Q&A: Business associate agreements

Q: A situation recently arose with one of our business associates (BA). We have a copy of a business associate agreement (BAA) signed by the company; however, there have been some changes in personnel within the BA. The BA now claims it has no record of the BAA and does not feel it should be bound by the agreement. We suggested creating and signing a new BAA but the BA is reluctant to agree to do that. Is it a HIPAA breach if the BA no longer has a copy of the BAA?

A: As a covered entity (CE), you are required to have a written agreement with each of your business associates to secure the PHI to which the BA has access. If the BA claims it does not have a copy of the agreement previously signed, the BA is clearly not abiding by the agreement. You should (1) provide a copy of the existing agreement to the BA and obtain their agreement to abide by it; (2) have the BA sign a new agreement, or (3) terminate your contract with the BA.

This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS for Briefings on HIPAA. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.