Failure to execute Business Associate Agreements has resulted in fines ranging from tens of thousands to over a million dollars over the past few years, so they are an important part of maintaining HIPAA compliance. So, what is a Business Associate Agreement? It is an agreement, required by the Privacy Rule, that a Covered Entity enters into with a Business Associate who will have access to Protected Health Information (PHI). Essentially, a Business Associate Agreement (BAA) is a written arrangement that describes the permitted and required uses of PHI by the Business Associate (BA), requires that the BA use appropriate safeguards to protect the PHI, and informs the BA of its obligation to notify the Covered Entity of any breaches that may occur.
Business Associate Agreements
Though the Business Associate Agreement requirement has been in place since October 2002, the HITECH Act expanded the obligations of the Business Associate. Whereas previously only the Covered Entity could be held liable for violations, the HITECH omnibus rule issued on January 17, 2013 allows the BA to be held directly liable for violations of HIPAA requirements.
If you are a Covered Entity and have not already done so, you should review your existing contracts to ensure that they meet the requirements of HITECH, and ensure that any new contracts do so as well. If you are a Business Associate, be aware of your new obligations and ensure that all of your employees are fully versed in the requirements of the Privacy Rule.
Examples of fines for not having Business Associate Agreements: