Contracts, by their definition, aim to govern the rights of parties whose rights are not otherwise governed. They allow the parties to negotiate the exchange and reduce to an agreement what each party can and should expect of the other. We tend to think of contracts as voluntary arrangements entered by willing participants. In the case of a business associate agreement (BAA), that is not precisely true. This is because BAAs are mandated by government regulation—specifically, the regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This article introduces the reader to BAAs and provides some guidance about when they are necessary and what they should include.
BAAs are intended to secure the protected health information (PHI) of patients. To do this, they bind a business associate to certain standards when handling PHI related to the services of a covered entity. A “covered entity” is defined at 45 C.F.R. Section 160.103 as a health plan, a health care clearinghouse or “a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” A common example of a “transaction covered by this subchapter” is electronic billing for services rendered.
A “business associate” at 45 C.F.R. Section 160.103 is an individual or organization outside the workforce of the covered entity that “creates, receives, maintains, or transmits” PHI for specified purposes (e.g., claims processing/administration, data analysis, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management and repricing). The definition does not have clear boundaries and, in fact, a covered entity may be a business associate of another covered entity. To help clarify what a business associate is, 45 C.F.R. Section 160.103(4) provides examples of what a business associate is not.
The HIPAA regulations at 45 C.F.R. Section 164.502(e)(1) discuss how and when a covered entity may disclose PHI to a business associate. First, the “how.” A BAA is a contract between a covered entity and a business associate (or between a business associate and its subcontractor) aimed at documenting assurances related to the business associate’s handling of PHI. This is necessary because 45 C.F.R. Section 164.308(b)(1) allows a covered entity to grant permission to a noncovered entity (i.e., a business associate) to “create, receive, maintain, or transmit” PHI on the covered entity’s behalf (45 C.F.R. §164.308(b)(2) grants that same right to business associates working with subcontracted business associates).
Such permission creates an issue because covered entities are held to a higher standard than business associates with regard to PHI protection (e.g., the privacy rule under HIPAA applies to covered entities). The disparity in standards applicable to business associates and covered entities may jeopardize patient privacy when covered entities need assistance from third party business associates. The BAA seeks to address this disparity. The HIPAA regulations at 45 C.F.R. Section 314 set forth the various requirements of a BAA, including reporting security incidents, complying with the HIPAA regulations applicable to covered entities, and implementing administrative, physical and technical safeguards. In essence, the BAA formalizes the administrative safeguards that address concerns about PHI. The U.S. Department of Health & Human Services published form BAA provisions on HHS.gov that help the parties remain compliant while picking and choosing which form terms apply to their particular circumstances.
As for the “when,” preparing a BAA is necessary whenever a covered entity wants to permit a business associate to create, receive, maintain, or transmit electronic PHI. Since the BAA is the document that raises the noncovered entity closer to the standard the covered entity itself must meet, it becomes necessary whenever a covered entity engages a business associate for any work that involves creating, receiving, maintaining or transmitting PHI.
A BAA represents a useful way to define the rights and obligations of the covered entity and its business associate with regard to protecting patients’ PHI. Despite this inherent value and the admirable goal of protecting patient privacy, the fact remains that BAAs are required by regulations. This means that the carrot of usefulness is accompanied by the stick of financial penalties. By way of a recent example, in December 2018, a group in Florida called Advanced Care Hospitalists (ACH) agreed to pay the Office of Civil Rights (OCR) $500,000 and to adopt a corrective action plan to settle potential claims that it violated HIPAA’s privacy and security rules by releasing PHI without a BAA in place. The Dec. 4, 2018, press release is available on HHS.gov.
ACH’s business was contracting internal medicine physicians to hospitals and nursing homes in western central Florida. From November 2011 to June 2012, ACH utilized the services of an individual who held himself out to be a representative of a Florida company called Doctor’s First Choice Billings, Inc. (First Choice). Though that individual provided ACH with medical billing services ostensibly through First Choice and its website, the individual allegedly did so without either the knowledge or the permission of First Choice’s owner. On Feb. 11, 2014, a local hospital informed ACH that PHI (including names, dates of birth and Social Security numbers) was viewable on First Choice’s website. After ACH was able to identify at least 400 affected individuals, it asked First Choice to remove the information from First Choice’s website.
Two months after learning of the issue, ACH filed a breach notification report with the OCR indicating that at least 400 individuals were affected. ACH raised that number by 8,855 in a supplemental breach report. OCR Director Roger Severino said of the incident, “this case is especially troubling because the practice allowed the names and Social Security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA.” While one may quibble with how basic the requirements are, the consequences of such a failure can be devastating to both patient privacy and practice solvency. For that reason, it is critical to discuss your covered entity clients’ vendor relationships with an experienced health law practitioner.
—Andrew Stein, an associate at Lamb McErlane, who focuses his practice on health and business law, assisted in the preparation of this article.
Vasilios J. Kalogredis is chairman of Lamb McErlane’s health law department. He represents many medical and dental groups and thousands of individual physicians and dentists.