You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).
But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?
You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).
But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?
The U.S. Department of Health and Human Resources (HHS) has a sample business associate contract available on its site listing all the provisions for those that are curious.
While this shouldn’t be copied precisely and is more of a guide than a complete document, it does offer insight into the general terms that a BAA should address, with the addition of customized provisions specific to certain companies’ needs. A summary of the primary provisions include:
- Obligations and Activities of Business Associate
- No use or disclosure of protected health information (PHI) unless it’s permitted or required by law.
- Must use proper safeguards to prevent use or disclosure of PHI.
- Mitigation in the event of a data breach.
- Must report any use or disclosure of PHI.
- Ensures others (subcontractors) agree to the same BAA.
- Allows CE access PHI.
- Must create documented HIPAA policies and procedures.
- Document any PHI disclosures.
- Permitted Users and Disclosures by Business Associate
- Specifies when BA can use or disclose PHI on behalf of the CE.
- Specific Use and Disclosure Provisions (if applicable)
- When or why a BA would disclose or use any PHI, to report law violations, with CE permission, or to provide any kind of data aggregation reports to the CE).
- Obligations of Covered Entity
- The CE will notify the BA of any changes in permission (including restrictions or revocation) of the individual to use or disclose PHI.
- Permissible Requests by Covered Entity
- Terms and effective dates
- How PHI will be handled after termination (returned or destroyed)
- Reasons for termination
If you’re a covered entity, protect your company and your patients/clients by signing a thorough BAA. As a best practice recommended for HIPAA compliance, it will only strengthen your ability to pass a HIPAA audit, should the auditors come to your door.
Have other questions about compliance and BAAs? Read our HIPAA FAQ to find answers about BAs, hosting and agreements. Source: Business Associate Contracts
