
An ECRI Institute member recently asked for a sample business associate agreement as required by the Health Insurance Portability and Accountability Act (HIPAA) privacy rule and for guidance on implementing these agreements.

The HIPAA privacy rule requires a written business associate agreement between a covered entity and a business associate that contains "satisfactory assurances" that the business associate will use and disclose protected health information (PHI) provided by the covered entity only as permitted under the terms of the agreement and in a manner that would not violate the HIPAA privacy and security rules if done by a covered entity (45 CFR § 164.504[e]).

Covered entities are not required to obtain "satisfactory assurances" from a subcontractor or enter into business associate agreements with subcontractors; rather, business associates must obtain satisfactory assurances from their subcontractors or enter into business associate agreements with them.

A sample business associate agreement is available from the U.S. Department of Health and Human Services (HHS). Organizations are not required to use HHS's sample agreement. Rather, organizations should review the sample with their legal counsel and adapt it to their needs. In fact, HHS encourages covered entities and their business associates to modify the sample contract language to reflect the actual business arrangements between them. In addition to required HIPAA privacy and security provisions, the contract may include indemnification and other risk-shifting provisions and should also address any applicable state law security or privacy requirements.

The parties' legal relationship (i.e., whether the business associate is an agent of the covered entity) should be carefully considered and clearly addressed in the business associate agreement, because an agency relationship exposes the principal to liability for the agent's violations (45 CFR § 160.402). Where the business associate is an agent of the covered entity under the federal common law of agency, the omnibus rule makes the covered entity liable for civil money penalties imposed for HIPAA violations committed by its business associate, regardless of whether the covered entity knew of the violations or had a compliant agreement in place. Referencing federal common law agency principles, HHS states that what distinguishes an agency relationship from a nonagency relationship is the covered entity's right or authority to direct or control the business associate in performing the delegated service. HHS also states that the terms or labels the parties use to describe their business relationship, such as "independent contractor," are not controlling.

The omnibus rule significantly modified the HIPAA and HITECH Act (Health Information Technology for Economic and Clinical Health) breach notification rules governing the procedures that covered entities and business associates must follow when determining whether a breach of unsecured PHI requires notification of affected individuals, HHS, or the media. Because the timing of breach notification carries regulatory liability implications, HHS encourages covered entities to specify in their business associate agreements how, when, and to whom a business associate must notify the covered entity of a potential breach.

Detailed information on these and other health information privacy and security considerations is available in the guidance articles The HIPAA Privacy Rule and The HIPAA Security Rule.

The recommendations contained in Ask ECRI do not constitute legal advice. Facilities should consult legal counsel for specific guidance and develop clinical guidance in consultation with their clinical staff.

Topics and Metadata

Topics

Laws, Regulations, Standards; Health Information Privacy

Caresetting

Ambulatory Care Center; Physician Practice


Roles

Risk Manager; Legal Affairs

Information Type

Guidance


Publication History

Published August 30, 2017
