A business associate contract, or Business Associate Agreement (BAA), is a required contract between a company (the entity) that collects, processes, and maintains consumer information and its subcontractors (business associates). Its purpose is to protect the entity's consumer information that the business associate may access or manage. The term BAA is most commonly used in the United States under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure the protection of consumers' Protected Health Information (PHI).
A business associate agreement between an entity and any service provider that collects or processes PHI or other consumer information must be in writing and must require the business associate to:
1. use and disclose PHI or other consumer information only in accordance with the written agreement,
2. use or further disclose the information only as permitted or required by the BAA or as required by law; any other use or disclosure must be approved by the entity,
3. implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including the requirements of applicable regulations such as HIPAA,
4. report to the entity any unauthorized use or disclosure of the information,
5. upon termination of the contract, return or destroy all protected health information it has received or created,
6. ensure that any subcontractors it engages abide by the same restrictions and conditions that apply to the business associate with respect to consumer information; and
7. authorize the entity to terminate the contract if the business associate violates a material term of the contract.
It is important to emphasize that allowing a third-party service provider access to consumer information does not remove the entity's responsibility to protect the information it collects from consumers. Therefore, vendor oversight, including a business associate contract and audits, must be in place not only to ensure that subcontractors take the same protection measures as the entity, but also to protect the entity from legal liability when a subcontractor violates the terms of the business associate agreement.
Finally, business associate agreements must be consistent with the entity's information security and privacy policies, which should themselves be aligned with the applicable regulations. Ensuring consistency between the entity's policies and its contractual agreements provides assurance that the business associate is also complying with the laws that govern the entity, assuming the entity has reconciled its own policies with those regulations.