Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document?

Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use the next few weeks to make sure your BAA complies with the law and reflects your business deal.


HHS published a bare bones sample BAA when the Omnibus Rule came out, and a number of posts to this blog provide tips that can be used in reviewing and updating your BAA.

But don’t forget that a good BAA supports and is supported by the underlying services contract between the parties; that contract should be the meat on the bones of the BAA and the brain behind it. A perfectly HIPAA-compliant BAA will crumble into dust if it’s not written to reflect and support the services contract and underlying business deal. Here are two key questions to ask to make sure the business deal and BAA are working in sync:

Question 1: Who are the parties to the BAA?

  • What are the roles of the parties under HIPAA? Check definitions and what is being performed by one party “on behalf of” the other.
  • If the business associate is really a subcontractor (because the covered entity is really a business associate or subcontractor itself), does the BAA (or subcontractor agreement (SA)) recognize and describe the privacy and security obligations imposed by the BAA above it? Has that business associate or subcontractor actually reviewed the BAA or SA above it?
  • If both parties are covered entities, does the BAA clearly describe when the business associate is acting as such, and not as its own covered entity?
  • Will the covered entity ever act as a business associate in relation to the other party?

Question 2: What is the business reason for or purpose of the use and/or disclosure of protected health information (PHI)?

  • What is the reason PHI is being created, received, maintained or transmitted on behalf of the covered entity, business associate or subcontractor?
  • Do the parties have reciprocal obligations to abide by privacy and security standards, such as minimum necessary standards?
  • Will the business associate (or subcontractor) have any claim to own, de-identify, aggregate, modify or keep data derived from the PHI that is the subject of the BAA (for example, will the business associate’s activities with respect to the PHI under the BAA produce other data or data sets not subject to or contemplated by the services contract)?

The bottom line? Before the summer fades (and certainly before September 22nd), make sure your BAA meets the Omnibus Rule requirements, but also make sure it reflects and supports your business deal. The bare bones BAA may not be what you want or need.

Where did the time go?  Today’s the day – September 23, 2013.  This is compliance day for most of the Omnibus Rule changes.  I had a feeling this deadline would catch up with me faster than I would be able to blog my 10 tips, so I’m going to count “TIP TWO” as tips TWO through SEVEN so as to make my own deadline.  I will post TIP TEN before midnight tonight…

Here are TIPS FOUR and FIVE (aka EIGHT and NINE) —


Business Associates:  before you sign that Business Associate Agreement (BAA), make sure you ARE one! 

As noted in TIP THREE, entities that create, receive, maintain, or transmit protected health information (PHI) on behalf of another entity are likely to be Business Associates.  However, it’s worth taking the time to analyze whether you really are a Business Associate subject to HIPAA before contractually obligating yourself to act like one.  By entering into a BAA, not only are you agreeing to take on BA duties and responsibilities, but you may be admitting that you are, in fact, a BA, making it more difficult to establish to the putative Covered Entity or to a court or regulatory authority that you’re not. 

To determine if you are a Business Associate, first ask yourself if you are creating, receiving, maintaining, or transmitting PHI on behalf of the Covered Entity.  If you are doing any of these things on your own behalf and you are a health care provider, health plan, or clearinghouse, you may be a Covered Entity with respect to the PHI at issue.  Alternatively, HIPAA may not even apply (for example, if you’re a provider who doesn’t transmit PHI in electronic form in connection with a HIPAA-covered transaction). 

It’s important that you know your role prior to signing the BAA so that you aren’t bound by contract to take on the BA role, but also so that you fully understand the implications of a breach.  If a breach occurs while the PHI is under your watch (directly, as a result of actions or inactions of workforce members, agents, etc., or indirectly, as a result of actions or inactions of subcontractors, for example) and you are actually the Covered Entity, notifications to HHS and to affected individuals will be your responsibility, as will the determination of whether a reportable breach occurred.  A BAA under which you are purportedly the BA will not protect you from these obligations, but it will certainly muddy the waters and complicate your obligations with respect to the putative Covered Entity.


Check to see if your contractors are actually acting as your agents.

The Omnibus Rule makes it clear that if your “Business Associate” (or “Subcontractor”) is actually your agent, the time frames for notification set forth in your BAA (or Subcontractor Agreement) will not shield you.  The day on which the contracted party knew or should have known, by the exercise of reasonable diligence, of a breach will be imputed to you as the date of discovery, and your failure to notify HHS, the media, and/or affected individuals within the HIPAA-required timeframes (measured from that imputed date, not from the date your contractor finally told you) could result in significant penalties. 

The preamble to the Omnibus Rule explains that HHS will look to the federal common law of agency in determining whether an agency relationship exists, and language in a BAA stating that the BA is an “independent contractor” is irrelevant:  “Rather, the manner and method in which a covered entity actually controls the service provided decides the analysis.”  HHS uses this example of BAA language that shows that the BA is actually an agent of the Covered Entity:  the Business Associate “must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of” the Covered Entity.   The clear message: if you exercise authority and control over the contractor during the course of its provision of contracted services, the contractor may be your agent and you won’t be able to point to a BAA’s notice requirements to say you didn’t know and couldn’t reasonably have known of an unreported breach.

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP THREE” —


Covered Entities and Business Associates:  make sure you know where your Protected Health Information (PHI) sits, and make sure you have a Business Associate Agreement (BAA) with whoever houses it. 

Does your vendor create, receive, maintain, or transmit protected health information (PHI) on your behalf?  If so, it’s very likely they are a Business Associate even if they aren’t expected to actually access the PHI.  The Omnibus Rule added language to the definition of Business Associate to make it clear that it includes a person who, on behalf of a Covered Entity, provides “data transmission services with respect to a covered entity and that requires access on a routine basis” to the PHI. 

In the preamble to the Omnibus Rule, HHS describes what it means for a data transmission service to have “access on a routine basis” to PHI and distinguishes such a vendor from a “mere conduit” (which is not a Business Associate).  HHS says that the determination of whether the vendor is a “mere conduit” is “fact specific” and meant to apply narrowly to services like the U.S. Postal Service or United Parcel Service and their “electronic equivalents, such as internet service providers… .”  HHS explains that a “mere conduit” does not access PHI “other than on a random or infrequent basis as necessary to provide the transportation service or as required by law.”  On the other hand, an entity that maintains PHI on behalf of the Covered Entity is a Business Associate and not a conduit, “even if the entity does not actually view” the PHI. 

My tip?  If you are a Covered Entity or Business Associate and use a vendor to store electronic or hard copy health information on your behalf in the cloud, on a server, or anywhere else, make sure you have a BAA or Subcontractor Agreement, respectively, in place even if you don’t expect the vendor to access the PHI on a “routine basis.”

Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog.  It is reproduced below:

Lost in the Shuffle: The September 23 HIPAA Notice Requirements

By Keith R. McMurdy on September 6, 2013. Posted in Plan Administration, Welfare Plans

With all of the attention being paid to compliance with health care reform and the October 1, 2013 exchange notices to employees, the September 23, 2013 HIPAA compliance deadline may have been lost in the shuffle. Employers should recall that earlier this year, HHS issued its final security and privacy regulations that made some real changes to the breach notification rules and the business associate rules, and employers should make sure that these changes have been implemented to avoid penalties.

With respect to the privacy rules, a revised Notice of Privacy Practices should be issued to incorporate the new rules related to breaches in the security of protected health information (PHI). Changes that should be included are the notification provisions if a breach occurs and also a specific statement that genetic information will not be used.

With respect to the Business Associates Agreements, plan sponsors have to make a determination as to whether service providers are now business associates under the new rules, which broaden the definition. Further, they have to make sure that their current business associates (and any new business associates) are themselves HIPAA compliant. It is also a good idea for sponsors to update privacy and practices statements to include the new breach rules and also undertake to train plan employees about the new privacy restrictions.

So when considering how to distribute your October 1 exchange notices, take a look at your HIPAA privacy notices as well and make sure they are properly updated and distributed as well. If you have questions about the specifics of the HIPAA requirements, don’t hesitate to get the details from your benefits professionals or your attorneys at Fox Rothschild.