What is a Business Associate Agreement?

Video 21 of 27
0 min 54 sec

In this lesson, we're going to look briefly at what a business associate agreement (BAA) is and what some of the common elements of a BAA are. At the end of the lesson, we'll take a look at some common HIPAA violations.

A business associate agreement is a required contract between a covered entity and a business associate, that is, a vendor or other third party that creates, receives, maintains, or transmits PHI or ePHI on the covered entity's behalf. A business associate must in turn have a BAA with any subcontractor it passes PHI to, so the obligations flow down the whole chain.

A business associate agreement spells out how each party is responsible for handling PHI and can include:

  • Required compliance training
  • A risk assessment
  • Financial liabilities
  • Responsibilities if and when a data breach occurs

Pro Tip: A business associate agreement is not optional. It is what makes a business associate contractually accountable for handling PHI and ePHI securely and safely, and since the HITECH Act, business associates are also directly liable under HIPAA for their own violations.

Business associates are required to have:

  • A risk assessment
  • HIPAA compliance training
  • Policies and procedures, also known as a Book of Evidence

A Word About 10 Common HIPAA Violations

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI.

But before we get into the top 10 list, let's answer a couple of important questions first.

Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. The Office for Civil Rights (OCR) understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses.

Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.

The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.

How are HIPAA Violations Discovered?

HIPAA violations can continue for many months, or even years, before they are discovered. Because penalties are assessed per violation and per calendar year, the longer a violation persists, the greater the penalty will be when it is eventually discovered. It is therefore important for HIPAA-covered entities and business associates to conduct regular HIPAA compliance reviews so that violations are discovered and corrected before they are identified by regulators.

There are three main ways that HIPAA violations are discovered:

  1. Investigations into a data breach by OCR (or state attorneys general).
  2. Investigations into complaints about covered entities and business associates.
  3. HIPAA compliance audits.

Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.

10 Most Common HIPAA violations

Listed below are 10 of the most common HIPAA violations. These are the categories in which HIPAA-covered entities and business associates have most often been found in violation of HIPAA Rules and have had to settle with OCR or state attorneys general. In many cases, a single investigation has uncovered multiple HIPAA violations.

In no particular order, the 10 most common HIPAA violations are:

  1. Snooping on healthcare records
  2. Failure to perform an organization-wide risk analysis
  3. Failure to manage security risks / lack of a risk management process
  4. Failure to enter into a HIPAA-compliant business associate agreement
  5. Insufficient ePHI access controls
  6. Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  7. Exceeding the 60-day deadline for issuing breach notifications
  8. Impermissible disclosures of protected health information
  9. Improper disposal of PHI
  10. Denying patients access to health records/exceeding timescale for providing access