Medical providers don’t run their business alone. They work with various third-party vendors to ensure that all their business operations are functioning well while they focus on quality patient care.
However, working with third-party vendors exposes is not all sunshine. Some third-party vendors require access to the protected health information (PHI) that you store, create or use, or otherwise, they won’t be able to perform their tasks.
These vendors might be a medical billing company, an IT support, or a document shredding company. But if they come into contact with the PHI you hold, then they are your business associates.
Just like any covered entity, business associates (BA) also have HIPAA obligations. They must also safeguard PHI and require their own set of directions for proper PHI handling. And one of the first and most important HIPAA obligations between a covered entity and business associates is documenting a signed Business Associate Agreement (BBA) in place.
A BAA is essentially a written agreement between you and the vendor, specifying each party’s responsibilities when accessing and maintaining PHI. With a BAA in place, your medical practice will be on the safe side in case anything were to happen, like a breach. However, you will also be held somewhat accountable since it’s also your responsibility to ensure that the business associate is complying with HIPAA when they access your PHI.
That is why covered entities, whether it’s a hospital or dental firm, shouldn’t just provide anyone access to patient’s sensitive health information without laying some groundwork first. Business Associate Agreements (BAAs) can be very lengthy and may differ based on the type of vendor you are working with. On that note, let’s take a look at what should a basic BAA contain:
Permitted Uses and Disclosures of PHI
Whether it’s a business associate or a healthcare provider, they can’t just share PHI with anyone they want. There should be a documented written agreement clearly specifying all the do’s and don’ts to ensure everyone is on the same page regarding the use and disclosure of PHI.
Business Specific Safeguards
Security controls that might work for one organization might not apply to another. That is why organizations should assess their workflow and implement appropriate technical, physical, and administrative safeguards to best protect PHI.
Breach Notification Requirements
A business associate agreement also includes specific requirements for reporting data breaches in case the worst happens. Typically, the guidelines cover the process for breach notifications and the timeframe, which is currently no later than 60 days upon discovery, that the BA must notify the medical provider according to the current HIPAA regulations.
BA Employee Training Requirements
Anyone who comes into contact with PHI should receive HIPAA training. The agreement should include details about training requirements so that all BA employees know how to best handle patients’ health information.
BAA Termination Guidelines
A medical provider might reach an expiration date on the agreement or might separate ways, or may have found another vendor to work with – whatever the case may be, there should clear guidelines for how PHI should be handled upon the termination of the BAA to ensure that PHI is properly disposed of or return to your practice.
Guidelines for providing PHI access at patient’s request
Patient right of access continues to be a source of many confusion and has been a huge government enforcement issue and focus. A BAA should include proper policies and procedures for responding to patient record requests.
Jotting down the requirements in a Business Associate Agreement is only the first step towards compliance. You will also need to be aware of proceedings happening within your own practice by making sure you are following all the HIPAA compliance requirements. HIPAA Compliance Software can be a great asset for you in that regard.
All In One HIPAA Compliance Management Solution
A All in One HIPAA Compliance Software, will enable you to achieve compliance by making sure you are following all the requirements through a checklist of tasks. HIPAA Compliance Software also enables you to manage training sessions effortlessly. With pre-loaded training materials, you will be able to get started with everything you need to know to handle patient’s health information.
One thought on “Business Associate Agreement – When and Why Would You Need One?”