When it comes to sensitive medical data that includes patient information, privacy is everything. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare companies that handle their patients’ personal data cannot allow the public access or disclosure of personal information without individual patient consent or knowledge.
As defined under HIPAA, a healthcare business associate is “a person or entity that performs functions or activities that involve the use or disclosure of protected health information on behalf of, or provides service to, a covered entity.”
Organizations covered by HIPAA often partner with other organizations or individuals to perform business activities on their behalf, and sometimes these functions require access to personal health information. The disclosure of personal health information is allowed to a “business associate.” However, the third party can only access and use relevant personal information for the specified business purposes. Additionally, a business associate must maintain the security and privacy of patients’ personal information.
A business associate agreement (BAA) is a way for organizations to protect themselves from improper access and disclosure by third parties. While BAAs address the issue of data privacy through a legal lens, they are no substitute for robust data privacy protection measures. Even if business associates were to always behave in good faith, they still represent a potential point of vulnerability and access for malicious actors seeking to access patient data.
HIPAA Omnibus Rule Business Associate Agreement
Due to legal and compliance issues, organizations covered by HIPAA often enter into formal written agreements with business associates that have access to personal health information. The 2013 HIPAA Omnibus Rule provides guidance on what should be included in these agreements.
The rule states that a covered organization must receive concrete, written assurance from its associate pertaining to the safeguarding of any protected information that it receives or creates for the covered organization.
In other words, third parties must promise to do their best to keep confidential information confidential. While they should have technological data protection measures in place, the BAA provides an additional, legal layer of protection, albeit a thin one. Without foundational data privacy safeguards in place — such as what the TripleBlind Solution offers — they leave themselves open to data breaches.
Purpose Of Business Associate Agreement
Outline Permitted Uses
A business associate agreement must outline the permitted uses of personal information.
It must also explicitly state that the business associate will not use or disclose the protected information beyond what is outlined in the written agreement.
What Happens If The Business Associate Violates The Agreement?
If the business associate violates the written agreement, the covered organization must take reasonable steps to address any HIPAA violations. If the covered entity cannot successfully address any violations, it must terminate the agreement and report all violations to government authorities.
Both the covered organization and the business associate benefit from entering into a comprehensive written agreement. This measure helps all involved parties understand expectations related to the transfer, storage, and use of personal health information.
HIPAA business associate agreements also support compliance and serve as proof for government inspectors that the appropriate steps were taken to ensure the proper use and protection of personal health information.
However, having only a BAA as a way to protect private data presents a substantial risk. Without additional safeguards in place, the agreements rely heavily on trust: trust that the partner will not engage in nefarious activity or otherwise misuse, misplace, or unintentionally compromise the privacy and security of sensitive information through negligence. Again, BAAs should not be the only privacy protection measure in place. Breaches of sensitive data are irreversible, meaning there are no remedies after the fact, other than stopping the continued leakage.
Business associates that violate a written agreement have more to worry about than just business-related consequences. These third-party organizations can also be held liable for the exposure of personal health information under HIPAA regulations if they do not remain BAA compliant.
According to the Department of Health and Human Services, business associates can be held liable for a number of HIPAA violations, including:
The primary issues with BAAs are that they only provide post facto mechanisms for punishing bad actors and BAAs are complex, onerous and expensive to put into place.
There are two situations in which a BAA would fail. The first would be negligence on the part of the third party. The second is when the monetary benefit of breaking a BAA is far greater than the potential penalties.
Given the limitations, businesses must invest resources in scrutinizing third parties before entering into an agreement with them. The level of scrutiny an organization places on a third party should be dictated by the type and amount of data it will be handling. Patient files are more sensitive than summary statistics about workforce demographics or app usage data.
Any business that uses BAAs should also conduct annual reviews of existing business associates. Often, annual reviews are part of a HIPAA BAA checklist that is used in tandem with the company’s procurement cycle. This forces vendors to participate in a reassessment before their fees are paid.
Companies often have to contract a neutral third party that conducts the assessment of business associates. Attorneys that specialize in HIPAA and business associate agreements are best positioned to conduct these assessments, and their services can be costly.
There is a lot of uncertainty when it comes to handling sensitive personal information. Fortunately, next-generation privacy technology from TripleBlind can eliminate much of this uncertainty by optimizing your organization’s protection for data in use.
While BAAs are an integral piece of the data privacy pie, our trusted cutting-edge solution facilitates better privacy and security for organizations around the world, helping our clients put their sensitive data to use. When it comes to working with business associates, TripleBlind allows health organizations to make their data accessible while also ensuring that it remains protected at every step, enforcing BAA compliance through technology, not trust.
TripleBlind preserves privacy and enforces compliance through its software-only API-based solution. The company’s innovations build on well-understood principles like federated learning and multi-party compute, to radically improve the practical use of privacy preserving technologies and privacy with HIPAA. Plus, the TripleBlind solution offers auditable digital rights, allowing healthcare and life sciences organizations to set how data may be used by a counter-party. That ensures that patient data is used by business associates in approved ways only. Our technology also compared favorably to several other privacy-enhancing computation methods, including homomorphic encryption, synthetic data, federated learning, and differential privacy.
Please contact us to set up a demo and learn more about our revolutionary technology.
Business Associate Agreement FAQs
As a software vendor, what do I need to do to become a HIPAA-compliant Business Associate?
HIPAA And HITECH Requires Adherence To
Third-party software vendors are included in these provisions. HIPAA-compliant Business Associate contracts must adhere to these requirements by establishing the permitted and required uses and disclosures of protected health information, implementing safeguards against unauthorized use, and reporting any use or disclosures outside of contract specifications. Here is additional information about HIPAA-compliant Business Associate Agreements.
If, as a Business Associate, I share ePHI with other companies, do I need to sign an agreement with them?
Yes. Under HIPAA and HITECH, any covered entity (including Business Associates) must sign a Business Associate Agreement when sharing electronic protected health information (ePHI).
Is it always necessary for third party service providers to sign an agreement with a Covered Entity?
Yes. HIPAA’s Privacy Rule requires for all Covered Entities to sign Business Associate Agreements with any third-party service provider that may come in contact with PHI or ePHI. This is specified under HIPAA’s Omnibus Rule.
What are the exceptions to the requirement to sign a Business Associate Agreement?
Business Associate Agreements are not required with individuals or organizations whose functions, activities, and/or services do not involve the use or disclosure of PHI or ePHI.
How can a Covered Entity be a Business Associate for another Covered Entity?
If one HIPAA-Covered Entity hires another HIPAA-Covered Entity who “creates, receives, maintains, or transmits” PHI or ePHI in the course of performing services, then the hired HIPAA-Covered Entity becomes a Business Associate and requires a Business Associate Agreement.
How frequently should HIPAA Business Associate Agreements be renewed?
HIPAA BAAs that are “evergreen” (permanently valid) do not require renewal unless a regulatory rule change occurs. If both the Covered Entity and Business Associate agree to an “evergreen” contract, then the contract will renew automatically.
Who are Business Associate Subcontractors?
Business Associate Subcontractors create, receive, maintain, or transmit PHI or ePHI on behalf of another Business Associate. A Business Associate Subcontractor Agreement (known as a subcontractor BAA) legally binds a business associate of a covered entity and a business associate of that business associate.
Who is not considered a Business Associate/Subcontractor?
Contractors who do not handle PHI or ePHI and who work exclusively with your company, your clients, and workers hired through a business are not considered Business Associates. However, the hiring organization is liable in the event a non-Business Associate/Subcontractor breaches PHI.
What Happens If My Business Associate/Subcontractor Discloses PHI?
Business Associates are directly liable under HIPAA rules. If a Business Associate or Subcontractor discloses PHI, they will be liable to civil and potentially criminal penalties.
TripleBlind is built on novel, patented breakthroughs in mathematics and cryptography, unlike other approaches built on top of open source technology. The technology keeps both data and algorithms in use private and fully computable.
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
You can read about our cookies and privacy settings in detail on our Privacy Policy Page.
Privacy Policy