What Is A Business Associate Agreement?
Numerous rules and regulations surround PHI and ePHI. Health care lawyers can help business associates and providers draft an agreement.
Here is an article about what a business associate agreement is.
Understanding Business Associate Agreements
Business associate agreements are specific to healthcare providers and others who deal with PHI. They are part of the continuous effort to ensure that PHI and ePHI are not inadvertently or intentionally disclosed to unauthorized individuals. Specific individuals must sign a business associate agreement and acknowledge all applicable laws.
Who Should Sign A Business Associate Agreement?
All relevant parties should sign a business associate agreement. However, these agreements are generally signed by managers, with protocols implemented and delegated to team members individually.
These are the following individuals who typically sign a business agreement:
- And more
If you have questions about who should be signing a business associate agreement in your organization, ensure that you speak with healthcare lawyers for advice. They can help you identify all parties with a vested legal or financial interest in the matter.
Here is an article on the basics of business associate agreements.
Who Needs A Business Associate Agreement?
There are two parties who could need a business associate agreement. The first one is a business associate, and the second is a covered entity. Both parties have separate duties and responsibilities that should be carefully established in a business associate agreement.
Who Is Considered A Business Associate?
Business associates are individuals or business entities who perform specific activities that involve the direct use or divulgence of PHI or ePHI. These activities include operation management and administration according to the Privacy Rule and Administrative Simplification Rules.
A business associate can range from software companies to cloud services providers. Anyone who could potentially view PHI or ePHI and is not a covered entity employee is a business associate.
Covered Entity vs. Business Associate
Covered entities are hospitals and healthcare providers and are different from business associates. Business associates are not employed by covered entities. However, a business associate provides a service to the covered entity as part of its normal course of business.
Here is an article about business associates.
Parts of a Business Associate Agreement
Under HIPAA and HITECH, business associates must follow specific security rules and routinely review them when working with a covered entity. For both parties to protect themselves, it is essential to address the key parts of a business associate agreement. Leaving out important details can result in legal problems in the future.
These are the parts of a business associate agreement under Health and Human Services (HHS) guidelines:
- Part #1: Establish permitted uses of PHI as well as any disclosures.
- Part #2: Require that the business associate not use the information other than as permitted or required by law.
- Part #3: Demand that the business associate utilize reasonable security protocols to prevent unauthorized use of PHI.
- Part #4: Set terms and conditions related to breaches of PHI.
- Part #5: Address the business associate’s obligation to handle PHI copy requests.
- Part #6: Explain how HIPAA obligations require business associates to comply with applicable laws.
- Part #7: Require the business associate to maintain high internal standards and practices related to the handling of PHI.
- Part #8: Determine how contract terminations should be handled as well as how to return or destroy PHI data.
- Part #9: Specify how business associates should deal with subcontractors and their use of PHI.
- Part #10: Provide for contract termination upon a material violation of the agreement's terms by the business associate.
As you can see, business associate agreements are highly technical and complex. It is necessary and imperative to understand the role of HIPAA compliance and BAAs when forging this type of relationship with a covered entity. If you have any questions, privacy lawyers are able to provide specific legal advice.
HIPAA-Compliance and BAAs
The Health Insurance Portability and Accountability Act (HIPAA) sets standards that are not just limited to covered entities. HIPAA standardized how PHI should be used, stored, transmitted, and disclosed for everyone working in the healthcare industry. Since business associates use PHI, it is essential that BAAs comply with current rules and regulations.
Here is an article about HIPAA business associate agreements.
BAAs and Cloud Services
Before business associates can use, store, or process PHI, they must ensure that the services of the covered entities are secure. Even if the business associate claims to be HIPAA and HITECH compliant, it cannot use ePHI stored in the cloud until a risk analysis is performed.
However, there is an added element in that cloud services are also considered business associates. As such, covered entities must ensure that they have BAAs in place with them as well. Before uploading any PHI data to cloud services, the covered entity must have a signed BAA with their providers.
Cloud computing service providers can be liable for accessing ePHI if their services do not comply with HIPAA standards, even if they did not see any data. It is also essential to remember that not all cloud computing providers are willing to sign BAAs.
Also, signing a BAA does not necessarily make a cloud service HIPAA compliant. Even with an agreement in place, HIPAA laws can be violated, which means that no provider can be authentically HIPAA compliant on its own.
Simply put, HIPAA compliance is determined by how the platform is used.
Getting Help With a Business Associate Agreement
Federal and state laws take HIPAA violations seriously. As such, it is critical to hire healthcare lawyers when getting help with a business associate agreement. The value, knowledge, and experience they provide will protect you and your organization in the future while avoiding common pitfalls.
These are the advantages of hiring healthcare lawyers when dealing with a business associate agreement:
- Vast knowledge of laws that help you avoid HIPAA violations
- Ability to interpret laws and court rulings when making decisions
- Business associates and covered entities will understand their rights
- Experience will help clients better prepare for the transaction
- Manage expectations among all negotiating parties
- Compliance under all federal, state, and county regulations and laws, such as the CCPA
- Representation in case future disputes arise
Due to the intricate nature of healthcare laws, especially those related to PHI and HIPAA, ensure that you do not make the critical mistake of guessing your way through the business associate agreement. Doing so could create problems in the future, and the losses could far outweigh the costs of hiring privacy lawyers the first time around.
Privacy lawyers will listen to your needs and draft a contract that meets them. They will also focus on keeping patient information private and secure.
Here is an article with resources for providers on PHI compliance and data security.