In order to maintain HIPAA compliance and ensure that sensitive health information remains secure, all healthcare providers must maintain a type of contract called a Business Associate Agreement with their technology vendors and service providers. In this guide, we’ll help you get a better understanding of what it means to establish a business associate agreement. What do these terms mean and how do they help protect your clients, your business, and protected health information? Here we’ll look at everything there is to know about business associate agreements.
HIPAA is the Health Insurance Portability and Accountability Act. It is the US federal law that regulates the protection of sensitive patient health information relating to PHI (protected health information) such as doctors notes or lab test results, medical histories and other information that is stored and transmitted between covered entities and their business associates.
Under HIPAA a “covered entity” is any healthcare provider, but the definition also includes healthcare plans and healthcare clearinghouses. Such as:
HIPAA “business associates” are defined as persons or entities that use, disclose, maintain, create, receive, or transmit PHI on behalf of the covered entity for a healthcare function or other related purpose. They may also be entities that provide professional services to covered entities. This can include tech vendors, providers, and SaaS products. Such as:
Increasingly as practices digitize their workflows, more and more third party vendors such as B2B Saas companies are selling to covered entities. In these cases, Business Associates might refer to a tech vendor providing a file sharing vendor, CRM, or IT support vendor.
A Business Associates Agreement (BAA) is required between a covered entity like a hospital or other healthcare provider and each business associate. It is a contract that outlines each party’s responsibilities as it relates to protected health information and makes responsible the service provider who is now entrusted with the protected health information. This means that if you are transmitting PHI to another service provider, having that service provider sign a BAA makes them responsible for that information.
This applies to outside vendors which are used in the transfer, use, storage or maintenance of PHI which can include IT vendors or cloud storage. An agreement is made between your organization and the outside party that handles this data which ensures that HIPAA guidelines will be complied to.
Any time a covered entity intends to disclose PHI to a business associate under the right circumstances, a BAA must be in place before the disclosure.
It is important to note that even if there is no contract involved an entity may still fall under definition as a business associate and remain liable in the event of potential mishandling of protected health information and thus HIPAA compliance. As such, your organization should do everything in its power to maintain a separate business associate agreement for each business associate that it does business with in relation to PHI. The same would be maintained for business associates and their subcontractors down the chain. If you meet the definition of a business associate you must comply.
A Business Associate Agreement is a written contract provided by vendors which outlines how a business associate will use and disclose protected health information. It must outline what is considered as permitted uses and disclosures of PHI. This will depend on what the covered entity has hired the business associate for. How is the information going to be used in healthcare business functioning or shared by the business associate to other subcontractors if necessary? As well, the BAA must prohibit all other use and disclosure other than what is permitted in the contract or by law.
For example a healthcare provider who is a covered entity is providing treatment to a patient and wishes to share that patient’s information to a pharmacy, the business associate, for prescription coverage. In this example, the information can only be shared for this exact purpose and no other.
The BAA must require the business associate to employ appropriate physical, administrative, and technical security safeguards to protect the PHI from improper disclosure or use. Best practice here would be to follow the three pillars of the Security Rule. Ensure that there are proper controls and infrastructure in place to offer technical and physical safeguards and further safety protocol through administrative safeguards in establishing the proper policies and procedures that also encourage security and privacy.
Examples of technical safeguards include authentication and encryption where physical safeguards relate to facility access and physical locking mechanisms for cabinets or electronic key card readers for door entries. Administrative safeguards include policies, procedures and training initiatives.
Finally business associates must notify covered entities in the event of a breach.
A BAA ensures that all parties involved, including subcontractors which are also included in the definition of a business associate, know how they must handle and safeguard PHI.
The Omnibus Rule also set a new standard for breach notification. No longer was it required to report breaches that caused significant potential harm to over 500 people but instead any unauthorized use or sharing of protected health information would be considered a breach. Other aspects of the Omnibus Rule include allowing individuals better access to their ePHI and increasing limitations on sharing protected health information.
Try Securicy for free and automatically generate custom policies, procedures, designate key officers, and track your progress towards compliance today or check out our free HIPAA Compliance Checklist and book a demo to see learn from our experts how Securicy can help you get HIPAA compliant.