HIPAA Business Associate Agreement Template
This is a HIPAA Business Associate Agreement / Contract Addendum template for the requirements of the HITECH Act of 2009 in Microsoft Word format. Use it as a starting point and customize to meet the requirements for your business associates agreements.
The HIPAA-HITECH-Omnibus Security rule standard 164.308(b)(1) Business Associate (BA) Contracts and Other Agreements states:
“(1) A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information”
The importance of a Business Associate Agreement (BAA) can be demonstrated by two examples of breach fines levied in 2017 and 2018.
On December 4, 2018, Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant timeframe.
OCR’s investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA and failed to adopt any policy requiring business associate agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014[i].
The fine for our second example was issued on April 20, 2017. The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.
In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health (CCDH) following an initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015[ii].
ComplyAssistant’s updated BAA is one of the free tools we offer to website visitors in order to assist in their compliance needs. Our goal is to institute a “culture of compliance” in each of our client organizations and the use of an updated BAA is an important part of the compliance evolution.
We also offer automated and managed solutions
In addition to our free BAA, ComplyAssistant also offers a full turn-key solution for assessing a CE’s BAs using our compliance management portal. See our healthcare compliance software page for further information.
[i] U.S. Department of Health & Human Services (HHS.gov, Health Information Privacy). Available at https://www.hhs.gov/about/news/2018/12/04/florida-contractor-physicians-group-shares-protected-health-information-unknown-vendor-without.html
[ii] U.S. Department of Health & Human Services (HHS.gov, Health Information Privacy). Available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html
Other free tools
Medical Device Security Assessment SampleFree
HIPAA Privacy and Security Proactive Audits Tool KitFree
Business Associate Inventory SpreadsheetFree
HIPAA Privacy and Security Officer Job DescriptionsFree
Mobile App Free Trial – Healthcare Compliance Audit ToolsFree
HIPAA Facility Security Walkthrough ChecklistFree
HIPAA-HITECH Privacy and Security Reminders for the WorkforceFree