Limitations is a variable that appears in the Business Associate Agreement Cover Page, in the Key Terms section. This section is for your agreements' key legal terms.
This term allows you to include limitations within the agreement for subcontracting, offshoring, de-identification and aggregation.
Default: No additional limitations.
How to fill this out
By default, the BAA includes NO limitations. This means that the business associate or subcontractor (depending on the relationship under the BAA) can use subcontractors (subject to the requirements in the Standard Terms), can offshore PHI to provide services, can de-identify PHI, and can aggregate PHI for its own purposes. Use the Limitations variable to place specific restrictions or limitations on these activities.
Subcontracting
Subcontracting is when a Business Associate delegates part of its function, activity, or service that involves the use or disclosure of PHI to a person or organization outside of its workforce. Note that this term can carry a slightly different meaning in the context of a BAA than it does in the principal or underlying agreement.
Factors to consider when setting up limitations on subcontracting:
Is your company not allowed to use subcontractors at all?
Can your company use subcontractors under certain circumstances, and if so when?
Is written permission required before your company can use subcontractors?
Offshoring
Offshoring occurs when part of the services to be provided may require the use or disclosure of PHI to a person or entity outside of the United States. Although HIPAA does not restrict the use or disclosure of PHI outside of the United States like other laws such as GDPR do, there may be other reasons a company may not be able to offshore data (e.g., in order to comply with some state Medicaid and Medicare laws).
Factors to consider when setting up limitations on offshoring:
What kind of activities require the use and disclosure of PHI abroad?
Is your company not allowed to use offshoring services or send PHI abroad at all?
Can your company use offshoring services or send PHI abroad under certain circumstances, and if so when?
What kind of vendors and sub-contractors are being used in your technical infrastructure? Are these global companies where it might be more likely that data may be transferred?
What kind of offshoring services is your company conducting (some might be easier to negotiate than others)?
De-identification
De-identification is the process of removing the individually identifying elements of Protected Health Information (PHI), so that the data is no longer PHI and no longer subject to HIPAA regulations. HIPAA has two standards for de-identification: the Safe Harbor method (when you remove all identifiers listed in the law and there is no other known means of re-identifying the individuals) and the Expert Determination method (when a qualified statistical expert reviews the data and documents that the risk of re-identification is very small).
Factors to consider when setting up limitations on de-identification:
Is your company not permitted to de-identify PHI at all?
Can your company de-identify PHI under certain circumstances, and if so when?
Is your company only permitted to de-identify PHI under one de-identification standard but not the other?
Is de-identification of PHI part of the services to be provided?
Why is your company de-identifying the PHI (e.g., are there legitimate reasons for de-identification)?
Data Aggregation
Data aggregation occurs when a company combines data received in its capacity as a business associate (or subcontractor) from one or more covered entities (or business associates). A company may engage in data aggregation to improve performance of a product or to gather insights about the dataset.
Factors to consider when setting up limitations on data aggregation:
Is your company not permitted to aggregate PHI at all?
Can your company aggregate PHI under certain circumstances, and if so when?
If your company needs to aggregate PHI, what are the underlying purposes (e.g., product improvement, cross-customer insights)?
Can your company’s products or services be effectively provided without aggregation of data?
Is data aggregation part of the service being provided?