
Business Associate Agreement

Make Sure You Have Them on File

by Sean Weiss, Partner & VP of Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also referred to as Public Law 104-191, has been around for more than two decades now. For the first 15 years or so, there was not much traction regarding the law. Of course, when it was first introduced to the health care industry, it was positioned as the law that would bring stability and protection to patients regarding their Protected Health Information (PHI). The truth is, the law was sorely needed and, had it been enforced as it was supposed to be out of the gate, I believe things would be a bit different today. Sure, there were some fines and penalties over the years and a few that were pretty significant, but nothing like what we all thought it would be.

I remember back in 2001 and 2002 when I co-authored the book HIPAA “The Administrative Simplification Provisions” we focused on the requirements that HHS set out to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. The law and provisions were enacted by Congress because they felt with all of the advances made in electronic technology it could erode the privacy of health information. With this in mind, Congress incorporated into HIPAA provisions mandates for the adoption of Federal privacy protections for individually identifiable health information (IIHI).

The privacy rule (Privacy Rule) was published as a final rule in 2000 and was later modified in 2002. The rule set national standards for the protection of IIHI via three types of Covered Entities (CE): Health Plans, Health Care Clearinghouses, and health care providers who conduct the standard health care transactions electronically.

Jump ahead to 2019 and what we thought would be happening out of the gate is now at full speed regarding enforcement (you can also click this link, Enforcement Rule – PDF, to view the provisions relating to compliance and investigations and the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules). Below I have provided for you a chronology of the Enforcement Rule and its history if you are interested:

Enforcement Rule History

October 29, 2009 – HITECH Act Enforcement Interim Final Rule

February 16, 2006 – HIPAA Enforcement Rule – Final Rule (PDF)

September 14, 2005 – Extension of Expiration Date of Interim Final Rule (PDF)

April 18, 2005 – HIPAA Enforcement Rule – Proposed Rule (PDF)

September 15, 2004 – Extension of Expiration Date of Interim Final Rule (PDF)

April 28, 2003 – Correction of Expiration Date of Interim Final Rule (PDF)

April 17, 2003 – Procedures for Investigations, Imposition of Penalties, and Hearings – Interim Final Rule (PDF)

Since I previously blogged about HIPAA this month, I am only going to focus on the Business Associate Agreement (BAA) for today. What I can tell you is based on recent investigations in which I have participated with the Office for Civil Rights (OCR): they are taking practices and health systems to task for failing to engage in the process of getting a BAA signed by all vendors and contractors with routine access to PHI. Since these cases are ongoing, I obviously cannot divulge any specifics, but I can share this: a healthy seven-figure penalty has been levied against a medium-sized practice for failure to have a BAA with three of their vendors. So, why is the BAA so important? The Department of Health and Human Services has defined the terms Business Associate and Business Associate Contract as such:

Business Associates

Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.

Business Associate Contract. When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. Covered entities that had an existing written contract or agreement with business associates prior to October 15, 2002, which was not renewed or modified prior to April 14, 2003, were permitted to continue to operate under that contract until they renewed the contract or April 14, 2004, whichever was first. See additional guidance on Business Associates and sample business associate contract language.

One recommendation I am making to my clients is to go back and audit all of your vendors/contractors that have access to PHI and make sure you have an executed BAA dating back to the date of your initial contract with them (six years is the statute of limitations for OCR). If you have a contract that has language in it regarding their commitment to ensure the confidentiality of patient information, or something along those lines, that is not enough; you must have a BAA. If you do not, I would move quickly to have one executed so that you can at least limit potential financial damages in the event you are investigated by OCR. Do not try to be slick and back-date your BAAs, as that is unethical and potentially fraudulent behavior that would definitely be frowned upon by OCR.

Here is the model language offered by DHHS for Business Associate Agreements. If you do not have one, or yours does not comply with the language in the PDF, consider revising your BAA and working with your vendors to execute a new agreement. Make sure to maintain all of your old BAAs (do not toss them because you have a new one signed; you want them in the event you need them for proof with OCR. Remember, OCR has a statute of limitations of six years for their look-back period).

What to do next…

  1. If you need help with an audit appeal or regulatory compliance concern, contact us at (800) 635-4040 or via email at
  2. Read more about our: Total Compliance Solution

Why do thousands of providers trust DoctorsManagement to help improve their compliance programs and the health of their business?

Experienced compliance professionals. Our compliance services are structured by a chief compliance officer and supported by a team that includes physicians, attorneys and a team of experienced auditors. The team has many decades of combined experience helping protect the interests of physicians and the organizations they serve.

Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credentials.

Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.

Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.