Business Associate Agreements: More Than Just a Template
How to get the best out of your BAAs
Business Associate Agreements (BAAs) are an essential part of any effective HIPAA compliance program. But understanding what a good BAA should and should not include isn’t as intuitive as understanding that you need one in the first place.
Below, we’ve compiled the basic components of a HIPAA Business Associate Agreement template for you to peruse. Keep in mind that BAAs are legally binding contracts, so it’s best to have a compliance expert, security officer, or lawyer help you before finalizing anything with your organization’s Business Associates (BAs).
But first, let’s define what exactly the HIPAA Rules qualify as a Business Associate (BA). According to guidance from the Department of Health and Human Services (HHS), a BA is:
“[A] person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”
Essentially, if an organization is hired to handle, use, distribute, or access protected health information (PHI), they likely qualify as a BA under HIPAA regulation.
The quick rule to remember with Business Associates: before you share PHI, you must have a BAA in place. That’s the easiest way to protect your practice or organization in the event of a breach, which we’ll discuss in more detail below.
Compliancy Group’s web-based compliance solution, The Guard, comes equipped with everything you and your organization need to manage your HIPAA Business Associates.
Business Associate Agreements
BAAs are mandated by the HIPAA Security Rule. They consist of information regarding the permissible and impermissible uses of PHI between two HIPAA-beholden organizations. That can include relationships between a CE and a BA, as well as relationships between two BAs.
Business Associate Agreements should be heavily vetted against the HIPAA rules to ensure that they cover everything they’re meant to. In most cases, it’s best to use BAAs supplied by your HIPAA compliance solution–if you have a consultant or security-based solution for your compliance though, they probably won’t supply you with a BAA without additional charges.
In our case, the BAAs we give to our clients are fully vetted against the HIPAA rules, and included as a part of our total compliance solution. Our team of expert compliance coaches guide users through the entire BA management portion of their compliance plan.
Who Needs a Business Associate Agreement?
Any Business Associate you share PHI or ePHI with over the course of the work they’ve been hired to do is who needs a Business Associate Agreement.
Here is a short list of some of the most common examples of Business Associates we see in the market. For the full list, visit our examples of Business Associates.
- Medical billing services
- IT service providers
- Practice management
- Cloud storage providers
- Physical storage providers
- EHR providers
- Shredding services
- And many more
“We’re both beholden to federal HIPAA regulation.”
The first thing that a good BAA must include is an acknowledgement that the organization issuing it is beholden to HIPAA regulation. And the second thing it must include is an acknowledgement that the organization signing the BAA is beholden to HIPAA regulation.
This is a fairly intuitive idea: essentially, if both organizations agree that they fall under HIPAA, they can’t excuse themselves from liability by claiming they shouldn’t have to follow HIPAA regulation.
A good Business Associate Agreement will protect both parties in the event of a breach, so it’s in your best interest to ensure that they’re executed using the proper language.
A good Business Associate Agreement also serves the important function of protecting organizations from liability in the event of a breach. If one of the two parties is responsible for a breach of protected health information, then a BAA should clearly hold that party responsible with language defining that.
In past OCR investigations where BAAs were not properly executed, Covered Entities that had nothing to do with the breach that incited the investigation were held liable for the loss of data.
Not only are BAAs mandated by federal regulation, they’re also in the best interest of protecting your organization’s reputation. Breaches can permanently impact your organization with a place on the HHS Breach Portal, otherwise known as the “Wall of Shame.”
With Compliancy Group, you get the confidence of a total compliance solution that simplifies HIPAA so that you can focus on running your organization. BAAs and Business Associate Management are important parts of any compliance plan, and The Guard is built to manage all of that from an all-in-one web-based compliance portal.