BAA – Business Associate Agreement – Yours, Mine, or Ours?

Takeaways: Updated BAA deadline is Sept 23, 2014 and 5 tips for managing your BAAs.
Who is really in control of the content of the Business Associate Agreements to be signed? It has been a frequent question now that BAAs are required everywhere. Just who gets to control what is in the BAA comes down to the Yours, Mine, or Ours discussion.

Historically, small CEs had been able to use their own BAA, often pulled from a template pack. Their BAs would sign them as if they were simply providing an autograph, not making any serious commitments. That was before HITECH. Today both parties need to be aware of what they are signing and make sure they are covering their requirements. Which party should create the contract?

CEs are the ones with the ultimate responsibility to the patient. CEs are also the ones responsible for breach notifications to the patients. You certainly wouldn’t want to learn of a breach in the news instead of directly from a BA because they didn’t tell you about it for 45 days, as their contract allows. It is understandable that a CE would want to control the content of the agreement to protect their patients and their own reputation.

BAs can have an especially complicated time sorting through all their contracts. They have BAAs with all their CE and BA clients and with all their vendors who have access to that PHI and with any subcontractors they use to do the work for their clients. It is easy to see why they would want to use their own contract in each case rather than review hundreds of them.

Some people have suggested signing both contracts but that creates a great deal of confusion since you don’t know which one will ultimately be followed.  I have stopped that idea more than once.

Which one do you use? There is no rule other than the parties must have an agreement defining what should be done to protect PHI. No single contract will likely be used for every single case in any business. It will likely be some of yours, some of theirs, and some you work out between each other (ours).

The best we can do for you is provide some tips for managing your BAAs and here are your 5 tips, as promised.

  1. Know what is in your version of the contracts to make it easy to reference those requirements when needed. Don’t just pick a template and go with it because some of those templates have some crazy things in there.  Review the details before using one.
  2. A contract between a CE and a BA should be worded differently than one between two BAs. If you take a CE-to-BA contract and apply it unchanged between two BAs, it makes little to no sense. You may need multiple standard contracts for different scenarios. The requirements can be the same, but the wording needs to make it clear what responsibilities are being delegated.
  3. All these contracts must be managed to track and confirm they stay up to date and you know what they specify. You will need to easily tell what version and dates you have on each one. Create something in your compliance document management system specifically for indexing all your BAAs.
  4. BAs need to know the strictest requirements across all your contracts, because that is the standard your policies and procedures need to follow. Many people stumble on that point and ask why the strictest requirements are the ones they have to follow. Because:
    • You won’t be able to have your workforce follow different rules for different CEs and BAs with much success. That would become a management nightmare.
    • More importantly, that contract’s commitment is the minimum your BAAs must reflect to any of your downstream BAs; otherwise, you can’t meet the requirements of your own commitments as they pertain to your BAs.
  5. Remember that the BAA should cover Breach, Security, and Privacy rule requirements.
    • CEs need to make sure proper uses and disclosures are covered in the contract, along with what is considered PHI under the Privacy rule, at a minimum.
    • We have found many BAs with no reference to Privacy rule requirements in any of their compliance plans, yet a number of their contracts stated specifically that they were responsible for the Privacy rule as it applied to their CE, with no further clarification. The common misconception that BAs don’t need to worry at all about the Privacy rule is completely shot down when that language is in your BAA.

Since the final BAA deadline is rapidly approaching, it is a perfect time to do a complete review of all your contracts. That goes for both CEs and BAs. You both are required to have all of your BAAs up to date with the Omnibus details included by Sept 23, 2014. Use these tips to help you check that your bridges are built and structurally sound between all your vendors, subcontractors, clients, etc.