Business Associate Agreement


In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed into law in order to improve efficiency of the health care system and protect the security of patient information and data. The Privacy Rule of HIPAA ("Privacy Rule"), which became effective April 2003, governs the use and disclosure of individually identifiable patient/client health information of many programs accredited by the Commission on Accreditation ("CoA") if such information has not been de-identified (redacted) in accordance with specific, strict provisions of the Privacy Rule. The Privacy Rule requires that programs that are "Covered Entities" under HIPAA have agreements with their "Business Associates" as a means of obtaining satisfactory assurance that the Business Associate will appropriately safeguard such protected health information ("Business Associate Agreement(s)"). Accreditors such as CoA are considered a Business Associate if they receive Protected Health Information from a Covered Entity that has not been de-identified. The Privacy Rule sets forth many required provisions of the Business Associate Agreement.

Implementation by the Commission on Accreditation

The HIPAA regulations recognize the necessity of access by accreditation bodies to individually identifiable health information. CoA has considered the implications of the Privacy Rule for its accreditation functions and has determined that each site visitor will be required to sign a Site Visitor Confidentiality Agreement prior to each site visit. CoA is not requiring a Business Associate Agreement from all programs. However, some programs may wish to have CoA sign a Business Associate Agreement prior to a site visit. Because the issues concerning confidentiality and access to Protected Health Information during the CoA accreditation process are similar for all programs that are "Covered Entities" under the Privacy Rule, CoA has developed its own version of the Business Associate Agreement for such purpose. The use of this version of the Business Associate Agreement (PDF, 29KB) will reduce the complexity, paperwork and administration costs of implementing the Privacy Rule in the accreditation context. The CoA agreement was drafted to include the requirements for a Business Associate Agreement contained in the Privacy Rule and is very similar to the Business Associate Agreements being used by other accrediting bodies.

To Obtain a Business Associate Agreement With CoA

To obtain a signed Business Associate Agreement with CoA, please contact the APA Office of Program Consultation and Accreditation at (202) 336-5979 or by email. You may also print a copy of CoA's Business Associate Agreement, complete the missing information and send a signed copy to the APA Office of Program Consultation and Accreditation, American Psychological Association, 750 First Street NE, Washington, DC 20002-4242.