Business Associate Agreements are a necessary but sometimes misunderstood part of the Health Insurance Portability and Accountability Act (HIPAA). Many practices are left with questions and misconceptions that can expose them to risks. We’ve decided to shed a little light on the topic.
What is a Business Associate?
A business associate is a third party that performs services or functions for an entity covered by HIPAA and that requires the use of, or access to, protected health information (PHI) to do so. It can also be a subcontractor of someone who does business with you, when that subcontractor might have access to this same information.
Any of your contractors, service providers or vendors who may have access to protected health information is considered a business associate. In addition to other medical agencies you might contract with, this can also include non-medical entities, such as lawyers, accountants, and IT providers.
What is a Business Associate Agreement?
HIPAA requires that you have a signed agreement with any contractor who is considered a business associate. The agreement lists obligations and responsibilities of both organizations pertaining to the protection and use of the protected health information. Each entity covered by HIPAA is required to have such a contract for each organization they do business with that falls under the definition of business associate.
How often do Business Associate Agreements need to be signed?
In 2013, the HIPAA Omnibus Final Rule broadened the definition of a business associate and modified some of the requirements. Any contracts written before September 22, 2014 are no longer valid and should have been redone prior to that date.
Outside of that, each agreement must have an effective date and a termination date. If you plan to do business with your contractor following the termination date, you’ll need to create a new contract. You cannot continue to share PHI without a valid, active agreement in place.
What needs to be in the Agreement?
The requirements for what needs to be included were updated by the HITECH Act and the Omnibus Rule. Your BAA needs to include the following:
1. Outline of permissible or required uses and disclosures of protected health information.
2. Provision that your business associate may not use or disclose PHI for purposes not specified in the agreement.
3. Requirements that the associate implement appropriate safeguards to prevent unauthorized use or access to PHI, including electronic PHI.
4. Specific requirements and timeframes for reporting to you any unauthorized use or disclosure of PHI, including security breaches and unsecured PHI.
5. Requirements for the associate to disclose PHI to satisfy any of your obligations with respect to individual requests for copies of their PHI.
6. Compliance mandates for the contractor to adhere to your obligations under the Privacy Rule.
7. Provision that they make available to the Department of Health and Human Services all of their internal practices, books and records relating to use and disclosure of PHI as it pertains to your compliance.
8. Contract termination requirements that cover the disposition and destruction of PHI received from you or created and received on your behalf.
9. Provisions that the vendor obtain business associate agreements from their subcontractors who may access PHI. These BAAs need to include the same restrictions and provisions outlined in your agreement.
10. Authorization to terminate the contract when there is a material breach of the contract.
Why BAAs Matter to Your Practice
If your contractor has a breach, you could be liable. This is even more true if your business associate doesn’t have an agreement, if the agreement is expired, or if it fails to include all of the appropriate provisions. Further, if you are audited and it’s discovered that your contracts are expired, or are outdated to the point that they no longer adequately address the contractor’s use of your PHI, you could be facing fines.
It’s important to make sure that you have strong business associate agreements and that you keep them up to date. Without adequate tracking, it is easy to forget to obtain an agreement, to renew it when needed, or to ensure it continues to address your evolving relationship with your vendors.
ECRVault is a fast, easy, HIPAA-compliant solution for capturing, storing and retrieving paper documents electronically. We’ve partnered with Eyefinity to develop the only integrated, paperless solution in the eye care industry.
Watch a demo to see how you can go paperless in a day!