Patient Privacy and Security

Resource: Business Associate Agreement Checklist and Considerations

By Emma TrivaxErin Whaley, Jim Koenig, Brent Hoard, Jonathan Ishee, and Kimberly Gillespie.[1]

Business Associate Agreement Background

In 2013, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights announced a final rule that implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to further strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[2] HIPAA requires that a covered entity enter into a business associate agreement (BAA) with a business associate. Among other things, the HITECH Act made business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements. The HITECH Act was needed to strengthen the HIPAA privacy and security protections for individual’s health information maintained in electronic health records and other formats.

Definitions

Including applicable definitions into a BAA will clarify language and advise the writer/reader what terms mean. BAAs may include a statement with catch-all or specific definitions, as described below.

Catch-all Definition

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific Definitions

  1. Business associate: “Business associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Business Associate].

  2. Covered entity: “Covered entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. § 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].

  3. HIPAA Rules: “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. §§ 160; 164.

  4. Breach: This term means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.

  5. Unsecured protected health information: This term means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111–5.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2023 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings