Why Must Covered Entities Have a Business Associate Agreement?
Both the HIPAA Privacy Rule and the HIPAA Security Rule require a HIPAA covered entity to enter into a business associate agreement with each of its business associates. A “business associate” is a person or entity, other than a member of the covered entity's workforce, that performs functions or activities on behalf of, or provides certain services to, a covered entity where those functions or services involve access to protected health information (PHI). Failure to have a business associate agreement in place can subject a covered entity to Office for Civil Rights (OCR) investigations, audits and fines.
A Business Associate Agreement Protects PHI and ePHI
There are reasons why covered entities must have a business associate agreement with each business associate that go beyond “the law requires it.” A business associate agreement gives the covered entity a clear record of whom it is transmitting PHI to, and it obtains written assurances that PHI and ePHI (electronic protected health information, that is, PHI that is created, received, maintained or transmitted in electronic form) will be protected.
HIPAA requires business associate agreements to, among other things:
- Describe the permitted and required uses and disclosures of PHI by the business associate;
- Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law;
- Require the business associate to use appropriate safeguards to prevent any use or disclosure of PHI other than as provided for by the contract.
If these elements are not embodied in a written contract, the security of PHI and ePHI is put at risk. Without a contract (a legally enforceable agreement), these required elements may never have been addressed, even verbally, by the covered entity and the third party to which it assigned business associate functions.
Even if a verbal agreement was reached, the parties may not, in the days, months and years that follow, share the same recollection of what that agreement consisted of. Disagreements can arise over something as simple as whether the “business associate” agreed to act as an independent contractor of the covered entity rather than as its agent.
Most importantly, in the absence of a written agreement, disputes inevitably arise as to which security measures the covered entity “assigned” to the third party. OCR will be unable to determine whether the covered entity specifically tasked the “business associate” with implementing and using appropriate safeguards to prevent impermissible use or disclosure of PHI or ePHI. The “business associate” may also have impermissibly disclosed ePHI to another party, mistakenly assuming it had the right to do so.
If OCR cannot determine what responsibilities the business associate agreed, by contract, to assume, it may conclude that the covered entity retained responsibility for meeting those obligations itself, and it may fine the covered entity both for failing to obtain the required written assurances and for any resulting failure to comply with the HIPAA Privacy Rule and HIPAA Security Rule standards.