This article is written by Amulya Bhatia, currently pursuing B.B.A. LL.B from Symbiosis Law School, NOIDA. This article is an overview of a business associate agreement. It further discusses the significance of such agreements in the status quo and the equivalent of the same in countries other than the one where it is applicable.
It has been published by Rachit Garg.
We live in a time and age where privacy as a right has been given worldwide recognition and is said to be as important as breathing to live a life of dignity. Not just the Indian Constitution, but Article 12 of the Universal Declaration of Human Rights Act, 1948 recognises the right to privacy as a fundamental and significant right. This right is manifested in multiple facets of our lives; one such manifestation being medical privacy. The privacy of data by healthcare organisations increases the confidence of patients while also providing them with a secure environment. With the advent of technology, the breach of such data has become very common, making the safety of patient information of paramount importance. Patients are more open to getting treated in a fae and private setting. To safeguard the information of patients, various mechanisms have come into play.
In this article, we will understand one such manner, which is a business associate agreement, along with understanding the intricacies of such an agreement.
What is a business associate agreement
A Business Associate Agreement (BAA) establishes a legally binding relationship between Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates for the purpose of safeguarding protected health information (PHI). In simple language, a BAA is a legal contract between a healthcare provider and an individual (or organisation) for the purpose of storing protected health information and further specifies the responsibilities of the parties to the agreement. Such an agreement is governed by the Health Insurance Portability and Accountability Act (HIPAA). For a more enhanced understanding, there are certain key terms that must be understood:
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA 1996 is a US federal law that was implemented with the purpose of protecting sensitive patient information from being disclosed and it applies to HIPAA-covered entities and business associates.
- Protected Health Information (PHI): According to the law in the United States, PHI refers to any health-related information such as medical records, health status, and payments made, that can potentially be linked to a specific individual. This would also include ePHI, i.e., any medical data that is stored digitally. HIPAA was essentially enforced for safeguarding PHI in order to provide patients with a secure and transparent environment.
- Covered entity: A covered entity is anyone who provides treatment, payment and operations in healthcare. They are engaged in the service of providing medical treatment or collection of health information. The US Department of Health and Human Services, covered entities include healthcare providers, health plans, etc. For example, doctors, and health insurance providers.
- Business associate: This refers to any individual or entity, not belonging to the covered entity, who is responsible for providing certain services with regard to the access of PHI to the covered entities. A business associate creates, receives, maintains, or transmits protected health information for the covered entities and is therefore required to sign a business associate agreement for maintaining the privacy of the PHI. Examples include attorneys, accountants, medical billing companies, etc.
- Business associate subcontractor: A business subcontractor is a person or entity to whom a business associate delegates work and thereby shares access to PHI.
Purpose of a BAA and who needs it
The main idea behind a BAA is the safeguarding of PHI, as stated above, which is also the overall objective of HIPAA. This is done by outlining the responsibilities of the third parties that shall have access to such information. Who must enter into a BAA is decided on the basis of who is a business associate? Any individual or organisation that may potentially have access to PHI during the normal course of work is a business associate and shall therefore be required to sign a BAA. The exceptions to this rule are the direct employees of both covered entities and business associates, as they fall under the ambit of the business associate itself by virtue of their employment. It is to be noted that the responsibility of training employees and ensuring complete compliance with HIPAA laws rests on the organisation to maintain the sanctity of PHI. This essentially helps prevent any privacy breach and also allows the authorities to conduct an easy investigation in case of any breach.
Ramifications of breach of BAA
According to the HIPAA rules, any business associate or business associate subcontractor will have direct civil liability, and in some cases a criminal penalty as well, for making such use of PHI as is not permitted through a BAA. This rule extends to electronic PHI as well. In case of any breach by the business associate/ subcontractors, the covered entity is required to take the necessary measures to cure such a breach. The covered entity has the option of terminating the agreement in such a situation, and if that is not possible, they are mandated to report the problem to the HHS Office for Civil Rights.
Drafting a business associate agreement
Owing to the sensitivity of the subject matter of a BAA, i.e. sensitive medical data, it is imperative for such agreements to be iron-clad and complete. There are certain terms, conditions and details that a BAA should include:
The basic information that must be included within a BAA is as follows:
- Names of the parties as per their official identification cards along with specifying whether they are a covered entity or a business associate.
- Dates are to be mentioned on the top as well as the bottom. The former shall represent the date of creation of the agreement and the latter indicates the signing date.
- Acceptance of the agreement by the parties through the signing of the document.
- Term and termination of the BAA.
Business associate agreement-specific requirements
While basic information is common to all contracts, the agreement must also contain specific information regarding the BAA:
- There is a requirement for a definition clause.
- The kind of PHI that is in question, meaning the PHI that the BA shall have access to.
- The reasoning for the relevance of HIPAA to the relationship between the parties so as to avoid evasion of responsibility by any of the parties maliciously.
- The liability of the parties and consequences thereafter in case of breach of the BAA.
- Clearly defining the permissible and prohibited use and access of PHI.
- A procedure is to be opted for in case of a data breach by the covered entities.
- A mechanism for employee training is also to be established since the employees of all the parties shall also be responsible for the safeguarding of PHI.
Responsibilities of the parties
Any contract, especially one where the privacy of a third person is involved, should specifically outline the responsibilities of the parties to avoid any confusion. In addition to full compliance with the HIPAA rules, the following must also be laid down in a BAA:
- Specifically provide for the permitted use and disclosure of protected health information.
- Prohibit the use of protected health information beyond the required level as per the contract.
- Provide that the business associate must enforce suitable mechanisms to safeguard the protected health information which extended to information available by electronic means.
- Mandate the business associate to report any breach of the contract and unlawful use of the protected health information.
- In case a business associate is to fulfil any obligation, they must be mandated through the contract to do so.
Common mistakes in a business associate agreement
As stated before, a BAA establishes the responsibilities of the business associate and mandates HIPAA compliance by both parties involved. However, a BAA remains incomplete if it does not specify the manner in which PHI is to be protected. The extent to which the PHI can be used, including who can access it and under what circumstances, is also to be addressed through the contract. Further, how such compliance shall be enforced and the consequences and liabilities of breaching the agreement are to be stated.
Minimising the scope of who a ‘business associate’ is
While formulating a business associate agreement, many healthcare providers fail to understand how broad the term ‘business associate’ is. Following the Omnibus rule, anyone who processes or has access to PHI shall be a business associate. All parties must comply with the definition of a business associate to gauge the utmost value of a BAA and fulfil the ultimate objective of protecting sensitive patient health information.
Failing to conduct due diligence
The purpose of a BAA is to protect sensitive health information to avoid any risk of a breach of such data. However, prior to entering into a BAA, any health organisation must conduct due diligence, which includes a risk assessment to ascertain the genuineness of the other party. Further, ensuring that the opposite party follows HIPAA compliance. The idea is to not just rely on a BAA but to arrange proper research to safeguard PHI. This not only mitigates future mishaps but also will instil confidence in the agreement, both for the parties and for the patients, if such a preliminary investigation goes smoothly.
Lack of good technology and incorporating of the same in the BAA
The 21st century has seen fast pacing changes due to upgradation in the technology that is being used. Similar changes can be seen for storing PHI. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) encouraged healthcare providers to switch to electronic modes of storing data and further comply with HIPAA. Even prior to the implementation of the HITECH Act, doctors used electronic mediums such as e-billing or e-prescription for the exchange of PHI. Securing e-PHI and including it under a BAA enables its protection even with the improvements in technology. This allows the law to walk hand in hand with technology, pushes through the objective of HIPAA, and makes the BAA full-proof.
Healthcare-related data privacy laws in India
While HIPAA is essentially limited to governing US citizens, many other countries have also formulated HIPAA equivalents for the protection of sensitive health information; for example, Canada implemented the Personal Information Protection and Electronic Documents Act 2000. However, India still lacks a proper mechanism for the protection of such data and is still in talks for the implementation of the said laws.
The Apex Court of India, in the case of K.S. Puttaswamy v. Union of India, 2018, while declaring privacy as a fundamental right under Article 21 of the Indian Constitution, also highlighted the need to ensure the confidentiality and privacy of medical/health data.
Currently, the Information Technology Act, 2000 read with, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 governs the maintenance of the privacy of health information. However, the legislation remains inadequate in terms of its implementation, as it has not been updated to keep up with the rapid changes in technology. Further, it incorporates a wide array of information for security and does not specifically cater to health data.
Due to the inadequacies, multiple other attempts have been made to enact legislation only for the purpose of protecting sensitive medical data. The Ministry of Health, in 2017, issued a draft for establishing a healthcare information security law in India, namely, the Digital Information Security in Healthcare Act (DISHA). It aims to standardise the process of collecting, storing, and protecting health-related information to keep it private and confidential. According to DISHA, any health-related data, including psychological, physical, and medical history, is the sole property of the person pertaining to such data. Additionally, the Personal Data Protection Bill, 2019 (“PDP Bill”) was also introduced and applied to the processing of personal data.
However, both of these have not been passed by the Indian Government. In fact, the PDP Bill has been withdrawn by the Indian Government, which claims that a more ‘comprehensive framework’ shall replace the same. With the digitisation of the healthcare sector and an increase in sensitive health data, the inefficiency of Indian laws on the protection of such data becomes even more concerning. Considering the rapid pace in which the digitisation of healthcare is progressing, and as an increasing volume of health-related sensitive data is being transferred, between individuals, digital health/health technology platforms.
Protection of health information is a responsibility that is imposed on those who are confided in with sensitive information. Patient confidentiality is necessary to allow the patients to trust you, making them more likely to fully disclose their health information. For this purpose, HIPAA has been extremely successful in bringing about awareness regarding the importance of the privacy of health information while also limiting the use of medical data for any ulterior motives. HIPAA may have its weaknesses, such as failing to delve into the permissible limits of accessing medical data, but it is most certainly a step in the right direction. To avoid this, a business associate agreement is used to allow the parties involved to figure out the extent to which medical data can be used and the purposes for which it can be used.
Many countries that have not been able to bring into force a HIPAA equivalent, like India, could at least initiate business associate agreements, or confidentiality agreements, that would protect the health information of the patients. They have the opportunity to pick the strengths and avoid the weaknesses of HIPAA in their countries. Especially given the medical crisis of COVID-19 that was witnessed globally, it becomes even more imperative to take medical issues seriously. Protection of health related information is a necessity, and a common mechanism needs to be adopted for the same globally.
Frequently asked questions
1. Do BAAs need to be signed annually?
If a BAA has specific causes that make it ‘evergreen’, it is not mandatory for it to be signed regularly. However, it is advised that a BAA be reviewed regularly.
2. Do business associate agreements expire?
No, BAAs do not usually expire unless there is a regulatory change in HIPAA laws.
3. Which business associate agreement should I use?
A BAA dictates the terms of an agreement when there is disclosure of PHI. The type of BAA to be used depends on the relation between the parties involved, for eg. if the parties are two covered entities, one is a business associate and the other is a business associate subcontractor. etc.
4. Do two covered entities need a BAA?
Yes. The purpose of a BAA is to safeguard PHI. Therefore, if another HIPAA covered organisation is hired where there is disclosure of PHI, a BAA is required.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: