Compliant Business Associate Agreement Guidance Issued

Compliant business associate agreement guidance has been issued by the American Health Information Management Association (AHIMA) and added to its library to assist Business Associates with their efforts to achieve full HIPAA compliance.

The Privacy Rule introduced Business Associates (BAs) into HIPAA legislation, but it was the Omnibus Rule that plugged the gaps and made them directly accountable for their actions. Since then, BAs must agree to comply with the Health Insurance Portability and Accountability Act rules covering Protected Health Information (PHI); however, there is little compliant business associate agreement guidance available, and many newly covered vendors are struggling to adhere to HIPAA rules.

While the Department of Health and Human Services’ Office for Civil Rights (OCR) has released information to assist BAs in achieving compliance, there is still some confusion, in particular over how HIPAA applies to different kinds of vendors. The rules apply to all covered organizations, but the specifics of how they relate to, say, a provider of a cloud platform are different from those that apply to a printing or marketing company.

AHIMA has issued guidance for newly covered Business Associates that provides practical advice on the expanded definitions of the Omnibus Rule and how these apply to BAs. One of the requirements is for BAs to complete a Business Associate Agreement (BAA), but the exact structure of these documents is left to the covered entity and the BA to determine; the guidance offers help in this regard.

The guidance covers the details that must be included in a BAA, information on the vetting process, and how vendors can ensure they are compliant with both the HIPAA and HITECH Rules, for example by providing additional training to staff who are likely to come into contact with PHI.

BAs are given pointers on establishing an ongoing security program to ensure that safeguards are maintained and remain effective. The issue of data encryption is also covered: it is an addressable implementation specification under the Security Rule rather than a mandatory requirement.

Even when the best defenses are in place, breaches can still occur, so BAs must also abide by the Breach Notification Rule. The guidance explains how HIPAA violations and breach discoveries must be managed and how to set up a system to monitor for intrusions and data breaches. The need for clear and precise reporting, including details of the entities that must be informed, is also covered.

A compliant business associate agreement must detail all responsibilities of the BA. The lack of a current and comprehensive BAA has been the cause of a number of HIPAA violations in the past, and with OCR planning a new round of compliance audits in the near future, it is important for both covered entities and their BAs to ensure that their BAAs are fully compliant with the Omnibus Rule updates. Both the covered entity and the BA can be fined directly for HIPAA violations relating to BAAs.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news