Have you been asked to sign a HIPAA “Business Associate” agreement? Here’s what you need to know…

Jul 22, 2014

If you are embarking on, or even merely contemplating, a collaboration with a health care provider, a health insurance company, or a governmental agency, that involves access to individual medical or health information, you may be asked to sign a “Business Associate Agreement” (also called a “BAA”).  What is this agreement, and what does it mean for you and your project?

Business Associate Agreements are required by a set of federal regulations known as HIPAA.  “HIPAA” stands for the Health Insurance Portability and Accountability Act.  This act, passed by Congress in 1996 and amended by the HITECH Act (Health Information Technology for Economic and Clinical Health Act) of 2009, with those amendments implemented through the HIPAA Omnibus Final Rule in 2013, is an expansive set of rules that, among other things, establishes standards to protect the privacy and security of individual medical and health information.  A health care provider, a health plan, or a health care clearinghouse may be a “Covered Entity” under HIPAA, meaning that it must comply with the HIPAA regulations for privacy and security of individually identifiable health information (“protected health information,” or “PHI”).  A “Business Associate” is a person or entity that creates, receives, maintains or transmits protected health information on behalf of the Covered Entity (e.g., for quality assurance or data analysis), or that provides a service to the Covered Entity that involves the disclosure of protected health information (e.g., consulting).

HIPAA requires that a Covered Entity have a written agreement with each Business Associate, to obtain “satisfactory assurance” that the Business Associate will “appropriately safeguard” any protected health information that is part of the arrangement.  [Note that, under the revisions enacted by the HITECH Act, the HIPAA privacy and security requirements, as well as the civil and criminal penalties for violations, now apply directly to Business Associates, even if no Business Associate Agreement is in place.]  The “Business Associate Agreement” (“BAA”) may be a stand-alone document, may be an exhibit or addendum to a project or service agreement, or may be embedded within the core terms of the agreement.  A BAA formalizes the terms and obligations between the Covered Entity and the Business Associate relative to the handling of protected health information; it should be project-specific and limited to the information covered under the HIPAA regulations.  The requirements in a BAA will typically include: the process and timeline for notifying the Covered Entity of a data breach or security incident; the permitted uses and disclosures of protected health information; the safeguards the Business Associate must apply to secure the information, and its obligations to support individuals’ rights of access to it; flow-down of the BAA terms to any subcontractors that handle the information; and other standard contractual terms, such as termination (including return or destruction of the information at the end of the engagement) and amendment requirements.

Because the stakes are high in handling such sensitive information, any Business Associate Agreement should be reviewed by the UNH HIPAA Privacy Officer (contact information below) before it is signed.  UNH’s ability to comply with specific security requirements, or to accept certain contractual obligations, must be addressed on a project-by-project basis and will depend on a variety of factors, such as the form of the information and the nature of the project or services you will be providing.  UNH is regarded as an excellent partner for collaboration with businesses, non-profits and government agencies, and our commitment to compliance is a key to that reputation.

Contact UNH’s HIPAA Privacy Officer:  Melissa McGee, Compliance Officer, UNH Research Integrity Services.

UNH’s “HIPAA FAQs” are here.
