5 Questions To Ask Before Crafting a HIPAA Business Associate Agreement

If this is the first time your practice is entering into a contract with a healthcare IT vendor, then according to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), each party must enter into and establish a Business Associate Agreement (BAA) and follow it to the letter to remain HIPAA compliant. But before you sign any IT vendor’s contract, there are questions you may want to ask about the BAA first, before obligating your practice and tying it to a healthcare IT “Business Associate.”

What Is a HIPAA Business Associate Agreement?

Before you start, you must familiarize yourself with what a BAA is and with the ten requirements you must adhere to in order to remain compliant. Under HIPAA, a BAA is a detailed written contract between a covered entity (you) and a business associate (your healthcare IT vendor in this scenario). The written BAA contains a minimum of ten must-do provisions outlining each party’s required responsibilities with respect to your patients’ Protected Health Information (PHI).

What Is a “Business Associate?”

The easiest way to explain who or what a business associate is is to quote the U.S. Department of Health and Human Services website’s definition:

“A business associate is a person or entity that performs specific functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.”

Which Party Crafts The HIPAA Business Associate Agreement?

Here is where pressure might be put on you to sign a service contract prematurely if this is your first Business Associate Agreement process. Typically, covered entities (you) and healthcare IT vendors each have their own company’s BAA that they want the other party to sign before either enters into an IT service contract. At times it can become a “war of the agreement forms,” with each side insisting on its own form.

The critical point to remember is that it is not whose form is used but the content or language inside that form that carries all the weight. In the event of a breach, you don’t want to learn later that you are responsible when the vendor actually should be, because no provision was made before signing.

If You Use the IT Vendor’s Form Can You Still Negotiate Terms?

Yes, by all means. Even if your practice is small, never conclude that you cannot negotiate critical provisions. In this process, each side gives and takes. Just remember that the form must contain the ten must-do requirements outlined by HIPAA; that part is not negotiable. If the IT vendor does not allow you to negotiate when using their BAA form, you may want to hold off and reach out to another IT vendor for other options.

How Is a Business Associate Agreement Designed?

Remember these three words: “Level of Risk.” Not every healthcare IT vendor will interact with your patients’ health information (PHI) in the same way another might. It comes down to the amount and type of PHI created, received, maintained and transmitted by your business associate, based on the terms inside the BAA.

Two possible examples:

  1. This IT vendor is going to handle significant amounts of PHI. In designing your BAA, you would request additional layers of security protection along with the must-do provisions.
  2. This IT provider will have little or no exposure to your PHI. In designing a BAA for this vendor, you would not need the strict extra-layer requirements, but the ten provisions must remain.

Besides the level of risk, you will also want to discuss any issues or risks that are specific to healthcare IT, such as:

  • Data Analytics – Can they perform data analytics on the PHI they create?
  • Cloud Computing – Do they use a cloud service that provides “no-view services”?
  • Limitation of Liability – What are the vendor’s liability limits, and do they favor the covered entity?
  • Cyber Liability Insurance – Do they have it, and can they provide a certificate of coverage?

As you or your attorney design your Business Associate Agreement, there is much to consider before you sign the IT vendor’s service contract. Don’t feel pressured into signing the contract now, before you have negotiated the BAA terms. Whatever you decide, do not rush into signing until the Business Associate Agreement has been agreed upon and signed by both parties.