Third parties are often tapped to provide services to hospitals, clinics, and other healthcare organizations. When they do, they must keep the medical records they touch confidential, specifically the Protected Health Information (PHI) in them, as required by the Health Insurance Portability and Accountability Act (HIPAA).
This federal law specifies how PHI may be used, disclosed, and secured. If a billing vendor needs patient information to prepare an insurance claim on a hospital's behalf, it cannot simply be handed PHI; certain safeguards and commitments have to be in place first. This is where a Business Associate Agreement (BAA) comes into play.
But what is a BAA?
Table of Contents
- What Is a Business Associate Agreement?
- Who Is Considered a Business Associate Under HIPAA?
- Why Is a BAA Important in Healthcare?
- Checklist for a HIPAA-Compliant BAA
What Is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a contract that spells out each party's responsibilities for handling PHI. It ensures that when a third party is given access to PHI, there are limits on how that PHI may be used, disclosed, and stored, and that the third party commits in writing to safeguarding it.
Two parties sign a business associate agreement:
- Covered entity: Under HIPAA this is a health care provider that transmits health information electronically (for example, a hospital or clinic), a health plan, or a health care clearinghouse. Covered entities create and hold PHI in the course of their own work.
- Business associate: A third party that creates, receives, maintains, or transmits PHI on the covered entity's behalf, such as a billing service or a records-disposal company.
It is the covered entity's responsibility to choose trustworthy business associates and to obtain, through the BAA, written assurance that they will handle PHI in line with HIPAA. Sharing PHI with a business associate without a BAA in place is itself a HIPAA violation on the covered entity's part.
Who Is Considered a Business Associate Under HIPAA?
Business associates are companies, organizations, or individuals that perform a function or service for a covered entity (for example, a hospital) that involves using, disclosing, storing, or transmitting PHI. They are outside parties, not members of the covered entity's own workforce. This includes, but is not limited to, lawyers, accounting firms, billing and claims-processing services, outsourcing and offshoring companies, and accreditation organizations.
These are people or organizations that don't treat patients directly but nonetheless receive or handle their protected health information (PHI). Any outside party that creates, receives, maintains, or transmits PHI on the covered entity's behalf is a business associate. Not everyone who comes into contact with PHI qualifies, though: the covered entity's own employees are workforce members, and another provider that receives PHI to treat the patient is a covered entity in its own right rather than a business associate.
For example, suppose you recently switched to online charting in lieu of printed medical records and hired Company A to dispose of your paper documents. Because Company A will handle records containing PHI on your behalf, you need a business associate agreement with Company A, signed by both parties, before the records are handed over.
If Company A then hires Company B to transport the records, Company B is a subcontractor of Company A and, under HIPAA, is itself a business associate. The BAA with Company B is signed by Company A, not by you: HIPAA requires a business associate to obtain from its subcontractors the same written assurances that the covered entity obtained from the business associate. Company B is then directly responsible under HIPAA for the PHI it handles, and Company A is responsible for having that agreement in place.
Why Is a BAA Important in Healthcare?
A business associate agreement is needed for every arrangement in which PHI is shared with a third party acting on your behalf, so that the confidentiality of patient information is preserved. The document should also spell out what the business associate must do when PHI is breached or put at risk.
Medical records should be kept and stored with the utmost confidentiality. If patients feel that their personal information is not protected, they may stay away from hospitals even when they need immediate attention.
An example is a patient with HIV whose status a doctor discloses to unauthorized persons. Because there is ongoing stigma about this condition, the patient may face discrimination if it becomes public. Disclosing such information without consent also reinforces the idea that hospitals can't be trusted.
Another example is a hospital that uses a medical billing service to streamline its coordination with health insurance providers. To prepare and submit claims, the billing service needs access to patient information, including diagnoses and procedures, so that the insurer can validate the claim and check whether the condition is covered by the patient's policy.
The billing service is acting on the hospital's behalf, so it is a business associate, and the hospital must have a signed BAA with it before giving it access to medical records. (The health insurance provider itself is a health plan, which is a covered entity under HIPAA; the hospital's disclosure of PHI to it for payment purposes is permitted by the Privacy Rule without a separate BAA, although only the minimum necessary information may be sent.)
This is to ensure that:
- Medical records can only be used in authorized ways
- Only the necessary PHI is shared
- Both parties abide by the law
Checklist for a HIPAA-Compliant BAA
Here are the things that you must include in your BAA to comply with HIPAA requirements.
1. Limitations to PHI access
Giving business associates access to PHI doesn't mean they get access to every detail. For instance, if you hire Company A to dispose of X-ray films, then Company A should only be able to access the X-ray films, not the full patient charts. Your BAA should spell out the permitted uses and disclosures, and they should be limited to the minimum necessary for the service being provided.
Your business associates should also agree to implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule to protect electronic PHI, and to use or disclose PHI only as the BAA and the law permit.
2. HIPAA training
The business associates you work with must train the employees who will handle your PHI on their HIPAA obligations. This ensures that they understand their responsibilities when dealing with PHI and the consequences of mishandling medical records.
Your BAA should therefore require the business associate to provide proof that the relevant employees have completed HIPAA training.
3. Consequences of a data breach
What if your business associate causes a data breach or otherwise puts PHI at risk? Your BAA must require the business associate to report breaches of unsecured PHI, and any other use or disclosure not permitted by the agreement, to you, and it should set a specific timeline for doing so that covers both confirmed and suspected incidents.
This matters because the HIPAA Breach Notification Rule gives you at most 60 days from discovery of a breach to notify the affected individuals. A breach affecting 500 or more individuals must also be reported to the United States Department of Health and Human Services (HHS) within that same window, and to prominent media outlets if it affects more than 500 residents of a state; smaller breaches are logged and reported to HHS annually. By default, HIPAA allows a business associate up to 60 days to tell you about a breach, which could consume your entire window, so many covered entities contract for a much shorter reporting deadline (a few days, or even 24 hours) so that they have time to investigate and notify. Late or missing notification exposes you to HHS enforcement penalties as well as reputational damage.
4. Required subcontractor compliance
Your business associates may have their own business associates, known as subcontractors, that indirectly work with you. To ensure that your shared PHI stays protected, lay down terms for subcontractor compliance. HIPAA already requires your business associate to sign a BAA with each of its subcontractors that will handle your PHI, imposing the same restrictions and conditions that apply to the business associate itself; your BAA should restate this obligation, and you can ask for a copy of those agreements, or at least a list of the subcontractors involved, so you know where your PHI is going.
5. Termination of agreement
The BAA lays down the limits on the use of PHI once it is shared with the business associate. HIPAA requires the BAA to authorize the covered entity to terminate the agreement if the business associate violates a material term. The agreement should also require that, on termination, the business associate return or destroy all PHI it holds and keep no copies; where that is not feasible, it must continue to protect the PHI and limit further use to the purposes that make destruction infeasible.
Your business associates affect the reputation of your organization. Business associate agreements help ensure they won't taint it.
Use Fill to Sign Business Associate Agreements
If you want to streamline how you approve BAAs, Fill is a tool built for that. It is an e-signature platform that lets you create contracts and agreements and store them in an online database, giving you quick access to important documents from your mobile phone or laptop.
With Fill, you can create business agreements by writing your own or choosing from the template gallery. You can also sign documents and request signatures online.