by Jodie Cannon, BS, HIPAA Consultant
Business Associate Agreements (BAAs) are a very important requirement of HIPAA compliance and should not be overlooked. Organizations have gotten into trouble because of the lack of a BAA, and Business Associates (BAs) are quite often the source of breaches. This tip is written from the point of view of a Covered Entity, although the same concepts apply to BAs as well (Note: a BA can also have a BA! This is called a “downstream” BA – see below.)
Let us define a Business Associate. From the Health and Human Services (HHS) and the Office for Civil Rights (OCR) website, here is the definition (paraphrased): “A ‘business associate’ is an entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.” It is important to note that interactions between covered entities (CEs) do not require a Business Associate Agreement. This is because it is assumed, since both parties are CEs, that each party is taking the required precautions to protect PHI.
The first step is to identify all your BAs. Some will be obvious: a billing company, an IT provider, a software vendor. Others may not be as obvious. For instance, your copier company is probably a BA because the copiers have a hard drive that can store copies of documents with PHI. An organization is a BA only when accessing or storing your PHI is within the scope of the services it provides. Incidental contact with PHI does not make a vendor a BA – for example, a cleaning company would not normally be considered a BA.
The next thing to do is to make sure all your BAs have signed a BAA with you. This is very important. The BAA is your legal notice to the BA that they are responsible for protecting ePHI under the HIPAA regulations. Some companies, like billers, know they are BAs, but others might not be aware of it. For instance, there was a case in North Carolina where a company that recycled the silver from digital x-rays committed a breach. This came back to haunt the practice in the form of a big fine, because there was no BA agreement on file. Was the recycling company aware of their BA obligations? Not clear. All BAs need to have a signed BAA – no exceptions. And if you are a BA, you can have BAs yourself – this is called a downstream BA. For example, an IT company that is a BA to a medical practice might contract with a backup provider to store ePHI on behalf of the practice. The backup provider would be a downstream BA to the IT company.
A BAA can be pretty standard. We at Modern Practice Solutions offer Business Associate Audit services. As part of the HIPAA policies we offer, the standard Business Associate Agreement form is provided. Of course, you can pay a lawyer lots of money to craft a BAA for you, but it is probably not necessary. The point most negotiated in the BAA is the liability clause. Each party will look to minimize its liability in the event of a breach. Be sure to be aware of this clause in any BAA you sign that has been provided to you by the vendor. It is always to your advantage to provide your own BA agreement and not use one provided by the other party. Most BAAs do not specify an expiration date, so you do not need to sign a new one on a periodic basis. However, you may need to craft a new BAA if the HIPAA regulations change, as occurred back in 2013.
However, just signing a BAA is not all you need to do. Covered entities should also check their BAs to make sure they really have a HIPAA compliance program in place. Some of the questions you should ask your vendor prior to initiating services are:
- Does your organization have a HIPAA security officer?
- Have your employees received HIPAA annual training on HIPAA policies?
- Do you use encryption to protect electronic protected health information?
- Do you have documented HIPAA security policies and procedures?
Too often, organizations will sign a BAA just to get your business, and then totally ignore HIPAA compliance. This creates unnecessary risk for any CE (Covered Entity) because the risk of a breach has not really been lessened even though a BAA has been signed. Remember, the whole purpose of the HIPAA Security Rule is to analyze the risk of a breach and to remediate areas of high risk. If a BA does not have an active HIPAA compliance program in place, this represents a high risk to your organization. There have been numerous instances of BAs causing breaches. Even if you have a BA agreement in place, your organization will still be investigated if a breach is caused by your BA.
In summary, minimizing the risks posed by BAs need not be complicated if you follow a few simple rules. Make sure not to overlook this important component of HIPAA compliance. We have also listed below some additional information regarding who a covered entity is. If you have any questions about your BAs or BAAs, please contact us at firstname.lastname@example.org or 931-232-7738.