In our last post, we covered the HIPAA Privacy Rule and how it applies to Business Associates. In this post, we'll cover Business Associate Agreement, which is a written contract between a covered entity and a Business Associate and is required for HIPAA compliance.
The Business Associate Agreement (BAA) has 10 provisions that must be covered:
- Determine the amount of protected health information (PHI) the Business Associate is allowed to disclose.
- Assures the Business Associate will not use or release PHI other than required by the contract or by law.
- Require the Business Associate to use appropriate safeguards to prevent unauthorized access to PHI. This is especially important when it comes to electronic protected health information, or ePHI. The Business Associate must make sure high encryption standards are always in place and that hackers don't penetrate its systems.
- Compel the Business Associate to report to the covered entity any data breaches of unsecured protected health information.
- Make sure the Business Associate releases protected health information when a patient asks for it.
- Define what components of the HIPAA Privacy Rule the Business Associate is responsible for and make sure it complies with those requirements.
- Require the Business Associate to make available its internal practices, books, and records to the U.S. Department of Health and Human Services.
- At termination of the contract, require the Business Associate to return or delete all protected health information it received from the covered entity.
- If a Business Associate uses subcontractors that have access to protected health information, the BA must make sure those subcontractors also sign a Business Associate Agreement.
- Allow the covered entity to terminate the agreement if the Business Associate violates a material term of the contract.
Is a Business Associate Agreement required?
Page 3 of the HIPAA Privacy Rule Summary states that, " when a covered entity uses a contractor or other non-workforce member to perform 'business associate' services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement."
In other words, if you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law. If you are dealing with a vendor that stores electronic protected health information for you and does not ask for or require a Business Associate Agreement, that's a recipe for fines and penalties.
Fines for Lack of a Business Associate Agreement
In 2012, Phoenix Cardiac Surgery agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 penalty for violations of the HIPAA Privacy Rule. Upon investigation, it was revealed that, " Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI."
We Understand the Business Associate Agreement
Here at Paubox, each plan comes with a Business Associate Agreement. We understand the HIPAA Privacy Rule. We understand our duties and responsibilities as a Business Associate. And we understand what it takes to execute a Business Associate Agreement.