your BAA.

But don’t forget that a good BAA supports and is supported by the underlying services contract between the parties, and should be the meat on the bones of the BAA and the brain behind it. A perfectly HIPAA-compliant BAA will crumble into dust if it’s not written to reflect and support the services contract and underlying business deal. Here are two key questions to ask to make sure the business deal and BAA are working in synch:

Question 1: Who are the parties to the BAA?

  • What are the roles of the parties under HIPAA? Check definitions and what is being performed by one party “on behalf of” the other.
  • If the business associate is really a subcontractor (because the covered entity is really a business associate or subcontractor itself), does the BAA (or subcontractor agreement (SA)) recognize and describe the privacy and security obligations imposed by the BAA above it? Has such BAA or subcontractor actually reviewed the BAA or SA above it?
  • If both parties are covered entities, does the BAA clearly describe when the business associate is acting as such, and not as its own covered entity?
  • Will the covered entity ever act as a business associate in relation to the other party?

Question 2: What is the business reason for or purpose of the use and/or disclosure of protected health information (PHI)?

  • What is the reason PHI is being created, received, maintained or transmitted on behalf of the covered entity, business associate or subcontractor?
  • Do the parties have reciprocal obligations to abide by privacy and security standards, such as minimum necessary standards?
  • Will the business associate (or subcontractor) have any claim to own, de-identify, aggregate, modify or keep data derived from the PHI that is the subject of the BAA (for example, will the business associate’s activities with respect to the PHI under the BAA produce other data or data sets not subject to or contemplated by the services contract)?

The bottom line? Before the summer fades (and certainly before September 22nd), make sure your BAA meets the Omnibus Rule requirements, but also make sure it reflects and supports your business deal. The bare bones BAA may not be what you want or need.