The HIPAA Privacy Rule and the Need for a Business Associate Agreement

You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

The U.S. Department of Health and Human Resources (HHS) has a sample business associate contract available on its site listing all the provisions for those that are curious.

While this shouldn’t be copied precisely and is more of a guide than a complete document, it does offer insight into the general terms that a BAA should address, with the addition of customized provisions specific to certain companies’ needs.

A summary of the primary provisions include:

Obligations and Activities of Business Associate
- No use or disclosure of protected health information (PHI) unless it’s permitted or required by law.
- Must use proper safeguards to prevent use or disclosure of PHI.
- Mitigation in the event of a data breach.
- Must report any use or disclosure of PHI.
- Ensures others (subcontractors) agree to the same BAA.
- Allows CE access PHI.
- Must create documented HIPAA policies and procedures.
- Document any PHI disclosures.
Permitted Users and Disclosures by Business Associate
- Specifies when BA can use or disclose PHI on behalf of the CE.
Specific Use and Disclosure Provisions (if applicable)
- When or why a BA would disclose or use any PHI, to report law violations, with CE permission, or to provide any kind of data aggregation reports to the CE).
Obligations of Covered Entity
- The CE will notify the BA of any changes in permission (including restrictions or revocation) of the individual to use or disclose PHI.
Permissible Requests by Covered Entity
- Terms and effective dates
- How PHI will be handled after termination (returned or destroyed)
- Reasons for termination

If you’re a covered entity, protect your company and your patients/clients by signing a thorough BAA. As a best practice recommended for HIPAA compliance, it will only strengthen your ability to pass a HIPAA audit, should the auditors come to your door.

Have other questions about compliance and BAAs? Read our HIPAA FAQ to find answers about BAs, hosting and agreements.

Source:
Business Associate Contracts

How Formula 1 Teams Leverage Big Data for Success

A Year After: Has Blockchain Changed Advertising by 2022?

5 Ways Investors can Benefit your Cloud Startup

AI Technology Helps App Marketplaces Compete with App Store

Data-Driven Marketers Must Configure Outlook Data Files

How Formula 1 Teams Leverage Big Data for Success

A Year After: Has Blockchain Changed Advertising by 2022?

5 Ways Investors can Benefit your Cloud Startup

AI Technology Helps App Marketplaces Compete with App Store

Data-Driven Marketers Must Configure Outlook Data Files

The HIPAA Privacy Rule and the Need for a Business Associate Agreement

How Formula 1 Teams Leverage Big Data for Success

A Year After: Has Blockchain Changed Advertising by 2022?

5 Ways Investors can Benefit your Cloud Startup

What Are the Most Serious Privacy Concerns Regarding Big Data?

AI Technology Helps App Marketplaces Compete with App Store

Data-Driven Marketers Must Configure Outlook Data Files