Business Associate Agreements

Some controversy has erupted regarding the status of business associate agreements when the business associate refuses to enter into one. The preamble to the HHS July 14, 2010 proposed regulations provides that if a covered entity and business associate have failed to enter into a business associate agreement, then the business associate may use or disclose protected health information only as necessary to perform its obligations for the covered entity (pursuant to whatever agreement set the general terms for the relationship between the covered entity and business associate) or as required by law, but any other use or disclosure would violate the privacy rule. Some business associates have interpreted this as a default standard of having no BA agreement. It appears that HHS was trying to set forth some protection for covered entities that needed to do business with a BA but couldn't get the BA to agree to a BA agreement. (Unfortunately, this situation is becoming more common.) However, I seriously doubt that HHS was attempting to set forth a default "no BA agreement standard" when the requirement remains that all CEs must obtain a BA agreement with their BAs. In addition, the disclosure allowed in such a situation is so limited that any other use or disclosure, such as a use of PHI by a BA for data aggregation, would violate the privacy rule. Further, monetary penalties for not signing a BA agreement apply equally to both the CE and the BA. Look for clarification of this in the final regulations.
