As organizations begin renewing and entering into new contractual relationships for 2024, an oft-forgotten aspect of the contracting process is determining whether a Business Associate Agreement (a “BAA”) is required. Under HIPAA, health care providers, health plans and health care clearinghouses (“Covered Entities”) are required to enter into BAAs with any vendor (“Business Associate”) that may have access to Protected Health Information (“PHI”). Many organizations operate under a misconception that they are not subject to HIPAA if they are not in the health care industry but, in fact, HIPAA’s reach is much broader than that. For example, organizations that sponsor health plans, including employers that sponsor self-funded plans, are responsible for their health plans’ compliance with HIPAA, including the requirement to enter into BAAs with plan vendors. As another example, information technology organizations providing services to employers that offer health plans may be asked to sign a BAA as a Business Associate if they have access to data on the employer’s systems that may constitute PHI.

Putting aside the fact that BAAs are legally required under HIPAA, we have outlined the top 5 reasons why you shouldn’t forget to enter into a BAA with applicable organizations as you begin your contract review process for 2024:

1. Ensure proper and timely notification of breaches and security incidents. Data security breaches have seemingly become a daily headline in our morning papers. Under HIPAA, there are very strict, specific notification requirements in the event of a breach or security incident. Entering into a BAA allows the parties to negotiate the timeline for notification not only from Business Associate to Covered Entity or downstream subcontractor to Business Associate, but also to individuals, the Department of Health and Human Services (“HHS”), state agencies, the media, and more. The parties can also negotiate terms to broaden the definition of what constitutes a reportable event. Understanding, outlining, and assigning these obligations is crucial given the breadth of the stringent requirements under the law (and interplay of potentially applicable state laws).
2. Shift liability for breach-related costs. Substantial costs may be involved when a breach or security incident occurs, including, for example, notification costs, credit monitoring expenses, governmental fines and penalties, legal fees, hiring third party cybersecurity experts for investigation efforts, and more. Entering into a BAA provides parties the opportunity to negotiate liability and indemnification rights for these expenses.
3. Pass requirements through to subcontractors. Whether your organization is a Covered Entity or a Business Associate, utilizing BAAs to ensure that subcontractors are also required to comply with applicable HIPAA requirements is key. Understanding who those subcontractors are, where they store data, what entities may receive PHI from them, and what safeguards they have in place is an important aspect of ensuring HIPAA compliance and shifting liabilities.
4. Be prepared for an audit. In the event HHS audits an organization for HIPAA compliance, the agency will ask for a list of all Business Associates and the applicable BAAs with those vendors. If your organization does not have a comprehensive list of Business Associates or up-to-date BAAs, HHS could assess penalties and decide to delve even deeper than usual during the audit process. Producing these documents upon request demonstrates a good faith effort to comply with HIPAA and could help an organization avoid or reduce the risk of certain penalties that may be assessed during the audit process.
5. Assign responsibilities to the parties. There are a number of obligations under HIPAA that the parties may want to specifically assign to a contractual party or delegate to yet another entity. For example, some Covered Entities may want control over individual rights under HIPAA, such as an individual’s right to request access to PHI, amend PHI, request confidential communications of PHI, restrict PHI disclosures, or obtain an accounting of disclosures. In other instances, some Covered Entities may decide to shift the obligation to respond to these requests to the Business Associate due to the nature of the parties’ relationship and the Covered Entity’s capabilities. Entering into a BAA allows the parties to determine who is best suited to satisfy certain HIPAA requirements and assign such roles accordingly.