HIPAA Hosting: What’s in a Business Associate Agreement?

November 10, 2011
62 Views

You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

You’re a covered entity (your company processes, stores or transfers any type of patient information), and you’re outsourcing your HIPAA hosting services to a third party (an IT vendor, a billing company, etc.).

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

The U.S. Department of Health and Human Resources (HHS) has a sample business associate contract available on its site listing all the provisions for those that are curious.

While this shouldn’t be copied precisely and is more of a guide than a complete document, it does offer insight into the general terms that a BAA should address, with the addition of customized provisions specific to certain companies’ needs. A summary of the primary provisions include:

  • Obligations and Activities of Business Associate
    • No use or disclosure of protected health information (PHI) unless it’s permitted or required by law.
    • Must use proper safeguards to prevent use or disclosure of PHI.
    • Mitigation in the event of a data breach.
    • Must report any use or disclosure of PHI.
    • Ensures others (subcontractors) agree to the same BAA.
    • Allows CE access PHI.
    • Must create documented HIPAA policies and procedures.
    • Document any PHI disclosures.
  • Permitted Users and Disclosures by Business Associate
    • Specifies when BA can use or disclose PHI on behalf of the CE.
  • Specific Use and Disclosure Provisions (if applicable)
    • When or why a BA would disclose or use any PHI, to report law violations, with CE permission, or to provide any kind of data aggregation reports to the CE).
  • Obligations of Covered Entity
    • The CE will notify the BA of any changes in permission (including restrictions or revocation) of the individual to use or disclose PHI.
  • Permissible Requests by Covered Entity
    • Terms and effective dates
    • How PHI will be handled after termination (returned or destroyed)
    • Reasons for termination

If you’re a covered entity, protect your company and your patients/clients by signing a thorough BAA. As a best practice recommended for HIPAA compliance, it will only strengthen your ability to pass a HIPAA audit, should the auditors come to your door.

Have other questions about compliance and BAAs? Read our HIPAA FAQ to find answers about BAs, hosting and agreements. Source: Business Associate Contracts

You may be interested

Healthcare Tech Advances That All Clinics Should Use
Medical Devices
461 views
Medical Devices
461 views

Healthcare Tech Advances That All Clinics Should Use

Dennis Hung - August 12, 2017

Healthcare will always be important to employees and the government since the issues surrounding healthcare are inherently ethical and moral…

Balancing Smart Data With Cybersecurity for Hospitals
Hospital Administration
453 views
Hospital Administration
453 views

Balancing Smart Data With Cybersecurity for Hospitals

Kayla Matthews - August 11, 2017

It should come as no surprise that your discussions and interactions with physicians and health professionals influence diagnoses, prescriptions, visit…

4 Ways to Halt Testosterone Problems After 40
Wellness
469 views
Wellness
469 views

4 Ways to Halt Testosterone Problems After 40

JohnHenning - August 10, 2017

Among men of all ages, testosterone is an important hormone for regulating health. Men over the age of 65 tend…