Business Associate Agreement Matters


Entities covered by the Health Insurance Portability and Accountability Act (HIPAA), such as healthcare providers, health plans, health clearinghouses, and legal offices that handle medical-related cases, are required to adhere to the HIPAA Privacy Rule.

As cyber threats and patient privacy concerns evolve, detailed contracts with business partners have become vital to compliance and security, yet both small and large businesses frequently overlook them.


What is a Business Associate?


A “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.


Who is required to establish a Business Associate Agreement?


The HIPAA Privacy Rule requires individuals and organizations, such as consultants who perform hospital utilization assessments or attorneys who provide legal counsel to their clients, to establish a Business Associate Agreement (BAA) with their partners and vendors that meets specific requirements with respect to the use and disclosure of PHI.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, business associates are directly liable for:

Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.


Why is BAA very important when handling Protected Health Information?


Organizations are held accountable for any data breaches resulting from a vendor's conduct if they have not signed a BAA with that vendor. Once a vendor agrees to the BAA, it is responsible for protecting your PHI. Under HIPAA, both parties to a business associate agreement are accountable for oversight of the PHI; neglecting that oversight has a systemic negative impact across their entire system. A properly executed BAA can protect both parties in the event of a breach.

What are the penalties for not securing a HIPAA-Compliant BAA?


Penalties for HIPAA violations range from $100 to $50,000 per individual violation, with a maximum fine of $1.5 million per calendar year, depending on the perceived level of negligence. Additionally, those who commit infractions risk jail time. One example of a HIPAA violation is the failure to sign a HIPAA-Compliant Business Associate Agreement.


Securing a Business Associate Agreement is part of Shield Data Network's onboarding process. We would gladly review and complete our clients' own BAA document, or we can provide ours if needed. This may be an added step, but doing so can protect our clients from future headaches.


References:

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html