Business Associate Agreement Matters

Health Insurance Portability and Accountability Act (HIPAA) - covered businesses, such as healthcare providers, health plans, health clearinghouses, and legal offices that handle medical-related cases are required to adhere to the HIPAA Privacy Rule. 

In today’s age, cyber dangers, and patient privacy concerns evolve.  Detailed contracts with business partners have become vital to compliance and security, yet both small and large businesses frequently overlook them.

What is a Business Associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.   

Who is required to establish a Business Associate Agreement?

The HIPAA Privacy Rule mandates an individual or organizations such as consultants who perform hospital utilization assessments or attorneys who provide legal counsel to their clients, to establish a Business Associate Agreement (BAA) with any of their partners and vendors to meet specific requirements with respect to the use and disclosure of PHI.

Direct liability of Business Associates according to  Health Information Technology for Economic and Clinical Health (HITECH) Act includes:

Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

Why is BAA very important when handling Protected Health Information?

Organizations are  being held accountable for any data breaches resulting from their vendor’s conduct if they don't sign a BAA with them. A vendor is in charge of protecting your PHI after they agree to the BAA. When it comes to HIPAA and business associate agreements, both parties are held accountable for oversight of the PHI, not doing so would have a systemic negative impact on their entire system. A properly executed BAA can  protect both parties in the event of a breach.

What are the penalties for  not securing a HIPAA-Compliant BAA?

Penalties for HIPAA violations can vary from $100 to $50,000 for individual violations, with a maximum fine of $1.5 million per calendar year for infractions, depending on the perceived amount of carelessness. Additionally, those who commit infractions risk spending time in jail. An example of a HIPAA violations is the failure to sign a HIPAA-Compliant Business Associate Agreement.

Securing a Business Associate Agreement is part of  Shield Data Network onboarding process. We would gladly review and complete our client's own BAA  document, or we can provide ours if needed. This maybe an added step but doing so can protect our clients from future headaches.