If you’re a healthcare practitioner, you have likely heard about a Business Associate Agreement, also known as a BAA. It’s probably come up in seminars you’ve attended about HIPAA compliance. Or maybe you’ve been considering two different vendors – one provides a BAA (for a fee), and the other does not. How do you know if you need a BAA? Today’s post is going to answer this question.
What is a Business Associate Agreement (BAA)?
A BAA is a signed document that affirms a third-party service provider's willingness to accept responsibility for the safety of your clients' PHI, maintain appropriate safeguards, and comply with HIPAA requirements when they handle PHI on your behalf.
HIPAA requires a signed BAA with every third-party service provider that creates, receives, maintains, or transmits your clients’ PHI on your behalf, and the BAA must be in place before you share any PHI with that provider.
How to know if you need a BAA
Are you a covered entity?
Not every health care practitioner needs a BAA. The easiest way to tell is to figure out if you’re what's called a “covered entity” and subject to HIPAA rules. Ask yourself these two questions:
Am I a healthcare provider such as a doctor, psychologist, dentist, or chiropractor?
Do I bill insurers electronically, or otherwise transmit health information electronically for a HIPAA standard transaction such as a claim or an eligibility check?
If you answered “yes” to both of these questions, you are a “covered entity” and must obtain a BAA from every third-party service provider that handles PHI for your practice.
If you didn’t answer “yes” to both, you might still be a “covered entity”; for example, having a billing service submit electronic claims on your behalf still makes you one. Even if you are not, you may want to act as if you are in order to comply with the code of ethics of your profession.
Here is a terrific article by our partner, Person Centered Tech, that explains some of the technicalities surrounding the covered entity question.
The best thing you can do is to consult with your attorney to find out exactly what your responsibilities are when it comes to HIPAA.
Do you use third-party service providers that handle PHI?
You’ve identified yourself as a covered entity. Now, let’s look at the services you’re hiring to help run your practice. If you’re running a busy practice, you probably aren’t doing everything yourself. You might hire services to clean your office, handle your accounting, provide email, and complete other tasks crucial to your business’s success.
Not all of these services need to handle your clients’ information. A cleaning service should never see it, but an email provider like Hushmail might handle PHI at some point. If you’re a covered entity, that PHI needs to be protected wherever it goes.
That’s where a BAA comes in.
The BAA makes the service provider contractually responsible for protecting the PHI while it is in their hands, and it spells out exactly what they are permitted to do with it.
In the words of the Department of Health and Human Services (HHS), this is what the BAA must accomplish at a minimum:
The contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
Here are some examples of third-party service providers that should provide you with a BAA if they handle your clients’ PHI:
- Billing service
- Email service
- Online fax service
- Electronic health record (EHR) software provider
- Electronic signature service
- IT contractors
- Collections agency
What to expect when you sign a BAA
The process of signing a BAA is very straightforward, although the details likely vary from provider to provider. We’ll use our process as an example.
When you sign up for a Hushmail for Healthcare account, you’ll be sent an agreement to sign. Once you sign and return it to us, we’ll add our signature and send you back the completed agreement.
When both of us have signed the BAA, Hushmail is contractually and directly liable for protecting the PHI while it’s in our hands, and you have satisfied your HIPAA obligation to obtain a BAA before sharing PHI with a business associate.
In other words, the Business Associate becomes separately responsible and liable for HIPAA compliance when your clients’ PHI is in their care. Your own obligations for PHI inside your practice, such as securing your own devices and accounts, do not go away.
Make sure you go through this process of signing the BAA and filing it in a safe, accessible location. HIPAA requires you to retain it for at least six years after it was last in effect. If your practice is ever reviewed or affected by a data breach, you’ll want to locate the document quickly to demonstrate the steps you took to protect your clients’ PHI and your HIPAA compliance.
Is a BAA really necessary?
As you continue to grow your practice and need to hire additional services, you might find yourself in a situation where a service offering a BAA isn’t the obvious best financial choice.
For example, you might want to switch from using a fax machine to an online fax service, but the free online service you find doesn’t offer a BAA. The services that do offer a BAA require a subscription.
Understandably, you’re thinking about the pros and cons, and weighing the financial impacts. Let’s look at the bottom line – what might happen if you don’t have a BAA on file.
First, consider that if you’re a covered entity and you don’t have BAAs on file for your contractors that handle PHI, you are not HIPAA compliant: every time you hand PHI to such a contractor, you are making an impermissible disclosure. It’s that simple.
If the Office for Civil Rights (OCR) discovers the non-compliance, you may face fines and may also be required to agree to a Corrective Action Plan (CAP). A CAP typically requires a risk analysis and the development and implementation of a risk management plan, runs for multiple years, and requires regular reports to OCR for monitoring, all of which is an expensive distraction from providing healthcare services.
Along with causing headaches, consider what you promise your clients. Do you assure them that the sensitive information they give you will be protected?
The truth is, while you might have every intention to protect PHI in your office, if you’re hiring third-party services, and you’re not getting BAAs, then you can’t back up that promise of privacy and security.
The other thing to consider is that, without a BAA, you have no contractual assurance of how the vendor protects PHI and no agreed process for being notified if something goes wrong. If that PHI is lost, stolen, or mishandled, the breach is yours to report and answer for, with obvious financial consequences through fines and damage to your reputation as a practitioner.
Make sure your clients’ information is safe
When it comes right down to it, BAAs are signed, legal documents stating that you’re doing your due diligence when it comes to making sure your clients’ information is safe and secure.
With HIPAA compliance being such a pressing concern in healthcare, you’ll find there are many service providers who offer BAAs. Hushmail is one of these providers.
Hushmail for Healthcare provides secure, HIPAA-compliant email, web forms, and an electronic signature service with a BAA included at no charge.
To sum up: a BAA is a signed agreement in which a third-party service provider accepts responsibility for safeguarding your clients’ PHI and complying with HIPAA while handling it on your behalf. If you’re a covered entity, a BAA is required with every such provider. Sign it, file it somewhere safe and accessible, and keep it for as long as HIPAA requires, so that if your practice is ever reviewed or affected by a data breach you can quickly show the steps you took to protect your clients’ PHI.