
Business Associate Agreement

A business associate agreement (BAA) is a vital part of HIPAA compliance. Without one, your organization could face hefty fines and corrective action plans.

A BAA is required whenever a covered entity (CE) shares PHI with a business associate (BA). This includes physical copies of x-rays, insurance information, and patient data stored by third-party software providers.

What is a BAA?

With the size and complexity of modern healthcare, it’s often necessary for practices to work with third-party services to ensure that their clients can receive quality care. Whether it’s physical copies of x-rays that need to be stored offsite or insurance data that needs to be sent electronically from one location to another, health organizations can’t afford to handle sensitive information on their own.

If a vendor or contractor is going to be working with PHI, they must have a BAA in place with the covered entity before any services can begin. The BAA serves as a contractual agreement between the two parties, binding both to specific regulations and requirements for handling patient records.

The contract also ensures that when the service contract ends and the BA no longer has access to PHI, they will return it or destroy it. Failure to do so could result in legal ramifications for both the covered entity and the BA.

What are covered entities?

Covered entities need to require BAAs from all their business associates that may access PHI. For example, a hospital onboarding a cybersecurity vendor will need to ensure that the security vendor signs a BAA. The same is true for any entity that may come into contact with PHI on behalf of the covered entity. A designated security officer, attorney, or HIPAA compliance solution will be best suited to help you understand these legally binding contracts.

Despite the need for BAAs, many covered entities take a self-described conservative approach to their compliance: they treat every vendor as a business associate, even those who might not actually need to sign a contract. This saves time and resources otherwise spent determining which vendors require an agreement; it feels “better safe than sorry” from a compliance perspective; and it keeps the business associates from being exposed to regulatory fines in case of a breach.

The types of business associates that must sign a BAA include data processing services, clearinghouses, community health information systems, and value-added networks (like Google Drive, Sheets, and Chat). Contractors working exclusively for your company, individuals with other clients, and employees who are not authorized to work on PHI do not qualify as business associates.

What are the requirements of a BAA?

HIPAA regulations require that you have a BAA in place with any company that creates, receives, sends, or keeps your PHI. This includes contractors and subcontractors – such as IT service providers.

These agreements establish that the company will abide by HIPAA rules and will protect your data from any breaches. Additionally, they will agree to return or destroy all of your PHI when their services are complete or the agreement is terminated.

You should also include a provision that requires the BA to provide you with documentation of their employees’ training on how to handle ePHI. Additionally, you should ensure that your BAAs with all of your business associates are reviewed on a regular basis to make sure they are still valid. You should also consider aligning reassessments with your procurement cycle so that you can get your vendors to update their contracts before a breach occurs. This will save you time and money while ensuring that your BAs continue to comply with the rules.

What are the benefits of a BAA?

Having a BAA in place is the best way to protect your organization from fines and investigations for non-compliance. It is also a good way to make sure that all of your vendors can meet your specific data-handling requirements and are working to the highest standards.

If you are a healthcare provider or any other entity that is covered under HIPAA, you should have a BAA in place with anyone who will come into contact with your PHI. This includes outside companies that you hire to do work on your behalf, such as a printing company that scans your physical copies of x-rays to digitize them for storage, or a cloud-based service that stores your electronic PHI.

A BAA provides you with the assurance that your BA can meet the Administrative, Physical, and Technical standards under HIPAA to keep your information secure. You should review your BAAs annually to ensure they still meet all of the HIPAA regulations.