HIPAA Business Associate Agreement Management — §164.502(e), §164.504(e)

HIPAA Business Associate Agreement Management — §164.502(e), §164.504(e)

Overview

The HIPAA Privacy and Security Rules require covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard PHI. These assurances are documented through Business Associate Agreements (BAAs). The HITECH Act of 2009 and the 2013 Omnibus Rule fundamentally changed the BA landscape by making business associates directly liable for HIPAA Security Rule compliance and certain Privacy Rule provisions, and by extending the BAA chain to subcontractors. A BAA is not merely a contractual formality — it is a regulatory requirement, and failure to execute a BAA when required is itself a HIPAA violation subject to enforcement.

Who Is a Business Associate — §160.103

Definition

A business associate is a person or entity that:

1. On behalf of a covered entity or another business associate, creates, receives, maintains, or transmits PHI for a function or activity regulated by the HIPAA Administrative Simplification rules, including claims processing, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing; OR
2. Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where the provision of the service involves the disclosure of PHI

Who Is NOT a Business Associate

Common Business Associate Categories at Asclepius Health Network

Required BAA Provisions — §164.504(e)(2)

Mandatory Contract Terms

A BAA must include the following provisions:

1. Permitted and Required Uses and Disclosures

The BAA must establish the permitted and required uses and disclosures of PHI by the business associate. The BA may not use or disclose PHI other than as permitted or required by the BAA or as required by law.

Asclepius Health Network BAA language: "Business Associate shall not use or disclose Protected Health Information other than as permitted or required by this Agreement, as Required by Law, or as otherwise permitted by 45 CFR §164.504(e)."

2. Prohibition on Unauthorized Use or Disclosure

The BAA must not authorize the BA to use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity.

Exception: The BAA may permit the BA to use PHI for:

• Proper management and administration of the BA
• Carrying out its legal responsibilities
• Data aggregation services (if specifically authorized)

3. Appropriate Safeguards

The BA must use appropriate safeguards and comply with the Security Rule to prevent unauthorized use or disclosure.

Asclepius Health Network BAA language: "Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with 45 CFR Part 164, Subpart C."

4. Breach Reporting

The BA must report to the covered entity any use or disclosure of PHI not provided for by the BAA, including breaches of unsecured PHI as required by §164.410.

Asclepius Health Network BAA language: "Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured Protected Health Information as required by 45 CFR §164.410, without unreasonable delay and in no case later than five (5) business days after discovery of the Breach."

5. Subcontractor Requirements

The BA must ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA, including entering into a BAA with the subcontractor.

6. Access Rights

The BA must make PHI available to the covered entity (or directly to the individual if designated in the BAA) to satisfy the individual's right of access under §164.524.

Asclepius Health Network BAA language: "Business Associate shall make available Protected Health Information in a Designated Record Set to Covered Entity, or at Covered Entity's direction, directly to the Individual, within fifteen (15) business days of a request, to satisfy Covered Entity's obligations under 45 CFR §164.524."

7. Amendment Rights

The BA must make PHI available for amendment and incorporate amendments as directed by the covered entity under §164.526.

8. Accounting of Disclosures

The BA must make available the information required to provide an accounting of disclosures under §164.528.

9. HHS Access

The BA must make its internal practices, books, and records relating to the use and disclosure of PHI available to HHS for determining compliance.

10. Return or Destruction of PHI

At termination of the BAA, the BA must return or destroy all PHI received from or created on behalf of the covered entity. If return or destruction is not feasible, the BA must extend the protections of the BAA for as long as it maintains the PHI.

Asclepius Health Network BAA Lifecycle Management

Business Associate vs Subcontractor Obligations

Direct Liability Under HITECH/Omnibus Rule

Since the 2013 Omnibus Rule, business associates are directly liable for:

Subcontractor BAA Chain

Covered Entity
  └── BAA → Business Associate
                └── BAA → Subcontractor (Level 1)
                              └── BAA → Subcontractor (Level 2)
                                            └── ...continues downstream

Each link in the chain must have a BAA in place. Asclepius Health Network requires primary BAs to:

1. Maintain a registry of subcontractors with PHI access
2. Provide the registry to Asclepius upon request
3. Ensure subcontractor BAAs contain provisions no less restrictive than the primary BAA
4. Report subcontractor breaches through the primary BA

Breach Chain Notification Flow

When a breach occurs at a subcontractor:

1. Subcontractor discovers breach → notifies BA within timeframe specified in sub-BA (Asclepius standard: 24 hours)
2. Business Associate validates and documents → notifies Covered Entity within BAA timeframe (Asclepius standard: 5 business days of BA's discovery)
3. Covered Entity conducts four-factor risk assessment → determines if breach notification to individuals/HHS/media/AG is required
4. Covered Entity fulfills notification obligations (or delegates to BA per BAA)

Termination Remedies — §164.504(e)(2)(iii)

Material Breach

If the covered entity knows of a pattern of activity or practice of the BA that constitutes a material breach or violation of the BAA:

1. Cure: Provide the BA an opportunity to cure the breach or end the violation
2. Terminate: If cure is not successful, terminate the contract if feasible
3. Report to HHS: If termination is not feasible, report the problem to HHS OCR

Asclepius Health Network Termination Process:

• Written notice of material breach with 30-day cure period
• If not cured within 30 days, termination notice with 60-day wind-down period
• During wind-down: PHI access restricted to minimum necessary for transition
• At termination: BA must return or certify destruction of all PHI within 30 days post-termination
• If return/destruction infeasible, BA must provide written certification of ongoing protection

PHI Return/Destruction Verification

Asclepius Health Network requires:

• Written certification of PHI destruction from BA within 30 days of termination
• Destruction must comply with NIST SP 800-88 Rev. 1 for electronic media
• Paper records destroyed via cross-cut shredding or incineration
• Asclepius reserves the right to audit destruction compliance

Common BAA Deficiencies

Enforcement Actions

• North Memorial Health Care (2016): $1.55 million — failed to execute a BAA with a major contractor that had access to ePHI of 289,904 individuals; failed to conduct organization-wide risk analysis
• Care New England Health System (2019): $400,000 — failed to execute BAA with BA that experienced a breach; BAA was under negotiation but not signed when PHI was disclosed
• UMMC (University of Mississippi Medical Center) (2016): $2.75 million — multiple Security Rule violations including failure to manage BA relationships properly

Integration Points

• hipaa-privacy-rule: BAA requirement stems from Privacy Rule §164.502(e); BA permitted uses mirror Privacy Rule provisions
• hipaa-security-rule: BA must independently comply with Security Rule; BAA must require appropriate safeguards
• hipaa-breach-notify: BAA breach notification chain is critical path for timely CE notification and individual notice
• hipaa-minimum-necessary: BA disclosures must comply with minimum necessary standard