Why does HIPAA still require Business Associate Agreements?
- johnehaskell
- Mar 11
- 4 min read

In 2014, the law firm Manatt, Phelps & Phillips ("Manatt") published a paper funded by the California HealthCare Foundation that surveyed sixteen covered entities and five business associates about business associates' compliance with HIPAA, including the topic of business associate agreements ("BAA"). The paper made several interesting findings, notably that (emphasis added):
Many Covered Entities take a self-described "conservative approach" and treat all or nearly all entities with whom they have business relationships as Business Associates. This allows them to deploy one-size-fits-all organization-wide policies and agreements; avoids spending resources determining or negotiating over whether a business partner is or is not a Business Associate, and feels "better safe than sorry" from a regulatory compliance standpoint. For example, several Covered Entities require other health care providers, who are also Covered Entities and who are receiving PHI for their own treatment or health care operations purposes, to sign BAAs. At least one Covered Entity specifically requires its landscapers to sign BAAs because they could conceivably come into contact with PHI during the course of their work.
In a separate blog post, Manatt highlighted several other key findings from the paper. One key finding the blog post highlighted was that "[w]hen BAA negotiations occur between a Covered Entity and a Business Associate, they often relate to provision[s] that are not mandated under HIPAA." Most often, the provisions negotiated concerned indemnification and the time frame for notification of impermissible uses and disclosures and/or breaches.
The paper is from 2014, but the pain points it highlights still ring true for privacy and legal teams today. Confusion persists over who is a business associate and when a BAA is required, and regulated entities still expend valuable resources negotiating them. What's more, business associates became directly liable in 2013 with the Omnibus Rule, which implemented changes made by the HITECH Act. Since business associates have been directly liable for violations under HIPAA for 12 years, one has to ask: why are BAAs still required?
That question was asked (and answered) when the Omnibus Rule was published. More than a decade later, as HHS plows ahead with changes to the Privacy Rule and proposed changes to the Security Rule, reviewing those answers, particularly in light of the Manatt paper, is worthwhile.
In response to questions about the continued need for BAAs, HHS presents three main arguments for maintaining the BAA requirement.
First, and most compelling, HHS highlights that the HITECH Act not only retained the BAA requirement, but also expressly refers to, and ties business associate liability to, making uses and disclosures in accordance with the uses and disclosures laid out in BAAs. Two arguments are packed into this point. The first is an implicit separation of powers argument: the HITECH Act retained the requirement, so HHS cannot simply remove it by rule. This is compelling because Federal agencies, when promulgating rules, have to color within the lines drawn by Congress. However, as discussed below, this is not an insurmountable barrier, as Congress could simply amend HIPAA to remove the BAA requirement.
Second, there is a more substantive argument: that the BAA serves a practical function by laying out the permitted uses and disclosures. HHS incorporates this rationale into its own argument, writing that "[w]e also continue to believe that, despite the business associate's direct liability for certain provisions of the HIPAA rule, the [BAA] is necessary to clarify and limit, as appropriate, the permissible uses and disclosures by a business associate."
On their face, these two arguments make sense, but the regulations themselves belie them. Specifically, a covered entity is permitted to disclose PHI to a business associate. A business associate is, generally speaking, a third party that provides or performs certain functions, activities, or services to, for, or on behalf of a covered entity. Those functions, activities, and services are exhaustively listed under the definition of "business associate." Furthermore, HIPAA cabins a business associate's use and disclosure of PHI almost exclusively to providing or performing such a function, activity, or service, with very narrow exceptions (e.g., proper management and administration).
In other words, the BAA generally does not clarify or limit a business associate's permissible uses and disclosures any more specifically than the regulations already do. This comports with the Manatt paper (and the experience of many healthcare privacy attorneys), in which the bulk of negotiation goes into provisions HIPAA does not require, or into the details within certain required provisions.
HHS goes on with a similar argument, writing that the BAA "is also necessary to ensure that the business associate is contractually required to perform certain activities for which direct liability does not attach (such as amending [PHI] . . .)." That seems like a strong argument for the BAA requirement, but in reality it is specious, because the underlying rationale rests on business associates not being directly liable, something Congress can, as we have seen, remedy.
Third, and least compelling, HHS argues that the BAA "serves to notify the business associate of its status under the HIPAA rules, so that it is fully aware of its obligations and potential liabilities." It's difficult not to wince reading that.
As the Manatt paper demonstrates, in 2014 confusion abounded about who is a business associate and when a BAA is required. From my own professional experience, that confusion has not abated, and importantly HHS has not provided guidance to lift that fog of confusion over the industry.
It is unlikely that either Congress or HHS will prioritize remedying the issues around the BAA requirement. However, regulated entities concerned about the problems with the requirement should continue to raise them, particularly in light of the recent proposed changes to the Security Rule, which only heighten the burdens of the BAA requirement.