What exactly is a Business Associate and why do we need an agreement?

aspida_3for3_HIPAAHQThink about any entity, or individual, you allow access to your patient information (or Protected Health Information – PHI) in order to facilitate their job. This could be anyone from an IT company, your practice management system, even your collections agency. Wouldn’t it be nice to know these companies are taking precautions to safeguard your patient PHI? This is exactly what a Business Associate Agreement (BAA) is!

This is a guest post written by Laura Miller, Compliance Manager of Aspida.

We’re going to delve into the ins and outs of BAAs and who exactly you need them with. There are several standards in the Federal Register to address what these are and why they’re needed.

Administrative Safeguards – § 164.308(b)(1) Business Associate Contracts and other Arrangements – A covered entity, in accordance with §164.308 may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information.

Implementation Specifications – § 164.314 (a)(2)(i) Business Associates Contracts – The contract between a covered entity and a business associate must provide that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.

With the HIPAA Omnibus rule, Business Associates are more responsible and accountable than ever before to protect your data. It’s integral to have a contract in place to ensure your Business Associate is responsible in obtaining, maintaining and protecting your patient’s electronic protected health information (ePHI). Below is a great start* on who you should have a BAA with:

 

Absolutely Not Necessary
IT Service Provider Another Covered Entity
(Doctor or Specialist you’re referring to)
Vendor Support (i.e. Schein, Patterson, Etc.) Cleaning Crew
Appointment Reminder Company Consultants not interacting with PHI
Document Shredding Company Cleaning Crew
Email Provider Insurance Companies
Collections Agency Dental Labs

*Not to be considered a complete list

Some larger companies may provide their own to you. This is normal but beware of loopholes! You will want to ensure a couple of things:

  • The BAA is updated with the latest amendments (including the Final Omnibus Rule in 2013)
  • Subcontractor Clause: Best to confirm your BAAs are taking responsibility to execute a BAA with their own subcontracts.
  • Liability/assumption of financial responsibility in the event they cause a breach due to their mishandling of PHI.

Covered entities and business associates may be in violation of HIPAA if there is no required BAA in place! For more info, and sample BAA templates, check out www.hhs.gov/hipaa.

Special offer for Aspida Mail:
Try the First Three months for $3! Aspida offers a 30 day money back guarantee, month to month contracts and risk free cancellation!
Use HIPAAHQ in the “Promotional Code” box in the shopping cart.
Click here to learn more about their product.

About the author

Laura Miller is Compliance Manager of Aspida, which has quickly established itself as an industry leader in providing compliance security products and services for healthcare providers. Their first product to market, Aspida Mail, offers medical practices affordable Encrypted Email without compromising security. Miller has over 8 years of experience in the healthcare industry including 3 years with a primary focus on HIPAA Compliance procedures.

About Jacco / Editor HIPAA HQ

Jacco Blankenspoor is the founder and editor of HIPAAHQ.com. Jacco specializes in providing useful and in-depth information about the complex topic that is HIPAA Compliant Hosting.

Check Also

HIPAA Compliant Data Center

What is a HIPAA Compliant Data Center & How to Find One

Choosing a HIPAA compliant data center that meets your IT needs and serves as a trusted partner takes time, but is a critical piece of the puzzle. Non-compliance is not an option for the survival of your organization.