Business Associate Agreements
When you run a private medical practice, you’re invariably going to need services and vendors outside of your practice. What you need to know is that any person or organization that you hire to handle, use, distribute, or access protected health information is a Business Associate (BA) and that you need to have a Business Associate Agreement (BAA.)
You need to have a Business Associate Agreement in place before you share protected health information.
The goal behind the Business Associate Agreement is to acknowledge that both parties are obligated to follow federal HIPAA regulations and to protect both parties in the event of a breach.
HHS can audit Business Associates and Business Associates Subcontractors for HIPAA compliance, not just you as the Covered Entity. According to HHS, the Business Associate Agreement must:
- Describe the permitted and required protected health information uses by the Business Associate and /or their subcontractors
- State that the Business Associate and their Subcontractors will not use or further disclose protected health information beyond what is permitted or required by the contract or as required by law;
- And require the Business Associate and their Subcontractors to use appropriate safeguards to prevent inappropriate protected health information use or disclosure
A Business Associate Subcontractor is a person or entity to that the BA delegates to perform a function, activity or service.
Contractors and Confidentiality Agreements
Your employees, independent contractors who work exclusively for your company or a sole proprietor with other clients are not BAs. In this case your practice is solely responsible if someone breaches protected health information. One way to address this from a compliance perspective is to have your employees and independent contractors sign a confidentiality agreement. The confidentiality agreements should:
- Clarify the type of information the agreement covers.
- Describe what type of information cannot be copied, downloaded or modified. As an aside, this is a very common source of a HIPAA breach—when some piece of protected health information is downloaded onto a desktop because its “easier” to access but it’s not secured.
- Address issues like not removing a laptop containing protected health information from your office
- State information must be returned upon employer’s request
- Disciplinary action for persons responsible for a breach of confidential information
Your Business Associate Agreement should be written so that it’s “evergreen,” meaning that it renews automatically and doesn’t require a new signature to remain valid. That said, you will still want to set up a regular review schedule for all of your business associate agreements to make sure that it stays current with your service contract and your state laws. Significant changes in the scope of work performed by the business associate will necessitate a change in the business associate agreement.
While the business associate has the liability, you as the covered entity are still required to take reasonable steps to cure the breach or end the violation.
Download the Business Associate Security Questionnaire to help you do your due diligence in choosing a Business Associate.
If you'd like to hear more tips on how to start, run and grow your practice and related medical businesses, please sign up for my newsletterat https://www.thepracticebuildingmd.com.
And, be sure to join my FB group, The Private Medical Practice Academy.