If you are a healthcare provider looking to expand your services into the growing world of telehealth, it is extremely important that you are up to speed on best practices for following HIPAA regulations as well as the specific requirements for telehealth. One of those requirements is a Business Associate Agreement (BAA). A BAA is a critical part of any effective program that complies with HIPAA.
The HIPAA Privacy Rule requires all covered entities to sign a Business Associate Agreement with any Business Associate (BA) they hire that may come into contact with Protected Health Information. The HIPAA Omnibus Rule changed how Business Associates and Business Associate Subcontractors (BAS) can be held liable for violations of HIPAA. With this ruling, it is extremely important that the Covered Entity and the Business Associate reach a thorough understanding of how they expect to secure patient, client and employee data.
What are common terms in a Business Associate Agreement?
Covered Entity: This refers to the physician, the specialist, the health plan, the health insurance provider or the healthcare clearinghouse. Generally, these transactions concern billing and payment services or insurance coverage.
Business Associate: This is the organization that creates, maintains, transmits or receives patient health information on behalf of the Covered Entity. This includes medical billing companies, accountants, attorneys, transcription services, email encryption providers, file sharing vendors, backup storage companies and so on.
Business Associate Subcontractor: This is the organization that creates, receives, transmits or maintains patient health information on behalf of a Business Associate. This could be an accountant, attorney, transcription service, file sharing vendor, IT support vendor, shredding company and so on.
Who needs to sign a Business Associate Agreement?
- Medical billing services
- IT service providers
- Practice management
- Cloud storage providers
- Physical storage providers
- EHR providers
- Shredding services
What’s not considered a Business Associate?
- Internet service providers
- U.S. Postal Service
- Other courier services
Just because these contractors are not considered Business Associates does not mean that they have free rein and no restrictions when it comes to PHI. Your organization is still responsible if one of these contractors breaches Protected Health Information. Instead of having them enter into an agreement like the one you have with your Business Associates or subcontractors, HIPAA recommends having them sign a confidentiality agreement that outlines many of the same requirements and information for protecting sensitive health data.
What’s in a BAA?
A Business Associate Contract, also called a Business Associate Agreement, is a written agreement that specifies each party’s responsibilities when it comes to Protected Health Information (PHI). HIPAA requires Covered Entities to only work with Business Associates who promise total protection of PHI. Because HHS can audit BAs and subcontractors to make sure they are staying in compliance with HIPAA, it is vital that organizations have a Business Associate Agreement for all three levels in order to meet the HIPAA requirements. Per HHS requirements, the agreement with the Business Associate/subcontractor must:
- Describe the permitted and required uses of patient health information by the Business Associate/subcontractor.
- Ensure that the Business Associate/subcontractor will not use or disclose Protected Health Information other than as agreed upon and as permitted by law.
- Require that the BA/subcontractor use appropriate safeguards to protect against unlawful PHI use or disclosure.
A good HIPAA Business Associate Agreement will serve to protect organizations from liability in the event of a PHI breach. If one of the two parties is responsible for a breach, a BAA should hold that party responsible, with language in the contract that clearly defines this. Not only are Business Associate Agreements federally mandated, they are also in the best interest of an organization’s reputation, which a breach can permanently destroy.
What happens if PHI is disclosed?
If a Business Associate or subcontractor fails to meet and uphold the requirements of an agreement, there are substantial ramifications. In some cases, they will be subject to criminal penalties. When a Business Associate or subcontractor violates a BAA, it is the responsibility of the Covered Entity to take steps to fix the breach. If those steps are unsuccessful, they must terminate the contract. If it’s impossible to terminate the contract, the Covered Entity must contact the HHS Office for Civil Rights.
For more information on the Business Associate Agreement, Telehealthist offers a HIPAA course, available here. In the course, you will learn everything from the basics of HIPAA to privacy laws, security risks, safeguards and best practices.