In recent weeks we have seen several OCR fines levied against organizations that were transferring PHI or receiving PHI without an executed Business Associate Agreement. It is clear this has become a point of intense focus for federal regulators, and one from which we can expect continued fines. However, that is only half of the story. In practice, Business Associate Agreements are not always easy to get executed, for a plethora of reasons. Therefore, let’s analyze some best practices to get those outstanding Business Associate Agreements executed.
1. Get the ball rolling: Whether you are a Business Associate, Covered Entity, or subcontractor, don’t hesitate to be the first to send a Business Associate Agreement for negotiation and execution. It establishes the parameters of the negotiation, states that this is a serious matter to you, and takes the first step in getting a BAA executed. If you need a place to start, there are plenty of examples readily available, including from HHS.
2. Stress the importance: A Business Associate is determined by the specifics of the business relationship, not by the existence of a Business Associate Agreement. In other words, not executing a Business Associate Agreement does not absolve an organization from HIPAA-required safeguards; therefore, there is no compelling argument not to execute a Business Associate Agreement. It is a requirement of both the Business Associate/Subcontractor and the Covered Entity to have a BAA in place. The requirement is not one-way.
3. Cause for termination: Almost all contracts outlining the business relationship will permit (or require) the termination of the agreement if one party does not comply with applicable laws or regulations. Signing a BAA is required by HIPAA, thus not signing one is grounds for termination. While it might be a disconcerting thought, your only protection against an organization that refuses to sign a Business Associate Agreement is to stop the transfer of PHI. This may create an incredibly challenging situation, but in extreme situations it is the only option. Most likely, when threatened with terminating the underlying contract, organizations will agree to execute the BAA.
This topic is one of the more difficult ones facing the entire industry at present. It is not that the answer to the situation is unknown; it is that the best answer is the most challenging solution. However, you must ask yourself one question: “How much can you trust an organization that will not execute a Business Associate Agreement to ensure the privacy and security of PHI?” I am willing to guess an organization that won’t execute a BAA is probably an organization you don’t want to do business with.