Behavioral Health Business Associate Vetting
As HIPAA covered entities, behavioral health professionals have an obligation to vet their business associates. Vetting business associates ensures that the protected health information (PHI) that those associates create, receive, transmit, maintain, or store on behalf of the covered entity is secure.
What is a Business Associate?
A business associate is any vendor that a covered entity contracts with and that may come into contact with PHI over the course of the work it is hired for.
A business associate for a behavioral health professional may include:
- Electronic Health Record (EHR) platforms
- Teleconferencing tools (e.g. Zoom, GoToMeeting, Skype, etc.)
- Email providers (if email is used in conjunction with PHI)
- Cloud service providers (e.g. AWS, Microsoft Azure, etc.)
- Medical billing services
How to Vet Business Associates
The Department of Health and Human Services (HHS) requires covered entities to vet their business associates. Failure to adequately vet business associates leaves covered entities liable should their business associate experience a healthcare breach. To avoid costly HIPAA fines, covered entities must vet vendors before sharing PHI.
The best way to vet business associates is to send them vendor questionnaires. HIPAA standards mandate that the confidentiality, integrity, and availability of PHI be maintained through the implementation of HIPAA safeguards. Vendor questionnaires measure administrative, physical, and technical safeguards against HIPAA standards.
Upon completion of a vendor questionnaire, gaps in the business associate’s safeguards are identified. Before covered entities can work with the business associate, the business associate must address their gaps with remediation efforts. If a business associate is unwilling to address gaps, the covered entity should choose another vendor to work with.
Business Associate Agreements
In addition to vetting vendors, before covered entities can share PHI with their business associates, they must have a signed business associate agreement (BAA). A BAA is a legal document that mandates the safeguards the vendor must implement. A BAA also limits the liability for both signing parties, as it states that each party is responsible for maintaining its own HIPAA compliance.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.