Kypher Web Series ep.5
Business Associate Agreements and why they are so important
First, what is a business associate? A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. So what is a covered entity then?
Covered entities are defined in the HIPAA rules as:
Health care clearinghouses, and
Health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. So, if you are a physician practice, you are a covered entity.
In most cases that means everyone else is a business associate. The catch is that they fall under the same rules as covered entities. Covered entities must enter into contracts with their business associates, which is what we are talking about today. These contracts require, among other responsibilities, that the business associate implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI. How does this affect your practice? Not only is this the law, but it is also forcing practices to become accountable for how they protect patient data and for whom they choose to do business with.
Here are a few common questions about BAAs:
Q: Having a HIPAA Business Associate sign a Business Associate Agreement is all I have to do to make sure they are HIPAA compliant, right?
A: Wrong. While a HIPAA Business Associate Agreement is required before you let a vendor provide any services that give them access to patient information, they have a clear responsibility to implement a complete HIPAA compliance program. Like your practice, they must document their HIPAA-compliant policies, procedures, workforce training, and evidence of ongoing compliance. Because you are responsible for their activities, you should make them prove to you that they have a real HIPAA compliance program. Require that they share their HIPAA Risk Analysis with you to prove that they have complied with the first HIPAA requirement. You should also reserve the right to audit your vendors’ compliance at any time.
Q: Is it OK to use the HIPAA Business Associate Agreement we have always used?
A: No, it isn’t. BAAs must speak to current laws and current technology. You are required to update them often. If your current BAA is older than 2014, you should update it immediately.
Q: Are my employees also business associates? Do I need to have them sign an agreement?
A: No. A physician practice’s employees are not business associates, but rather a part of the covered entity’s workforce.
Q: Do I still need to perform the security risk assessment if I have BAAs with everyone?
A: Yes. Physician practices that maintain electronic PHI must comply with the HIPAA Security Rule requirements and perform a risk analysis of office security. A risk analysis must be an accurate and thorough assessment of the potential risks and vulnerabilities to ANY PHI and its integrity and confidentiality. A risk analysis is more complex than filling out a checklist and physician practices should obtain assistance in completing this task.
Q: My vendor has a BAA. Can I just sign their BAA?
A: Yes, you can. But that will only cover that one vendor, and you should always go over the agreement with a fine-toothed comb to make sure it is current and speaks to all the protections required.
How do I make changes? Where do I start?
Make a full and complete list of vendors your practice does business with. Make sure they are willing to sign a BAA with you. If they refuse, find another vendor.
Do the research. There are many options, from BAA templates on the Health and Human Services and CMS websites to software programs that handle document creation for you. Choose what works best for your practice; many solutions can be budget neutral.
Perform the annual risk assessment for your own practice. It is a great first step toward understanding the requirements and educating yourself and your employees.
Keep copies of everything, from your risk assessments to your BAAs. This will go a long way in protecting your practice from the dreaded audit.
Getting compliant doesn’t happen overnight. It takes time and patience, and it takes learning and understanding. Patient data security is incredibly important. The government has these laws for a reason. Each year the punishments and fines increase. As long as you are showing improvement and taking the necessary steps to secure your practice, you are doing the right thing. Start small and educate yourself. That is always your first, best step.