Can Business Associate Agreements Be Assigned?

Business Associate Agreements (BAAs) are agreements between a Covered Entity (CE) and a Business Associate (BA) to ensure that Protected Health Information (PHI) is properly safeguarded. In these agreements, the CE and BA agree to comply with the HIPAA Privacy and Security Rules, specify the permitted uses and disclosures of PHI, and set forth responsibilities in the event of a breach. But can these agreements be assigned to another entity?

The answer is not a simple one. Generally, BAAs cannot be assigned without agreement from all parties involved, but the outcome also depends on the language in the specific agreement. A BAA might contain a clause that allows assignment with written consent, upon a change of control, or in connection with a sale or transfer of all or substantially all of the business.

When a BAA is assigned, all provisions and obligations under the agreement must be assumed by the new entity. This includes maintaining the privacy and security of PHI, implementing appropriate safeguards, and reporting any breaches to the CE. The new entity should also sign a business associate addendum agreeing to take on the responsibilities outlined in the original BAA.

If a BAA cannot be assigned, a new agreement must be executed with the new entity. This ensures that the CE is aware of and has approved the new BA, and that all obligations are met under HIPAA regulations.

Assigning a BAA requires careful consideration and review of the underlying agreement. It’s important to consult legal counsel to ensure compliance with HIPAA regulations and to properly handle the transfer of PHI.

In summary, while BAAs generally cannot be assigned without agreement from all parties involved, it depends on the specific language in the agreement. If assignment is permitted, the new entity must assume all provisions and obligations under the BAA, and a business associate addendum should be signed. If assignment is not permitted, a new agreement must be executed with the new entity to ensure compliance with HIPAA regulations.