The HIPAA Privacy Rule and the Need for a Business Associate Agreement

You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

The U.S. Department of Health and Human Resources (HHS) has a sample business associate contract available on its site listing all the provisions for those that are curious.

While this shouldn’t be copied precisely and is more of a guide than a complete document, it does offer insight into the general terms that a BAA should address, with the addition of customized provisions specific to certain companies’ needs.

A summary of the primary provisions include:

• Obligations and Activities of Business Associate
  • No use or disclosure of protected health information (PHI) unless it’s permitted or required by law.
  • Must use proper safeguards to prevent use or disclosure of PHI.
  • Mitigation in the event of a data breach.
  • Must report any use or disclosure of PHI.
  • Ensures others (subcontractors) agree to the same BAA.
  • Allows CE access PHI.
  • Must create documented HIPAA policies and procedures.
  • Document any PHI disclosures.
• Permitted Users and Disclosures by Business Associate
• • Specifies when BA can use or disclose PHI on behalf of the CE.
• Specific Use and Disclosure Provisions (if applicable)
  • When or why a BA would disclose or use any PHI, to report law violations, with CE permission, or to provide any kind of data aggregation reports to the CE). 
• Obligations of Covered Entity
  • The CE will notify the BA of any changes in permission (including restrictions or revocation) of the individual to use or disclose PHI. 
• Permissible Requests by Covered Entity
  • Terms and effective dates
  • How PHI will be handled after termination (returned or destroyed)
  • Reasons for termination

If you’re a covered entity, protect your company and your patients/clients by signing a thorough BAA. As a best practice recommended for HIPAA compliance, it will only strengthen your ability to pass a HIPAA audit, should the auditors come to your door.

Have other questions about compliance and BAAs? Read our HIPAA FAQ to find answers about BAs, hosting and agreements.

Source:
Business Associate Contracts