Culture/LeadershipPolicy and GovernancePrivacy

The HIPAA Privacy Rule and the Need for a Business Associate Agreement

onlinetech
onlinetech
3 Min Read

You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).

More Read

data breaches

How Hospital Security Breaches Devastate Local Communities

Data Ethics: Safeguarding Privacy and Ensuring Responsible Data Practices
Tips to Protect Office 365 Systems from Data Breaches
The Importance of CSRD Data for EU-Operative Businesses
Google Report Shows Android Users Need VPNs for Data Privacy

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

The U.S. Department of Health and Human Resources (HHS) has a sample business associate contract available on its site listing all the provisions for those that are curious.

While this shouldn’t be copied precisely and is more of a guide than a complete document, it does offer insight into the general terms that a BAA should address, with the addition of customized provisions specific to certain companies’ needs.

A summary of the primary provisions include:

  • Obligations and Activities of Business Associate
    • No use or disclosure of protected health information (PHI) unless it’s permitted or required by law.
    • Must use proper safeguards to prevent use or disclosure of PHI.
    • Mitigation in the event of a data breach.
    • Must report any use or disclosure of PHI.
    • Ensures others (subcontractors) agree to the same BAA.
    • Allows CE access PHI.
    • Must create documented HIPAA policies and procedures.
    • Document any PHI disclosures.
  • Permitted Users and Disclosures by Business Associate
    • Specifies when BA can use or disclose PHI on behalf of the CE.
  • Specific Use and Disclosure Provisions (if applicable)
    • When or why a BA would disclose or use any PHI, to report law violations, with CE permission, or to provide any kind of data aggregation reports to the CE). 
  • Obligations of Covered Entity
    • The CE will notify the BA of any changes in permission (including restrictions or revocation) of the individual to use or disclose PHI. 
  • Permissible Requests by Covered Entity
    • Terms and effective dates
    • How PHI will be handled after termination (returned or destroyed)
    • Reasons for termination

If you’re a covered entity, protect your company and your patients/clients by signing a thorough BAA. As a best practice recommended for HIPAA compliance, it will only strengthen your ability to pass a HIPAA audit, should the auditors come to your door.

Have other questions about compliance and BAAs? Read our HIPAA FAQ to find answers about BAs, hosting and agreements.

Source:
Business Associate Contracts

Share This Article

Follow us on Facebook

Latest News

Shutterstock Licensed Photo - 1051059293 | Rawpixel.com
QR Codes Leverage the Benefits of Big Data in Education
Big Data
football analytics
The Role of Data Analytics in Football Performance
Analytics Big Data Exclusive
smart home data
7 Mind-Blowing Ways Smart Homes Use Data to Save Your Money
Big Data
ai low code frameworks
AI Can Help Accelerate Development with Low-Code Frameworks
Artificial Intelligence

Stay Connected

Lost your password?