When Do You Need a Business Associate Agreement

Business Associate Agreements (BAAs) are an integral part of any effective HIPAA compliance program. But understanding what a good BAA should and shouldn't include isn't as intuitive as understanding that you need one at all. Not all naturopaths need a BAA. The easiest way to put it is to find out whether you are a so-called "covered entity" and therefore subject to the HIPAA rules. Ask yourself these two questions:

The BAA places the responsibility to protect PHI directly on the shoulders of the service provider while the information is in its hands. There are some exceptions to the requirement to sign a business associate agreement. These include specialists to whom a hospital refers a patient and sends the patient's medical record for treatment, laboratories to which a physician transmits a patient's PHI for treatment, and disclosure of PHI by a group health plan to a health plan sponsor such as an employer. The most comprehensive source of information about HIPAA is the HHS website. However, since HHS cannot cover every possible relationship between a covered entity and a business associate, some information can be difficult to track down and is subject to interpretation.

For specific advice regarding specific circumstances, we recommend that you seek the help of a HIPAA compliance professional. HHS can audit business associates and subcontractors for HIPAA compliance, not just covered entities. This means that organizations at all three tiers (covered entity, business associate, and subcontractor) must have a Business Associate Agreement (BAA) in place in order to meet HIPAA requirements. It is in your mutual interest to reach an agreement, as all three classifications are responsible for the protection of PHI. The best thing to do is to consult your attorney to find out exactly what your HIPAA responsibilities are.

By law, the HIPAA Privacy Rule applies only to covered entities: health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not perform all of their health care activities and functions themselves. Instead, they often use the services of a variety of other people or companies. The Privacy Rule allows covered health care providers and plans to share protected health information with these "business associates" if the providers or plans receive satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will protect the information from misuse, and will help the covered entity comply with some of its obligations under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's own use or purposes, except as needed for the proper management and administration of the business associate. For this reason, it is preferable for BAAs to include language such as "as soon as the breach is discovered or should have been discovered" in the "Notification of Breaches" section of the agreement.

According to HHS, janitorial services that clean the offices or facilities of a covered entity are generally not business associates.

Therefore, a business associate agreement would not be necessary. However, if a janitorial service is hired to perform work for a covered entity in which disclosure of protected health information is not limited (e.g., routine handling of records or shredding of documents containing protected health information), it is likely that the service is a business associate. The HHS Office for Civil Rights (OCR) has imposed numerous fines for the failure to have business associate agreements in place. While investigating data breaches and complaints, OCR found that the following covered entities had failed to obtain a signed HIPAA-compliant BAA from at least one vendor. This was either the sole reason for the fine or an additional violation that contributed to the severity of the fine. Ultimately, BAAs are signed legal documents showing that you are fulfilling your duty of care when it comes to ensuring that your customers' information is safe and secure. If you hire a subcontractor and that subcontractor comes into contact with PHI, you will need a BAA between the two of you.