With the increasing growth of technology and digitization in medical facilities, the quality of healthcare delivery has significantly improved. Nowadays, medical services are not only fast but also efficient. However, alongside the many benefits experienced in the sector, some disadvantages have come with them. For instance, medical data is exposed to dangers such as targeted attacks, malware infections, employee misconduct, and hacking, to name a few. To reduce the likelihood of such incidents, healthcare organizations are urged to secure their data assets whenever they enter into a partnership or contract with a third-party organization. The surest way of making such an agreement formal is through a HIPAA business associate agreement (BAA).
What is a Business Associate HIPAA Agreement?
A "business associate", in simple terms, is a third party that performs certain activities on behalf of a covered entity and, in doing so, handles protected health information (PHI). A covered entity is typically a healthcare provider, a healthcare clearinghouse, or a health plan. The covered entity must maintain full compliance with the Health Insurance Portability and Accountability Act (HIPAA) guidelines.
As a subcontractor, the business associate will require some electronic PHI (ePHI) to pass through its systems in order to perform its duties. In the process, it will be handling sensitive and confidential information that shouldn't be disclosed to any unauthorized party. As such, complying with HIPAA regulations means safeguarding all shared PHI according to the specific instructions set out in the agreement. At no time is the business associate allowed to sell protected health information or use it for other self-interested purposes.
Who Needs a Business Associate Agreement?
Any organization that is involved in sharing PHI or ePHI needs to sign a Business Associate Agreement before engaging another party. Therefore, if you operate in any of the following fields, your organization needs this agreement:
- Medical billing services
- Practice management
- Accountants
- Electronic healthcare providers
- Information and technology providers
- Shredding services
- Cloud storage providers
- Hospital supplies and management
Common Mistakes Associated With This Agreement
The common mistakes include the following:
Insisting that every contractor sign the agreement
Some covered entities go overboard by applying the BAA to every business relationship they enter, regardless of the services provided, and make every contractor sign the agreement. Usually, some contractors have no access to PHI and therefore don't need to sign it. Insisting that such contractors sign it can strain the relationship between you.
Assuming that a signed BAA means compliance with HIPAA
According to research by the California Healthcare Foundation, some covered entities were neglecting their responsibilities and obligations, claiming that once they had signed a Business Associate Agreement they were already in compliance with HIPAA. Unfortunately, this is not the case. Even after signing a BAA, it is equally important that every party maintains compliance by effectively protecting PHI.
Not having a HIPAA business associate agreement for entities with access to ePHI
Some entities are not handed PHI directly while performing their task, yet electronic PHI still passes through their systems. In that sense, they too should be made to sign the BAA, as they risk disclosing it to the public.
Identifying the business associate agreement and reviewing the BA relationship
All healthcare providers are expected to seek professional help from knowledgeable third parties. This will help protect them from violations and other harm. A knowledgeable third party will also help them enter into the BAA without incompetence or hassle.
For instance, the healthcare provider can engage a lawyer who practices healthcare IT and security law and understands the HIPAA rules and guidelines. Through this, you will establish a working and effective agreement and understand the nature of the business associate relationship.
When a Business Associate Agreement May Not Be Required
- When the party or organization is not involved in the use or disclosure of protected health information, such as janitorial or electrical service providers.
- When a covered entity that participates in an organized healthcare arrangement (OHCA) is involved.
- When a covered entity purchases a health plan product, such as insurance.
- When PHI is disclosed to a research facility with patient authorization or pursuant to a waiver.
- When a person or an organization acts merely as a conduit for the PHI.
Key Takeaways
- Every entity associated with the creation, maintenance, and transfer of Protected Health Information (PHI) or ePHI must sign a Business Associate Agreement that is compliant with HIPAA.
- It should be signed before disclosing the PHI to the business associate.
- Both the business associate and the covered entity should take stringent precautions to protect the confidential PHI from unauthorized persons.
- If one party violates or breaches this agreement, the consequences can be costly.