Business Associate Agreements for HIPAA - Top Ten Points to Know

02/24/2026 Live Webinar

Description

Under HIPAA, business associate agreements (BAAs) are critical legal contracts that govern how a covered entity ensures the privacy and security of protected health information (PHI) when certain functions are outsourced to a third party that is not otherwise a covered entity.

A covered entity, such as a health care provider, health plan, or health care clearinghouse, must obtain satisfactory assurances from its business associates that PHI will be appropriately safeguarded when the associate performs services involving PHI on behalf of the covered entity. These BAAs are mandated by the HIPAA Privacy and Security Rules and form a central part of HIPAA compliance programs.

A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes third-party administrators, billing companies, data storage and cloud services, consultants, and many others. Even a contractor that cannot view PHI, for example a cloud service provider that stores encrypted data, may still be a business associate if it creates, receives, maintains, or transmits PHI as part of its service functions.

An exception is conduit services such as USPS, FedEx, and UPS. Conduit services are limited to vendors that only transmit PHI and do not further store any sensitive information. Because of this, most cloud-based services qualify as business associates, since they both transmit and store data.

The BAA must clearly set forth the permitted and required uses and disclosures of PHI by the business associate and prohibit inappropriate uses. The contract must also require the business associate to implement appropriate administrative, physical, and technical safeguards to protect electronic PHI, in alignment with HIPAA’s Security Rule. In addition, the covered entity must ensure that any subcontractors who create, receive, maintain, or transmit PHI agree to the same restrictions and conditions that apply to the business associate.

Although HIPAA does not require a business associate to create its own Notice of Privacy Practices, covered entities must ensure that the business associate’s use and disclosure of PHI are consistent with the practices outlined in the covered entity’s own overarching privacy notice. The covered entity may also use a business associate to help distribute said notice.

A BAA may be combined with a data use agreement (DUA) when both types of agreements apply. For instance, in situations involving a limited data set with direct identifiers, a single agreement can satisfy the regulatory requirements for both the BAA and the DUA, as long as the terms adequately address HIPAA’s protections and the obligations of both parties.

HIPAA also permits business associate contracts in electronic form, including electronic signatures, provided they satisfy applicable state law, even though HIPAA itself does not prescribe specific electronic signature standards. This flexibility can help streamline processes and storage, but is state dependent.

In summary, BAAs are a foundational element of HIPAA compliance for covered entities and their partners. They define roles, responsibilities, and safeguards for PHI, and ensure HIPAA protections extend through the entire healthcare information ecosystem.

Areas Covered in the Session

  • Definition of Covered Entities and Business Associates
  • Who Is a Business Associate?
  • Core Required Elements of a Business Associate Agreement
  • Consistency With Covered Entity Notice of Privacy Practices
  • Business Associate Obligations & Individual Rights
  • Compliance Enforcement & Risk Management
  • How and When Someone Is Not a Business Associate
  • The Worst Horror Story You Will Hear About the Lack of a Business Associate Agreement and How a Doctor Got in Trouble

Why should you Attend?

Learn the basics of what business associates are and the agreement needed to satisfy HIPAA requirements for them.

Who will Benefit?

Healthcare practitioners who work with other partners, vendors, or third-party services.

Webinar Details
  • Date: 02/24/2026
  • Time: 12:00 PM - 01:00 PM (EST)
  • Registration Deadline: 02/23/2026
  • Venue: Live Webinar
Speaker:
Mark R. Brengelman

Attorney at Law, Frankfort, Kentucky

Mark holds Bachelor’s and Master’s degrees in Philosophy from Emory University and a Juris Doctorate from the University of Kentucky. Retiring as a...
