HIPAA Business Associate Agreements: Don’t Treat Them as Boilerplate


Since its enactment, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] has grown into a formidable and, for many, daunting tool to address the federal government’s goal of protecting the privacy of health information while encouraging electronic interchange of health records to improve the quality and efficiency of health care delivery.[2]

Changes to HIPAA in recent years have substantially expanded its application beyond the originally defined “covered entities,”[3] to include “business associates,” i.e., contractors who provide services to covered entities that require access to or exchange of health information.

Once major 2009 amendments to HIPAA known as the HITECH Act[4] became effective in 2010, business associates along with covered entities became subject to investigation and enforcement action by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for possible HIPAA violations.

As defined in HIPAA, a business associate is any person (in its broadest sense, to include companies) who “creates, receives, maintains, or transmits protected health information for a function or activity” performed on behalf of the covered entity.[5] Examples of business associate activities include, as might be expected, claims processing, utilization review, quality assurance, billing, benefit management and practice management.

But under HIPAA, business associate activities extend as well to legal, accounting and consulting services that will require the contractor to have access to health information.[6]

Thus, a health care provider’s malpractice or business counsel fits within the definition of “business associate,” as do many entities that might not generate or process health information in their core business, such as gateways for transmission of electronic health information,[7] document storage and destruction services and software installation and service.

Given this broad definition, it becomes apparent that any single covered entity, such as a hospital or medical practice, likely will have dozens, even hundreds, of business associates, and HIPAA requires the covered entity to have a written agreement, known as a “business associate agreement” (BAA), with each and every one of them.[8]

Indeed, lack of a BAA with someone with whom health information is shared is a HIPAA violation in and of itself.[9]

Furthermore, subcontractors to business associates are considered business associates themselves, so the prime contractor business associate must have a HIPAA-compliant BAA in place with each subcontractor who will receive and use or disclose health information to perform their services.[10]

Thus, the need for a BAA must be considered for every business relationship in which information from medical records may be accessed by someone who is not involved in the patient’s treatment and who is not part of the health care provider’s workforce. Since the BAA is usually a separate document and ancillary to the business relationship, it is easy to lose sight of it when negotiating key business terms.

Yet the primary agreement’s own terms may not adequately cover the subject matter that HIPAA requires, nor adequately reflect the parties’ intentions in allocating the risks and costs of HIPAA compliance and responding to a possible violation. Nor is it sufficient just to state generally that each party will comply with HIPAA.

The HIPAA Privacy Rule[11] sets out the mandatory and optional clauses to be contained in each BAA. The BAA must first specify the permitted and required uses and disclosures of health information in the business associate’s possession. This can be accomplished by cross reference to the underlying transactional agreement.

In addition, the business associate must agree to do all of the following:[12]

  • Not use or further disclose the information other than as permitted by the BAA.
  • Use appropriate safeguards and comply with the HIPAA Security Rule[13] in order to prevent disclosure of the information other than as provided by the BAA.
  • Report to the covered entity any breaches of unsecured health information or other use or disclosure not provided for by the BAA.
  • Ensure that its subcontractors agree to the same restrictions and conditions that apply to the business associate under the BAA.
  • Make health information in its possession available for delivery to the patient or for amendments agreed to by the covered entity.
  • Maintain and make available information about the business associate’s disclosures of the information outside of its own workforce.
  • Agree to comply with any Privacy Rule requirements governing functions the business associate performs in the covered entity’s place, such as dealing directly with patients in administrative matters.
  • Make its internal practices, books and records relating to its use and disclosure of health information available for inspection by HHS.
  • At the termination of the underlying business contract, return or destroy all of the covered entity’s health information in its possession, except where it cannot feasibly do so.

Finally, the BAA must explicitly allow the covered entity to terminate the contract under which the business associate receives health information, if the covered entity determines that the business associate has violated a material term of the BAA.[14]

Obviously, a general covenant for HIPAA compliance will not contain the required specificity. In addition, business associates should not broadly assume responsibility for HIPAA compliance without understanding the obligations and risks involved.

Together, the Privacy Rule and the Security Rule dictate who may receive health information without the patient’s written authorization, and for what specific purposes, and what steps the covered entity or business associate must take to protect the information from loss and improper disclosure.[15]

To comply with the Privacy Rule and the Security Rule, simple common sense measures to avoid the release of health information to unauthorized persons are not enough. Rather, covered entities and business associates must prepare and implement detailed policies and procedures and workforce training to maintain the integrity and security of health information in their possession.

Therefore, the BAA should allocate between the parties responsibility for avoiding unauthorized disclosures of health information and for mitigating the effects of unauthorized disclosures when they do occur.

In terms of risk allocation, the stakes have increased greatly with the promulgation of the Breach Notification Rule,[16] which mandates notification to individual patients when loss or improper disclosure of their information has occurred, as well as public notice and reporting to OCR if the breach involves the records of 500 or more patients.[17] In addition to mandating public reporting, the HITECH Act substantially increased the penalties for HIPAA violations.[18]

Given the sheer number of business associate relationships existing in the health care industry and the associated volume of BAAs required, OCR has posted a “model” form of BAA on its website[19] in the hopes of easing the administrative burden of getting them all prepared and executed.[20]

Business attorneys representing covered entities or business associates will, however, find the government’s model form frustratingly silent on important provisions such as indemnification, cure periods for breach, cooperation in investigations, remedies and the amount of direction a covered entity may exercise over the business associate’s HIPAA compliance activities.

Furthermore, a covered entity can be held liable for a HIPAA violation resulting from acts or omissions of a business associate found to be the covered entity’s agent under the federal common law of agency,[21] forcing the parties to consider whether their business relationship might create an agency where none is intended. Thus, a conscientious attorney cannot avoid identifying critical terms to negotiate in the BAA, separate and apart from the business relationship that makes the BAA necessary in the first place.

Therefore, agreements dealing with HIPAA compliance should not be treated as mere boilerplate. The unfortunate result may be that an exchange of health information critical to an important business activity of the covered entity hangs in the balance while the parties wrestle with important BAA issues.

In order to help clients avoid undue delays for last-minute BAA negotiations, counsel would do well to familiarize themselves with HIPAA rules regarding the BAA and take into account the expense of HIPAA compliance and the exposure of each party in the context of the specific business associate activities to be performed.


Rebecca J. Kurland has advised providers and companies in the health care industry on business and transactional matters for 25 years, structuring transactions and internal processes to comply with state and federal laws such as HIPAA, anti-kickback and physician self-referral. Inquiries may be directed to rjk@kurlandlaw.com.


[1] PL 104-191, 110 Stat. 1936 (1996), codified at 42 USC § 1320d et seq.

[2] Recommendations with Respect to Privacy of Certain Health Information, 42 USC § 1320d-2 note. “A major goal of the [HIPAA] Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.” http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.

[3] Health care providers, health plans and the health care clearinghouses who process electronic payment claims. 45 CFR § 160.103.

[4] Health Information Technology for Economic and Clinical Health (HITECH) Act, Subtitle D of title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009, PL 111–5 (February 17, 2009).

[5] 45 CFR § 160.103 (definition of business associate).

[6] Id., subsection (1)(ii).

[7] Id., subsection (3)(i).

[8] 45 CFR § 164.502(e)(2).

[9] E.g., Pharmacy Chain Enters into Business Associate Agreement with Law Firm, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html#case20. (Even though OCR found that no improper disclosure of patient information had occurred, “the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that [protected health information (PHI)] is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm.”).

[10] 45 CFR § 164.502(e)(2).

[11] Privacy of Individually Identifiable Health Information, 45 CFR Part 164 Subpart E.

[12] 45 CFR § 164.504(e)(2).

[13] Security Standards for the Protection of Electronic Protected Health Information, 45 CFR Part 164 Subpart C.

[14] 45 CFR § 164.504(e)(2)(iii).

[15] California has long had its own law protecting health information, the Confidentiality of Medical Information Act, Civil Code §§ 56 – 56.37, which is not preempted by HIPAA because its requirements are as protective or more protective of individuals’ rights and access to their information. See 42 USC § 1320d-2 note.

[16] Notification in the Case of Breach of Unsecured Protected Health Information, 45 CFR Part 164 Subpart D.

[17] 45 CFR §§ 164.406-408. In 2013, 199 breaches of patient information reported to OCR affected over 7 million patient records. Redspin, Breach Report 2013: Protected Health Information (February 2014).

[18] OCR investigates reported breaches and lists significant penalties and resolution agreements on its website, www.hhs.gov/ocr/privacy/hipaa/enforcement/examples. In 2013, reported penalties ranged from $50,000 for a breach involving fewer than 500 patient records to $1.7 million for improper exposure of over 600,000 patient records. Id.

[19] http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

[20] In its comments to final regulations covering BAAs, OCR optimistically estimated that each BAA “will require, at most, one hour of a lawyer’s time …” 78 Fed. Reg. 5678 (Jan. 25, 2013). In the writer’s experience, this estimate is unrealistically low.

[21] 45 CFR § 160.402(c).
