The Archive

Business Associate Agreements – Don’t do business without them.


The Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) created the HIPAA Privacy Rule on December 20, 2000. The version governing HIPAA Privacy Rules today, called the Final Omnibus Rule, was adopted on March 26th, 2013. By law, the HIPAA Privacy Rule applies only to covered entities, such as health plans, healthcare clearinghouses, and certain healthcare providers. Most covered entities do not perform all their healthcare-related functions themselves. Instead, they rely on Business Associates to assist them with these additional functions.


The HIPAA Privacy Rule allows covered providers and health plans to disclose protected health information (PHI) to their “Business Associates”  if — and only if — the covered entities obtain satisfactory assurances that the Business Associate will use the information only for the purposes for which it was engaged by the Covered Entity, will safeguard the information from misuse, and will help the Covered Entity comply with some of the Covered Entity’s duties under the Privacy Rule. Covered Entities may disclose PHI to a Business Associate only to help the Covered Entity carry out its healthcare-related functions.


Before disclosing PHI to a Business Associate, a Covered Entity must sign a HIPAA Business Associate Agreement (also known as a HIPAA Business Associate Contract). The agreement should specify what PHI is being disclosed to the Business Associate and the permissible uses and disclosures of PHI by the Business Associate. Since the passage of the Omnibus Rule, subcontractors used by Business Associates are also required to comply with HIPAA. Therefore, if a Business Associate subcontracts a function, activity, or service to a subcontractor, an additional HIPAA Business Associate Agreement must be in place with that subcontractor. The Omnibus Rule extends the following requirements and liabilities to Business Associates:


  1. Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
  2. Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes and prohibit the sale of protected health information without individual authorization.
  3. Require modifications to, and redistribution of, a Covered Entity’s notice of privacy practices.
  4. Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  5. Adopt the additional HITECH Act enhancements to the Enforcement Rule such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.


The Omnibus Rule also applies much greater detail to the definition of a Business Associate and their incumbent responsibilities and liabilities, such as:


  • The Rule adopts as Business Associates those identified as Health Information Exchange Organization, Regional Health Information Organization, E prescribing Gateway, or each vendor that contracts with a Covered Entity to allow that Covered Entity to offer a personal health record to patients as part of its electronic health record
  • The “conduit exception” still applies but is limited to an organization that merely transmits Protected Health Information (e.g. an Internet Service Provider) as opposed to those that “maintain and store it.” The former is NOT a Business Associate but the latter is.
  • A subcontractor(s) who “creates, receives, maintains, or transmits Protected Health Information on behalf of a Business Associate, is a HIPAA Business Associate” and therefore “on the hook” for compliance with applicable rules (e.g. in general: Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc.)
  • Covered Entities are required to obtain “satisfactory assurances” (i.e. that their Protected Health Information will be protected as required by the rules) from their Business Associates, and Business Associates are required to get the same from their sub-contractors (now also Business Associates).


Bottom Line: If you are a Covered Entity OR a Business Associate of a Covered Entity and you are subcontracting any or all of your functions that require access to, or use of, PHI, you are required to have a Business Associate Agreement in place with the Covered Entity or Business Associate to whom you’ve given access to that PHI. Having the required Business Associate Agreements in place is an HHS auditable point. Not having the proper Business Associate Agreements in place is an extreme liability in case of a reportable data breach and can lead to convictions and enhanced enforcement and fines.