Healthcare’s growth into a modern, data-backed industry has pushed privacy and security protections into high gear. In 2021, 88% of hospitals exchanged data via Electronic Health Record Systems (EHRs).
In this increasingly interoperable ecosystem, patient data is accessed across different states, Health Information Exchanges (HIEs), IT systems, providers, pharmacies, and other stakeholders. So while data is at its most impactful for care continuity, confidential and Protected Health Information (PHI) is also at its most vulnerable.
Efforts like The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are working to secure interconnected data structures across health organizations. This rule mandates Business Associate Agreements (BAAs) for every individual or organization handling and exchanging patient information. The agreement ensures that collaborators maintain patient information responsibly, and with proper security measures.
We’ll be examining BAAs and their importance for securing the healthcare landscape. This guide will dig into the organizations qualified to enter these agreements, and how a health organization may execute this contract with a Business Associate.
BAAs establish a game plan for individuals or entities accessing, using, or disclosing PHI. The agreement is between HIPAA’s covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates (BAs), plus subcontractors like Metriport, where our Medical API helps providers and other associates access and retrieve medical data for their patients.
According to the Department of Health and Human Services (HHS), a BA is:
“A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”
This means an organization that handles health data on behalf of a covered entity must first enter into a BAA.
BAs include individuals or organizations contracted for activities like data analysis, claims processing or administration, utilization review, and quality assurance review. An organization offering legal, actuarial, accounting, data aggregation, or financial services will also sign a BAA to guarantee that patient information is protected. That said, in some circumstances a covered entity may disclose PHI to a BA without executing a legal agreement; whether this is allowed usually depends on factors like the service provided or the context in which the health information is shared.
BAAs assure covered entities that a third party is trustworthy, and will show the utmost care when handling or creating data. But in some events, this agreement isn’t necessary, and information exchange can happen without a contract in place.
To clarify when an organization falls under this exception, the HHS shares a few cases where BAAs are not needed before disclosing health information:
When an organization falls within these limits, it’s in the clear to manage patient data without any agreement. However, this is on the condition that patient safety remains the focus, and any information exchanged is to promote care delivery by a provider.
Business Associate Agreements are at the heart of HIPAA compliance in health organizations. These contracts set out each party’s responsibilities and obligations, plus the permitted uses of PHI.
Like most legal agreements, a BAA is executed under terms that are written and agreed to by the parties involved. When executing a BAA, the following must be present in the legal agreement:
A BAA will have the common particulars of a contract to be legally enforceable, such as the date and names of the Covered Entity, BA, or another subcontractor.
Healthcare organizations can determine how vendors use or share PHI by making special provisions in a BAA. In the agreement, organizations can list what will be considered permissible or prohibited use of valuable health information.
For instance, cloud service providers may be permitted to maintain PHI, but have no authorization to use or disclose these records. Likewise, vendors may be expressly barred from selling patient information, or using it for marketing purposes, without obtaining the required consents. Under the agreement, a vendor may also be prevented from sharing PHI for personal reasons or with unauthorized entities.
With healthcare the most targeted industry for cyberthreats (79% of reported data breaches are healthcare-related), organizations handling PHI must put appropriate safety measures in place.
These measures must be listed in the BAA, with procedures in place for managing unwanted access to valuable information by third parties.
It’s in the best interest of any Business Associate to comply with the privacy and safety requirements under HIPAA. BAs that wrongfully expose PHI can be held liable, along with covered entities.
According to the HHS, BAs are directly liable where they violate HIPAA in the following ways:
The Business Associate Agreement should also contain provisions that define how health information should be returned or destroyed by the covered entity or Business Associate.
BAAs are solidifying data-exchange structures in healthcare, helping to raise patient trust in care delivery systems.
As stakeholders in data access and transfer, covered entities and BAs have a duty of care to handle patient information to the highest standards, in line with the applicable regulations.