The Basics of Business Associate Agreements (BAAs) for Labs

Laboratorians involved in management activities have likely established agreements with external professionals or consultants who may have access to patient-specific information. Such information requires protection to secure patient health privacy. The Administrative Simplification provisions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) address what’s required of covered entities and their business associates (BAs) when it comes to protecting patient information. It is important to establish policies, as required by law, to manage contracts with external sources who will have access to protected health information (PHI).

Key BAA Definitions from HIPAA

HIPAA establishes definitions for various components of business associate agreements and contracts. More detail can be found in 45 CFR 160.103, but here are some of the key definitions:¹

Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.

Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider who transmits any PHI in electronic form per the standards developed by the U.S. Department of Health & Human Services (HHS).

Code Set: Any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. Such code sets include:²

• • ICD-10 – International Classification of Diseases, 10th edition Health Care Common Procedure Coding System (HCPCS)

• • CPT – Current Procedure Terminology

• • CDT – Code on Dental Procedures and Nomenclature

• • NDC – National Drug Codes

Health Information: Any information, whether oral or recorded in any form or medium, that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information: Any information, including demographic information collected from an individual, that is received by a covered entity and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. The information identifies the individual or there is a reasonable basis to believe that the information can be used to identify the individual.

Source: 45 CFR 160.103

These basic definitions help lab leaders understand HIPAA and BAAs. The purpose of a BAA is to outline the responsibilities of the covered entity and BA to protect PHI and reduce the chances of a breach involving PHI. The key components of BAA documents include:

Typical BAA Components

Use and Disclosure of PHI

The agreement identifies the functions that a BA is to perform and that allow the BA to have access to PHI. The BA will maintain the privacy of the PHI and only disclose what is permitted under the agreement and according to law. A covered entity may request to see any PHI that a BA or subcontractors of the BA may have.

When PHI is legitimately disclosed, it should be the minimum amount necessary. This infers a selective release of information. These disclosures may be required by law, or related to public health or safety requirements, organ donation, coroners’ work, and workers’ compensation.

Safeguards Against Misuse of PHI

A BA should create administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI. This includes appropriate training and education of personnel.

Reporting Disclosures/Breaches of PHI and Security Incidents

Any disclosure or security issues that are not permitted by the agreement should be reported promptly to the covered entity. This reporting also applies to unsecured breaches. Such severe breaches may be associated with financial liability for the BA. Steps must be taken to mitigate damages and prevent future breaches. This may impact agreements with subcontractors.

Accounting of Disclosures

Specific information should be provided to the covered entity by the BA when inappropriate disclosures are detected. A report should document the date of disclosure of PHI, the name of the entity or person who received PHI, and, if known, the address of such entity or person, a brief description of the PHI disclosed, and a brief accounting that includes the basis for such disclosure. The covered entity is responsible for reporting a breach to the individuals involved and the HHS.

Term and Termination

It is important to identify when the agreement is initiated and how long it will be in effect. Usually, the BAA can be terminated by either party. If the BAA is terminated, identifying how PHI will be either returned to the covered entity, or destroyed, is crucial. Our consulting firm retains PHI for three months following the delivery of final reports. After that period of time, all PHI is cross-shredded or electronically altered. We de-identify any PHI appearing in any reports.

HITECH Act

With HIPAA’s inception, covered entities carried the compliance burden pertaining to HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. But in 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which makes business associates directly liable for compliance with certain requirements of the HIPAA Rules. A final rule was issued in 2013, confirming that HIPAA rules apply to both covered entities and their business associates.³

According to the HHS, the provisions in this final rule that directly apply to business associates and for which business associates become liable for infractions include:³

• • Failure to respond to the Secretary of HHS or individual requests for copies of PHI

• • Failure to comply with security rule

• • Retaliating against complaints

• • Not self-reporting breaches

• • Improperly using or disclosing PHI, or releasing more than the “minimum necessary” information

• Not accounting for disclosures and lacking BAAs with subcontractors

Our firm has noted that laboratories frequently fail to initiate and update agreements with other service groups and agents. For example, lab leaders should establish a BAA with a shredding company that transports PHI or with a storage company that archives requisitions, results, specimens, and slides.

Penalties for Violations Involving PHI

If labs and their BAs are found to be neglectful in failing to protect PHI, the consequences can be costly. Civil penalties (fines) are mandatory for willful neglect. These fines vary depending on which of four different levels HIPAA violations fall under:

Conduct of Covered Entity or Business Associate	Penalty
Did not know and, by exercising reasonable diligence, would not have known of the violation	$100 to $50,000 per violation; Up to $25,000 per identical violation per year
Violation due to reasonable cause and not willful neglect	$1,000 to $50,000 per violation; Up to $100,000 per identical violation per year
Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew or should have known of the violation	Mandatory fine of $10,000 to $50,000 per violation; Up to $250,000 per identical violation per year
Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation	Mandatory fine of not less than $50,000 per violation; Up to $1,500,000 per identical violation per year

Other Useful Resources

What counts as a HIPAA violation? The government provides helpful examples of conduct that would be penalized. In one such example, the loss of a laptop containing PHI for 500 individuals represents 500 HIPAA violations. If a policy or safeguard is not implemented, each delayed day equals a violation.⁵ However, there is some room for discretion if the BA’s conduct was not a result of willful neglect.

Further, the Centers for Medicare & Medicaid Services (CMS) website includes a slide presentation that can help leaders determine whether their lab is a covered entity.⁶ Lab leaders can also download a Model Business Associate Agreement from the HHS website to help in drafting their own BAAs.⁷

Though there are many other details related to the use of BAAs not covered here, this article should provide laboratory leaders and their staff with the basics.

References:

1. 1. https://www.govinfo.gov/content/pkg/CFR-2013-title45-vol1/pdf/CFR-2013-title45-vol1-sec160-103.pdf

1. 1. https://www.cms.gov/files/document/code-sets.pdf

1. 1. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html

1. 1. https://www.federalregister.gov/documents/2019/04/30/2019-08530/notification-of-enforcement-discretion-regarding-hipaa-civil-money-penalties

1. 1. https://www.federalregister.gov/documents/2009/08/24/E9-20169/breach-notification-for-unsecured-protected-health-information

1. 1. https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf

1. 1. https://www.hhs.gov/sites/default/files/model-business-associate-agreement.pdf

________________________________________________________________________________________________________________________________________

Diana W. Voorhees, MA, MLS(ASCP)SH, CLCP, CPCO, is principal in DV & Associates, Inc., Salt Lake City, UT, which makes no representation, guarantee, or warranty, expressed or implied, that the information provided is free of error, and will bear no responsibility or liability for results or consequences of its use.