Paubox blog: HIPAA compliant email made easy

What does a HIPAA compliant BAA look like?

Written by Kirsten Peremore | September 27, 2023

The necessary components of a business associate agreement (BAA) ensure both the covered entity and the business associate are aware of their responsibilities and obligations under HIPAA. While the information below offers a comprehensive template, the specifics of a BAA can vary based on the unique circumstances and requirements of the parties involved.

 

Introduce the purpose of the BAA

The introduction section of a BAA serves as an opening statement that clarifies the agreement's primary goals. First, it explains that the BAA exists to outline the purpose and terms of the partnership between a covered entity and a business associate in handling sensitive healthcare data, known as protected health information (PHI). Second, it emphasizes the safeguarding of PHI, highlighting that the agreement's main objective is to ensure that both parties take all necessary measures to protect the privacy and security of this confidential patient information. 

See also: How to know if you're a business associate

 

Clearly define the terms 

In the "Definitions" section of a BAA, terms like "Business Associate," "Covered Entity," and "HIPAA Rules" are precisely defined to ensure that both parties involved in handling healthcare data have a common understanding of these concepts. For instance, it clarifies what qualifies as a Business Associate, typically an organization or individual providing services to a healthcare entity. It also specifies what a Covered Entity is, often the healthcare provider or insurer that directly interacts with patients and manages their health information. Additionally, it explains the scope and regulations of the HIPAA Rules, which are the federal laws governing the privacy and security of patient health data.

See also: Business associate agreement provisions

 

State the obligations set by the BAA

The "Obligations and Activities of Business Associate" section in a BAA outlines the responsibilities the business associate must adhere to. First and foremost, it underscores the business associate's duty to safeguard PHI, emphasizing the need to protect the confidentiality and security of patient data. Additionally, it specifies the requirement for the business associate to promptly report any breaches or unauthorized disclosures of PHI, ensuring that potential security incidents are addressed promptly. 

This section also addresses the business associate's responsibility for complying with the HIPAA Security Rule, which sets forth guidelines for electronic PHI protection. It highlights that if the business associate is performing tasks typically carried out by the covered entity, they must follow the relevant provisions of Subpart E of 45 CFR Part 164. Furthermore, it emphasizes the business associate's commitment to making their internal practices, books, and records available for audits by the Department of Health and Human Services (HHS), reinforcing transparency and accountability in PHI management.

 

What are the permitted uses and disclosures?

A BAA commonly includes permitted uses and disclosures of PHI that are allowed under the HIPAA regulations. These may include:

  • Treatment
  • Payment
  • Healthcare operations
  • Legal compliance
  • Patient authorization
  • Research
  • Public health
  • Health oversight
  • Law enforcement
  • Emergency situations
  • Government functions
  • Workers' compensation
  • De-Identification

 

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

The "Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions" section within a BAA establishes a critical channel of communication between the covered entity and the business associate regarding privacy-related matters. This provision outlines the covered entity's responsibility to inform the business associate of any changes in its privacy practices, patient permissions, or restrictions related to the use and disclosure of PHI. 

This communication ensures that the business associate remains informed of any alterations in the covered entity's policies or procedures that may impact how PHI is handled. 

If the covered entity updates its privacy practices or imposes new restrictions on PHI use, it is obligated to promptly notify the business associate so that they can adjust their processes and remain in compliance with HIPAA regulations.

 

Permissible Requests by Covered Entity

The "Permissible Requests by Covered Entity" section of a BAA defines the boundaries within which the covered entity can request the business associate to use or disclose PHI. This provision ensures that any requests made by the covered entity align with the requirements of HIPAA and its privacy and security rules. It establishes that the covered entity should not request the business associate to engage in any activities related to PHI that would violate HIPAA regulations if performed directly by the covered entity.

 

Terminating the BAA

 It typically includes the agreement's effective date, setting a clear starting point for the partnership between the covered entity and the business associate. This section outlines the conditions under which the agreement can be terminated. If the business associate breaches any material term of the agreement, the covered entity is generally authorized to terminate the BAA. 

This provision emphasizes the significance of adhering to the terms of the agreement and reinforces the covered entity's ability to take action in case of non-compliance. Furthermore, this section addresses the critical issue of PHI after termination. It specifies the business associate's obligations regarding the return or destruction of any PHI it still possesses, ensuring that sensitive patient information is handled appropriately even after the partnership ends. 

 

Sending your HIPAA compliant BAA using HIPAA compliant email

Sending a BAA using HIPAA compliant email involves adhering to specific security measures to protect the confidentiality and integrity of sensitive healthcare data. HIPAA requires covered entities and business associates to use secure methods when transmitting PHI, and this includes the exchange of BAAs. 

Utilizing a HIPAA compliant email service ensures that the agreement is sent securely, typically through encryption and other safeguards. This approach helps prevent unauthorized access or breaches during the transmission process.